Documentation ¶
Overview ¶
Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor identity provider (IDP) API.
Index ¶
- Constants
- Variables
- func Resource(resource string) schema.GroupResource
- type ActiveDirectoryIdentityProvider
- type ActiveDirectoryIdentityProviderBind
- type ActiveDirectoryIdentityProviderGroupSearch
- type ActiveDirectoryIdentityProviderGroupSearchAttributes
- type ActiveDirectoryIdentityProviderList
- type ActiveDirectoryIdentityProviderPhase
- type ActiveDirectoryIdentityProviderSpec
- type ActiveDirectoryIdentityProviderStatus
- type ActiveDirectoryIdentityProviderUserSearch
- type ActiveDirectoryIdentityProviderUserSearchAttributes
- type CertificateAuthorityDataSourceKind
- type CertificateAuthorityDataSourceSpec
- type GitHubAPIConfig
- type GitHubAllowAuthenticationSpec
- type GitHubAllowedAuthOrganizationsPolicy
- type GitHubClaims
- type GitHubClientSpec
- type GitHubGroupNameAttribute
- type GitHubIdentityProvider
- type GitHubIdentityProviderList
- type GitHubIdentityProviderPhase
- type GitHubIdentityProviderSpec
- type GitHubIdentityProviderStatus
- type GitHubOrganizationsSpec
- type GitHubUsernameAttribute
- type LDAPIdentityProvider
- type LDAPIdentityProviderBind
- type LDAPIdentityProviderGroupSearch
- type LDAPIdentityProviderGroupSearchAttributes
- type LDAPIdentityProviderList
- type LDAPIdentityProviderPhase
- type LDAPIdentityProviderSpec
- type LDAPIdentityProviderStatus
- type LDAPIdentityProviderUserSearch
- type LDAPIdentityProviderUserSearchAttributes
- type OIDCAuthorizationConfig
- type OIDCClaims
- type OIDCClient
- type OIDCIdentityProvider
- type OIDCIdentityProviderList
- type OIDCIdentityProviderPhase
- type OIDCIdentityProviderSpec
- type OIDCIdentityProviderStatus
- type Parameter
- type TLSSpec
Constants ¶
const (
	// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
	CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")

	// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
	// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
	CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
)
const GroupName = "idp.supervisor.pinniped.dev"
Variables ¶
var (
	SchemeBuilder runtime.SchemeBuilder
	AddToScheme   = localSchemeBuilder.AddToScheme
)
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
SchemeGroupVersion is the group version used to register these objects.
Functions ¶
func Resource ¶
func Resource(resource string) schema.GroupResource
Resource takes an unqualified resource and returns a Group qualified GroupResource.
Types ¶
type ActiveDirectoryIdentityProvider ¶
type ActiveDirectoryIdentityProvider struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec for configuring the identity provider.
	Spec ActiveDirectoryIdentityProviderSpec `json:"spec"`

	// Status of the identity provider.
	Status ActiveDirectoryIdentityProviderStatus `json:"status,omitempty"`
}
ActiveDirectoryIdentityProvider describes the configuration of an upstream Microsoft Active Directory identity provider.

+genclient
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps
+kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.host`
+kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
+kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+kubebuilder:subresource:status
func (*ActiveDirectoryIdentityProvider) DeepCopy ¶
func (in *ActiveDirectoryIdentityProvider) DeepCopy() *ActiveDirectoryIdentityProvider
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProvider.
func (*ActiveDirectoryIdentityProvider) DeepCopyInto ¶
func (in *ActiveDirectoryIdentityProvider) DeepCopyInto(out *ActiveDirectoryIdentityProvider)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ActiveDirectoryIdentityProvider) DeepCopyObject ¶
func (in *ActiveDirectoryIdentityProvider) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ActiveDirectoryIdentityProviderBind ¶
type ActiveDirectoryIdentityProviderBind struct {
	// SecretName contains the name of a namespace-local Secret object that provides the username and
	// password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be
	// of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value
	// should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
	// The password must be non-empty.
	// +kubebuilder:validation:MinLength=1
	SecretName string `json:"secretName"`
}
func (*ActiveDirectoryIdentityProviderBind) DeepCopy ¶
func (in *ActiveDirectoryIdentityProviderBind) DeepCopy() *ActiveDirectoryIdentityProviderBind
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderBind.
func (*ActiveDirectoryIdentityProviderBind) DeepCopyInto ¶
func (in *ActiveDirectoryIdentityProviderBind) DeepCopyInto(out *ActiveDirectoryIdentityProviderBind)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ActiveDirectoryIdentityProviderGroupSearch ¶
type ActiveDirectoryIdentityProviderGroupSearch struct {
	// Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
	// "ou=groups,dc=example,dc=com".
	// Optional, when not specified it will be based on the result of a query for the defaultNamingContext
	// (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
	// The default behavior searches your entire domain for groups.
	// It may make sense to specify a subtree as a search base if you wish to exclude some groups
	// for security reasons or to make searches faster.
	// +optional
	Base string `json:"base,omitempty"`

	// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
	// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
	// value of an attribute of the user entry found as a result of the user search. Which attribute's
	// value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
	// E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
	// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
	// Optional. When not specified, the default will act as if the filter were specified as
	// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={}))".
	// This searches nested groups by default.
	// Note that nested group search can be slow for some Active Directory servers. To disable it,
	// you can set the filter to
	// "(&(objectClass=group)(member={}))"
	// +optional
	Filter string `json:"filter,omitempty"`

	// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
	// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
	// For example, specifying "uid" as the UserAttributeForFilter while specifying
	// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
	// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
	// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
	// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
	// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
	// +optional
	UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`

	// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
	// the result of the group search.
	// +optional
	Attributes ActiveDirectoryIdentityProviderGroupSearchAttributes `json:"attributes,omitempty"`

	// The user's group membership is refreshed as they interact with the supervisor
	// to obtain new credentials (as their old credentials expire). This allows group
	// membership changes to be quickly reflected into Kubernetes clusters. Since
	// group membership is often used to bind authorization policies, it is important
	// to keep the groups observed in Kubernetes clusters in-sync with the identity
	// provider.
	//
	// In some environments, frequent group membership queries may result in a
	// significant performance impact on the identity provider and/or the supervisor.
	// The best approach to handle performance impacts is to tweak the group query
	// to be more performant, for example by disabling nested group search or by
	// using a more targeted group search base.
	//
	// If the group search query cannot be made performant and you are willing to
	// have group memberships remain static for approximately a day, then set
	// skipGroupRefresh to true. This is an insecure configuration as authorization
	// policies that are bound to group membership will not notice if a user has
	// been removed from a particular group until their next login.
	//
	// This is an experimental feature that may be removed or significantly altered
	// in the future. Consumers of this configuration should carefully read all
	// release notes before upgrading to ensure that the meaning of this field has
	// not changed.
	SkipGroupRefresh bool `json:"skipGroupRefresh,omitempty"`
}
func (*ActiveDirectoryIdentityProviderGroupSearch) DeepCopy ¶
func (in *ActiveDirectoryIdentityProviderGroupSearch) DeepCopy() *ActiveDirectoryIdentityProviderGroupSearch
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderGroupSearch.
func (*ActiveDirectoryIdentityProviderGroupSearch) DeepCopyInto ¶
func (in *ActiveDirectoryIdentityProviderGroupSearch) DeepCopyInto(out *ActiveDirectoryIdentityProviderGroupSearch)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ActiveDirectoryIdentityProviderGroupSearchAttributes ¶
type ActiveDirectoryIdentityProviderGroupSearchAttributes struct {
	// GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name
	// in the user's list of groups after a successful authentication.
	// The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory
	// server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn".
	// Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain",
	// where domain is constructed from the domain components of the group DN.
	// +optional
	GroupName string `json:"groupName,omitempty"`
}
func (*ActiveDirectoryIdentityProviderGroupSearchAttributes) DeepCopy ¶
func (in *ActiveDirectoryIdentityProviderGroupSearchAttributes) DeepCopy() *ActiveDirectoryIdentityProviderGroupSearchAttributes
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderGroupSearchAttributes.
func (*ActiveDirectoryIdentityProviderGroupSearchAttributes) DeepCopyInto ¶
func (in *ActiveDirectoryIdentityProviderGroupSearchAttributes) DeepCopyInto(out *ActiveDirectoryIdentityProviderGroupSearchAttributes)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ActiveDirectoryIdentityProviderList ¶
type ActiveDirectoryIdentityProviderList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	Items []ActiveDirectoryIdentityProvider `json:"items"`
}
List of ActiveDirectoryIdentityProvider objects.

+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
func (*ActiveDirectoryIdentityProviderList) DeepCopy ¶
func (in *ActiveDirectoryIdentityProviderList) DeepCopy() *ActiveDirectoryIdentityProviderList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderList.
func (*ActiveDirectoryIdentityProviderList) DeepCopyInto ¶
func (in *ActiveDirectoryIdentityProviderList) DeepCopyInto(out *ActiveDirectoryIdentityProviderList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ActiveDirectoryIdentityProviderList) DeepCopyObject ¶
func (in *ActiveDirectoryIdentityProviderList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ActiveDirectoryIdentityProviderPhase ¶
type ActiveDirectoryIdentityProviderPhase string
const (
	// ActiveDirectoryPhasePending is the default phase for newly-created ActiveDirectoryIdentityProvider resources.
	ActiveDirectoryPhasePending ActiveDirectoryIdentityProviderPhase = "Pending"

	// ActiveDirectoryPhaseReady is the phase for an ActiveDirectoryIdentityProvider resource in a healthy state.
	ActiveDirectoryPhaseReady ActiveDirectoryIdentityProviderPhase = "Ready"

	// ActiveDirectoryPhaseError is the phase for an ActiveDirectoryIdentityProvider in an unhealthy state.
	ActiveDirectoryPhaseError ActiveDirectoryIdentityProviderPhase = "Error"
)
type ActiveDirectoryIdentityProviderSpec ¶
type ActiveDirectoryIdentityProviderSpec struct {
	// Host is the hostname of this Active Directory identity provider, i.e., where to connect. For example: ldap.example.com:636.
	// +kubebuilder:validation:MinLength=1
	Host string `json:"host"`

	// TLS contains the connection settings for how to establish the connection to the Host.
	TLS *TLSSpec `json:"tls,omitempty"`

	// Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server
	// to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
	Bind ActiveDirectoryIdentityProviderBind `json:"bind,omitempty"`

	// UserSearch contains the configuration for searching for a user by name in Active Directory.
	UserSearch ActiveDirectoryIdentityProviderUserSearch `json:"userSearch,omitempty"`

	// GroupSearch contains the configuration for searching for a user's group membership in ActiveDirectory.
	GroupSearch ActiveDirectoryIdentityProviderGroupSearch `json:"groupSearch,omitempty"`
}
Spec for configuring an ActiveDirectory identity provider.
func (*ActiveDirectoryIdentityProviderSpec) DeepCopy ¶
func (in *ActiveDirectoryIdentityProviderSpec) DeepCopy() *ActiveDirectoryIdentityProviderSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderSpec.
func (*ActiveDirectoryIdentityProviderSpec) DeepCopyInto ¶
func (in *ActiveDirectoryIdentityProviderSpec) DeepCopyInto(out *ActiveDirectoryIdentityProviderSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ActiveDirectoryIdentityProviderStatus ¶
type ActiveDirectoryIdentityProviderStatus struct {
	// Phase summarizes the overall status of the ActiveDirectoryIdentityProvider.
	// +kubebuilder:default=Pending
	// +kubebuilder:validation:Enum=Pending;Ready;Error
	Phase ActiveDirectoryIdentityProviderPhase `json:"phase,omitempty"`

	// Represents the observations of an identity provider's current state.
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}
Status of an Active Directory identity provider.
func (*ActiveDirectoryIdentityProviderStatus) DeepCopy ¶
func (in *ActiveDirectoryIdentityProviderStatus) DeepCopy() *ActiveDirectoryIdentityProviderStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderStatus.
func (*ActiveDirectoryIdentityProviderStatus) DeepCopyInto ¶
func (in *ActiveDirectoryIdentityProviderStatus) DeepCopyInto(out *ActiveDirectoryIdentityProviderStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ActiveDirectoryIdentityProviderUserSearch ¶
type ActiveDirectoryIdentityProviderUserSearch struct {
	// Base is the dn (distinguished name) that should be used as the search base when searching for users.
	// E.g. "ou=users,dc=example,dc=com".
	// Optional, when not specified it will be based on the result of a query for the defaultNamingContext
	// (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
	// The default behavior searches your entire domain for users.
	// It may make sense to specify a subtree as a search base if you wish to exclude some users
	// or to make searches faster.
	// +optional
	Base string `json:"base,omitempty"`

	// Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur
	// in the filter at least once and will be dynamically replaced by the username for which the search is being run.
	// E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see
	// https://ldap.com/ldap-filters.
	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
	// Optional. When not specified, the default will be
	// '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={})(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
	// This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account,
	// and is not shown in advanced view only
	// (which would likely mean it's a system-created service account with advanced permissions).
	// Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username.
	// +optional
	Filter string `json:"filter,omitempty"`

	// Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as
	// the result of the user search.
	// +optional
	Attributes ActiveDirectoryIdentityProviderUserSearchAttributes `json:"attributes,omitempty"`
}
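Both the user search and the group search above are driven by a filter string in which every "{}" is replaced at query time: by the username being authenticated for the user search, and by the user's dn (or the attribute named in UserAttributeForFilter) for the group search. The added example below, which is not Pinniped's code, renders both filters with the defaults documented on this page and escapes the substituted value according to RFC 4515 so that a username containing filter metacharacters is matched literally rather than changing the shape of the query. The escaping routine, the userEntry type and the sample entry are constructed for the example; the assumption that Pinniped applies equivalent escaping, and that filters are used without adding outer parentheses, is the example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Default filters as documented on this page (with balanced parentheses).
const (
	defaultADUserFilter  = "(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={})(mail={})(userPrincipalName={})(sAMAccountType=805306368))"
	defaultADGroupFilter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={}))"
)

// userEntry is a constructed stand-in for the entry returned by the user search.
type userEntry struct {
	DN    string
	Attrs map[string]string
}

// escapeFilterValue escapes a value for inclusion in an LDAP search filter as
// RFC 4515 requires, so that "*", "(", ")", "\" or NUL in a username is matched
// literally instead of altering the filter's structure.
// (Assumption: Pinniped applies equivalent escaping; this is not its code.)
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// renderFilter replaces every "{}" placeholder with the escaped value and
// rejects a filter with no placeholder, as the field docs require at least one.
func renderFilter(filter, value string) (string, error) {
	if !strings.Contains(filter, "{}") {
		return "", errors.New(`filter must contain the "{}" placeholder at least once`)
	}
	return strings.ReplaceAll(filter, "{}", escapeFilterValue(value)), nil
}

// userSearchFilter renders the user search; an empty configured filter means the documented default.
func userSearchFilter(configured, username string) (string, error) {
	if configured == "" {
		configured = defaultADUserFilter
	}
	return renderFilter(configured, username)
}

// groupSearchFilter renders the group search: an empty configured filter means the
// nested-group default, and an empty (or "dn") userAttributeForFilter substitutes the
// user's distinguished name, otherwise the named attribute of the user entry.
func groupSearchFilter(configured, userAttributeForFilter string, user userEntry) (string, error) {
	if configured == "" {
		configured = defaultADGroupFilter
	}
	value := user.DN
	if userAttributeForFilter != "" && userAttributeForFilter != "dn" {
		v, ok := user.Attrs[userAttributeForFilter]
		if !ok {
			return "", fmt.Errorf("user entry %q has no attribute %q", user.DN, userAttributeForFilter)
		}
		value = v
	}
	return renderFilter(configured, value)
}

func main() {
	// Constructed inputs: a username and the entry the user search would return for it.
	user := userEntry{DN: "cn=alice,ou=users,dc=example,dc=com", Attrs: map[string]string{"uid": "alice"}}
	f, _ := userSearchFilter("", "alice")
	fmt.Println(f)
	g, _ := groupSearchFilter("", "", user) // default nested-group search keyed on the user's dn
	fmt.Println(g)
	g, _ = groupSearchFilter("(&(objectClass=posixGroup)(memberUid={}))", "uid", user)
	fmt.Println(g)
	fmt.Println(escapeFilterValue("a*b(c)")) // a\2ab\28c\29
}
```

Note that the dn substituted by the default group search contains commas and equals signs; those are not filter metacharacters and pass through unchanged, which is why the extensible-match default works on the raw dn.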
func (*ActiveDirectoryIdentityProviderUserSearch) DeepCopy ¶
func (in *ActiveDirectoryIdentityProviderUserSearch) DeepCopy() *ActiveDirectoryIdentityProviderUserSearch
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderUserSearch.
func (*ActiveDirectoryIdentityProviderUserSearch) DeepCopyInto ¶
func (in *ActiveDirectoryIdentityProviderUserSearch) DeepCopyInto(out *ActiveDirectoryIdentityProviderUserSearch)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ActiveDirectoryIdentityProviderUserSearchAttributes ¶
type ActiveDirectoryIdentityProviderUserSearchAttributes struct {
	// Username specifies the name of the attribute in the Active Directory entry whose value shall become the username
	// of the user after a successful authentication.
	// Optional, when empty this defaults to "userPrincipalName".
	// +optional
	Username string `json:"username,omitempty"`

	// UID specifies the name of the attribute in the ActiveDirectory entry whose value shall be used to uniquely
	// identify the user within this ActiveDirectory provider after a successful authentication.
	// Optional, when empty this defaults to "objectGUID".
	// +optional
	UID string `json:"uid,omitempty"`
}
func (*ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy ¶
func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *ActiveDirectoryIdentityProviderUserSearchAttributes
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderUserSearchAttributes.
func (*ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopyInto ¶
func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopyInto(out *ActiveDirectoryIdentityProviderUserSearchAttributes)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateAuthorityDataSourceKind ¶
type CertificateAuthorityDataSourceKind string
CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+kubebuilder:validation:Enum=Secret;ConfigMap
type CertificateAuthorityDataSourceSpec ¶
type CertificateAuthorityDataSourceSpec struct {
	// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
	// Allowed values are "Secret" or "ConfigMap".
	// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
	// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
	Kind CertificateAuthorityDataSourceKind `json:"kind"`

	// Name is the resource name of the secret or configmap from which to read the CA bundle.
	// The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
	// +kubebuilder:validation:MinLength=1
	Name string `json:"name"`

	// Key is the key name within the secret or configmap from which to read the CA bundle.
	// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
	// certificate bundle.
	// +kubebuilder:validation:MinLength=1
	Key string `json:"key"`
}
CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
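The three fields above pin down exactly which object and key the CA bundle is read from and what the data must look like. The added example below, which is not Pinniped's code, applies those rules to an in-memory stand-in for a Secret or ConfigMap: the kind must be one of the two documented values, a Secret must be of type kubernetes.io/tls or Opaque, the key must be present and non-empty, and the data must parse as a PEM certificate bundle. The caSource and k8sObject types are constructed for the example, and the CA certificate it validates is generated at run time as throwaway test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// caSource mirrors the three fields of CertificateAuthorityDataSourceSpec.
type caSource struct {
	Kind string // "Secret" or "ConfigMap"
	Name string
	Key  string
}

// k8sObject is a constructed stand-in for a Secret or ConfigMap as read from the
// Supervisor's namespace; Type is only meaningful for a Secret.
type k8sObject struct {
	Kind string
	Name string
	Type string
	Data map[string][]byte
}

// loadCABundle applies the field docs' rules and returns a pool ready for TLS verification.
func loadCABundle(src caSource, obj k8sObject) (*x509.CertPool, error) {
	switch src.Kind {
	case "Secret":
		if obj.Type != "kubernetes.io/tls" && obj.Type != "Opaque" {
			return nil, fmt.Errorf("secret %q has type %q, want kubernetes.io/tls or Opaque", src.Name, obj.Type)
		}
	case "ConfigMap":
	default:
		return nil, fmt.Errorf("unsupported kind %q", src.Kind)
	}
	if obj.Kind != src.Kind || obj.Name != src.Name {
		return nil, fmt.Errorf("expected %s/%s, got %s/%s", src.Kind, src.Name, obj.Kind, obj.Name)
	}
	data, ok := obj.Data[src.Key]
	if !ok || len(data) == 0 {
		return nil, fmt.Errorf("key %q missing or empty in %s/%s", src.Key, src.Kind, src.Name)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(data) { // false when no certificate could be parsed from the PEM
		return nil, errors.New("data is not a valid PEM-encoded certificate bundle")
	}
	return pool, nil
}

// newTestCAPEM generates a throwaway self-signed CA certificate (constructed test data).
func newTestCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-test-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	caPEM, err := newTestCAPEM()
	if err != nil {
		panic(err)
	}
	src := caSource{Kind: "Secret", Name: "my-ca", Key: "ca.crt"}
	secret := k8sObject{Kind: "Secret", Name: "my-ca", Type: "Opaque", Data: map[string][]byte{"ca.crt": caPEM}}
	if _, err := loadCABundle(src, secret); err != nil {
		panic(err)
	}
	fmt.Println("CA bundle loaded from Secret my-ca, key ca.crt")
	wrongType := secret
	wrongType.Type = "kubernetes.io/basic-auth"
	_, err = loadCABundle(src, wrongType)
	fmt.Println("wrong secret type:", err)
}
```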
func (*CertificateAuthorityDataSourceSpec) DeepCopy ¶
func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
func (*CertificateAuthorityDataSourceSpec) DeepCopyInto ¶
func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type GitHubAPIConfig ¶
type GitHubAPIConfig struct {
	// Host is required only for GitHub Enterprise Server.
	// Defaults to using GitHub's public API ("github.com").
	// For convenience, specifying "github.com" is equivalent to specifying "api.github.com".
	// Do not specify a protocol or scheme since "https://" will always be used.
	// Port is optional. Do not specify a path, query, fragment, or userinfo.
	// Only specify domain name or IP address, subdomains (optional), and port (optional).
	// IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
	// in square brackets. Example: "[::1]:443".
	//
	// +kubebuilder:default="github.com"
	// +kubebuilder:validation:MinLength=1
	// +optional
	Host *string `json:"host"`

	// TLS configuration for GitHub Enterprise Server.
	// Note that this field should not be needed when using GitHub's public API ("github.com").
	// However, if you choose to specify this field when using GitHub's public API, you must
	// specify a CA bundle that will verify connections to "api.github.com".
	//
	// +optional
	TLS *TLSSpec `json:"tls,omitempty"`
}
GitHubAPIConfig allows configuration for GitHub Enterprise Server.
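The Host rules above (no scheme, no path, query, fragment or userinfo, optional port, bracketed IPv6 literals, and "github.com" as an alias for "api.github.com") amount to a small normalization routine. The added example below, which is not Pinniped's code, implements those rules by parsing the value as the authority of an https URL so that anything beyond host and port becomes visible and can be rejected; lowercasing of DNS names is the example's own assumption.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// normalizeGitHubAPIHost applies the GitHubAPIConfig.Host rules and returns the
// host[:port] that "https://" would be prepended to.
func normalizeGitHubAPIHost(host string) (string, error) {
	if host == "" {
		host = "github.com" // documented default
	}
	if strings.Contains(host, "://") {
		return "", errors.New(`do not specify a scheme; "https://" is always used`)
	}
	// Parse as the authority part of an https URL: userinfo, path, query and
	// fragment each land in their own field and can be rejected explicitly.
	u, err := url.Parse("https://" + host)
	if err != nil {
		return "", err
	}
	if u.User != nil || u.Path != "" || u.RawQuery != "" || u.Fragment != "" || u.Host != host {
		return "", fmt.Errorf("host %q may contain only a domain name or IP address and an optional port", host)
	}
	name, port := strings.ToLower(u.Hostname()), u.Port()
	if name == "" {
		return "", errors.New("host name is empty")
	}
	ip := net.ParseIP(name)
	isIPv6 := ip != nil && ip.To4() == nil
	// url.Parse tolerates an unbracketed IPv6 literal with a port; the docs do not.
	if isIPv6 && port != "" && !strings.HasPrefix(host, "[") {
		return "", fmt.Errorf(`IPv6 address %q with a port must be enclosed in square brackets, e.g. "[::1]:443"`, name)
	}
	if name == "github.com" {
		name = "api.github.com" // documented convenience alias
	}
	switch {
	case port != "":
		return net.JoinHostPort(name, port), nil // re-brackets an IPv6 literal
	case isIPv6:
		return "[" + name + "]", nil
	default:
		return name, nil
	}
}

func main() {
	// Constructed sample inputs covering the documented cases.
	for _, h := range []string{"", "github.com", "ghe.example.com:8443", "[::1]:443", "::1:443", "https://ghe.example.com", "ghe.example.com/api/v3"} {
		got, err := normalizeGitHubAPIHost(h)
		fmt.Printf("%-28q -> %q %v\n", h, got, err)
	}
}
```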
func (*GitHubAPIConfig) DeepCopy ¶
func (in *GitHubAPIConfig) DeepCopy() *GitHubAPIConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAPIConfig.
func (*GitHubAPIConfig) DeepCopyInto ¶
func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type GitHubAllowAuthenticationSpec ¶
type GitHubAllowAuthenticationSpec struct {
	// Organizations allows customization of which organizations can authenticate using this IDP.
	// +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed has organizations listed",rule="!(has(self.allowed) && size(self.allowed) > 0 && self.policy == 'AllGitHubUsers')"
	// +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed is empty",rule="!((!has(self.allowed) || size(self.allowed) == 0) && self.policy == 'OnlyUsersFromAllowedOrganizations')"
	Organizations GitHubOrganizationsSpec `json:"organizations"`
}
GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how.
func (*GitHubAllowAuthenticationSpec) DeepCopy ¶
func (in *GitHubAllowAuthenticationSpec) DeepCopy() *GitHubAllowAuthenticationSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAllowAuthenticationSpec.
func (*GitHubAllowAuthenticationSpec) DeepCopyInto ¶
func (in *GitHubAllowAuthenticationSpec) DeepCopyInto(out *GitHubAllowAuthenticationSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type GitHubAllowedAuthOrganizationsPolicy ¶
type GitHubAllowedAuthOrganizationsPolicy string
const (
	// GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers means any GitHub user is allowed to log in using this identity
	// provider, regardless of their organization membership or lack thereof.
	GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers GitHubAllowedAuthOrganizationsPolicy = "AllGitHubUsers"

	// GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations means only those users with membership in
	// the listed GitHub organizations are allowed to log in.
	GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations GitHubAllowedAuthOrganizationsPolicy = "OnlyUsersFromAllowedOrganizations"
)
type GitHubClaims ¶
type GitHubClaims struct {
	// Username configures which property of the GitHub user record shall determine the username in Kubernetes.
	//
	// Can be either "id", "login", or "login:id". Defaults to "login:id".
	//
	// GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens,
	// and may not start or end with hyphens. GitHub users are allowed to change their login name,
	// although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar",
	// then a second user might change their name from "baz" to "foo" in order to take the old
	// username of the first user. For this reason, it is not as safe to make authorization decisions
	// based only on the user's login attribute.
	//
	// If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
	// FederationDomain to further customize how these usernames are presented to Kubernetes.
	//
	// Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and
	// unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value
	// from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable
	// choice to concatenate the two values.
	//
	// See the response schema for
	// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
	//
	// +kubebuilder:default="login:id"
	// +kubebuilder:validation:Enum={"id","login","login:id"}
	// +optional
	Username *GitHubUsernameAttribute `json:"username"`

	// Groups configures which property of the GitHub team record shall determine the group names in Kubernetes.
	//
	// Can be either "name" or "slug". Defaults to "slug".
	//
	// GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!").
	//
	// GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins").
	//
	// Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a
	// forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters
	// or single hyphens, so the first forward slash `/` will be the separator between the organization login name and
	// the team name or slug.
	//
	// If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
	// FederationDomain to further customize how these group names are presented to Kubernetes.
	//
	// See the response schema for
	// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
	//
	// +kubebuilder:default=slug
	// +kubebuilder:validation:Enum=name;slug
	// +optional
	Groups *GitHubGroupNameAttribute `json:"groups"`
}
GitHubClaims allows customization of the username and groups claims.
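The organization policy (GitHubAllowAuthenticationSpec and its two CEL rules) and the username and groups claims above together decide who may log in through a GitHubIdentityProvider and under which Kubernetes identity. The added example below, which is not Pinniped's code, renders the same rules in plain Go: the two XValidation rules as a validation function, the policy as a login gate, "login:id" as the default username so that a login name reassigned to a different account produces a different Kubernetes username, and "org-login/slug" as the default group name. The githubUser and githubTeam types, the organizationsSpec type, the case-insensitive comparison of organization logins, and the scenario data are the example's own constructions.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// githubUser and githubTeam are constructed stand-ins for the parts of the GitHub
// API responses (linked from the field docs) that the claims are built from.
type githubUser struct {
	Login string // reusable: a user may change it, and another user may later take it
	ID    int64  // unique and unchanging
}

type githubTeam struct {
	OrgLogin string // organization login name, e.g. "my-org"
	Name     string // e.g. "Kube admins!"
	Slug     string // e.g. "kube-admins"
}

// Policy values as documented for GitHubAllowedAuthOrganizationsPolicy.
const (
	policyAllGitHubUsers  = "AllGitHubUsers"
	policyOnlyAllowedOrgs = "OnlyUsersFromAllowedOrganizations"
)

// organizationsSpec carries the two fields the CEL rules refer to as self.policy and self.allowed.
type organizationsSpec struct {
	Policy  string
	Allowed []string
}

// validateOrganizationsSpec is a plain-Go rendering of the two XValidation rules on
// GitHubAllowAuthenticationSpec: the policy must agree with whether any organizations are listed.
func validateOrganizationsSpec(s organizationsSpec) error {
	hasAllowed := len(s.Allowed) > 0
	switch s.Policy {
	case policyAllGitHubUsers:
		if hasAllowed {
			return errors.New("policy must be 'OnlyUsersFromAllowedOrganizations' when allowed has organizations listed")
		}
	case policyOnlyAllowedOrgs:
		if !hasAllowed {
			return errors.New("policy must be 'AllGitHubUsers' when allowed is empty")
		}
	default:
		return fmt.Errorf("unknown policy %q", s.Policy)
	}
	return nil
}

// allowLogin applies the policy to the organizations the user is a member of.
// Organization logins are compared case-insensitively (an assumption of this example).
func allowLogin(s organizationsSpec, userOrgs []string) (bool, error) {
	if err := validateOrganizationsSpec(s); err != nil {
		return false, err
	}
	if s.Policy == policyAllGitHubUsers {
		return true, nil
	}
	for _, allowed := range s.Allowed {
		for _, org := range userOrgs {
			if strings.EqualFold(allowed, org) {
				return true, nil
			}
		}
	}
	return false, nil // fail closed: no listed organization matched
}

// kubeUsername renders the username claim; "" selects the documented default "login:id".
func kubeUsername(attr string, u githubUser) (string, error) {
	id := strconv.FormatInt(u.ID, 10)
	switch attr {
	case "", "login:id":
		return u.Login + ":" + id, nil
	case "login":
		return u.Login, nil
	case "id":
		return id, nil
	}
	return "", fmt.Errorf("unsupported username attribute %q", attr)
}

// kubeGroups renders "<org login>/<team slug or name>"; "" selects the documented default "slug".
func kubeGroups(attr string, teams []githubTeam) ([]string, error) {
	out := make([]string, 0, len(teams))
	for _, t := range teams {
		switch attr {
		case "", "slug":
			out = append(out, t.OrgLogin+"/"+t.Slug)
		case "name":
			out = append(out, t.OrgLogin+"/"+t.Name)
		default:
			return nil, fmt.Errorf("unsupported groups attribute %q", attr)
		}
	}
	return out, nil
}

func main() {
	// Constructed scenario from the field docs: the account that used to be "foo" is now "bar",
	// and a different account has since taken the login "foo".
	renamed := githubUser{Login: "bar", ID: 1001}
	newcomer := githubUser{Login: "foo", ID: 2002}
	for _, u := range []githubUser{renamed, newcomer} {
		name, _ := kubeUsername("", u)
		fmt.Println(name) // "login:id" keeps the two accounts distinct; "login" alone would not
	}
	groups, _ := kubeGroups("", []githubTeam{{OrgLogin: "my-org", Name: "Kube admins!", Slug: "kube-admins"}})
	fmt.Println(groups) // [my-org/kube-admins]
	ok, err := allowLogin(organizationsSpec{Policy: policyOnlyAllowedOrgs, Allowed: []string{"my-org"}}, []string{"other-org"})
	fmt.Println(ok, err) // false <nil>
}
```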
func (*GitHubClaims) DeepCopy ¶
func (in *GitHubClaims) DeepCopy() *GitHubClaims
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClaims.
func (*GitHubClaims) DeepCopyInto ¶
func (in *GitHubClaims) DeepCopyInto(out *GitHubClaims)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type GitHubClientSpec ¶
type GitHubClientSpec struct {
	// SecretName contains the name of a namespace-local Secret object that provides the clientID and
	// clientSecret for a GitHub App or GitHub OAuth2 client.
	//
	// This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
	//
	// +kubebuilder:validation:MinLength=1
	SecretName string `json:"secretName"`
}
GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows.
func (*GitHubClientSpec) DeepCopy ¶
func (in *GitHubClientSpec) DeepCopy() *GitHubClientSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClientSpec.
func (*GitHubClientSpec) DeepCopyInto ¶
func (in *GitHubClientSpec) DeepCopyInto(out *GitHubClientSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type GitHubGroupNameAttribute ¶
type GitHubGroupNameAttribute string
GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group names to present to Kubernetes. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
const (
	// GitHubUseTeamNameForGroupName specifies using the GitHub team's `name` attribute as the group name to present to Kubernetes.
	GitHubUseTeamNameForGroupName GitHubGroupNameAttribute = "name"

	// GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the group name to present to Kubernetes.
	GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug"
)
type GitHubIdentityProvider ¶
type GitHubIdentityProvider struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec for configuring the identity provider.
	Spec GitHubIdentityProviderSpec `json:"spec"`

	// Status of the identity provider.
	Status GitHubIdentityProviderStatus `json:"status,omitempty"`
}
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients.
+genclient +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.githubAPI.host` +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +kubebuilder:subresource:status
func (*GitHubIdentityProvider) DeepCopy ¶
func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider.
func (*GitHubIdentityProvider) DeepCopyInto ¶
func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*GitHubIdentityProvider) DeepCopyObject ¶
func (in *GitHubIdentityProvider) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type GitHubIdentityProviderList ¶
type GitHubIdentityProviderList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	Items []GitHubIdentityProvider `json:"items"`
}
GitHubIdentityProviderList lists GitHubIdentityProvider objects.
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
func (*GitHubIdentityProviderList) DeepCopy ¶
func (in *GitHubIdentityProviderList) DeepCopy() *GitHubIdentityProviderList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderList.
func (*GitHubIdentityProviderList) DeepCopyInto ¶
func (in *GitHubIdentityProviderList) DeepCopyInto(out *GitHubIdentityProviderList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*GitHubIdentityProviderList) DeepCopyObject ¶
func (in *GitHubIdentityProviderList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type GitHubIdentityProviderPhase ¶
type GitHubIdentityProviderPhase string
const (
	// GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources.
	GitHubPhasePending GitHubIdentityProviderPhase = "Pending"
	// GitHubPhaseReady is the phase for a GitHubIdentityProvider resource in a healthy state.
	GitHubPhaseReady GitHubIdentityProviderPhase = "Ready"
	// GitHubPhaseError is the phase for a GitHubIdentityProvider in an unhealthy state.
	GitHubPhaseError GitHubIdentityProviderPhase = "Error"
)
type GitHubIdentityProviderSpec ¶
type GitHubIdentityProviderSpec struct {
	// GitHubAPI allows configuration for GitHub Enterprise Server
	//
	// +kubebuilder:default={}
	GitHubAPI GitHubAPIConfig `json:"githubAPI,omitempty"`

	// Claims allows customization of the username and groups claims.
	//
	// +kubebuilder:default={}
	Claims GitHubClaims `json:"claims,omitempty"`

	// AllowAuthentication allows customization of who can authenticate using this IDP and how.
	AllowAuthentication GitHubAllowAuthenticationSpec `json:"allowAuthentication"`

	// Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client).
	Client GitHubClientSpec `json:"client"`
}
GitHubIdentityProviderSpec is the spec for configuring a GitHub identity provider.
func (*GitHubIdentityProviderSpec) DeepCopy ¶
func (in *GitHubIdentityProviderSpec) DeepCopy() *GitHubIdentityProviderSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderSpec.
func (*GitHubIdentityProviderSpec) DeepCopyInto ¶
func (in *GitHubIdentityProviderSpec) DeepCopyInto(out *GitHubIdentityProviderSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type GitHubIdentityProviderStatus ¶
type GitHubIdentityProviderStatus struct {
	// Phase summarizes the overall status of the GitHubIdentityProvider.
	//
	// +kubebuilder:default=Pending
	// +kubebuilder:validation:Enum=Pending;Ready;Error
	Phase GitHubIdentityProviderPhase `json:"phase,omitempty"`

	// Conditions represents the observations of an identity provider's current state.
	//
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}
GitHubIdentityProviderStatus is the status of a GitHub identity provider.
func (*GitHubIdentityProviderStatus) DeepCopy ¶
func (in *GitHubIdentityProviderStatus) DeepCopy() *GitHubIdentityProviderStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderStatus.
func (*GitHubIdentityProviderStatus) DeepCopyInto ¶
func (in *GitHubIdentityProviderStatus) DeepCopyInto(out *GitHubIdentityProviderStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type GitHubOrganizationsSpec ¶
type GitHubOrganizationsSpec struct {
	// Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
	// Defaults to "OnlyUsersFromAllowedOrganizations".
	//
	// Must be set to "AllGitHubUsers" if the allowed field is empty.
	//
	// This field only exists to ensure that Pinniped administrators are aware that an empty list of
	// allowedOrganizations means all GitHub users are allowed to log in.
	//
	// +kubebuilder:default=OnlyUsersFromAllowedOrganizations
	// +kubebuilder:validation:Enum=OnlyUsersFromAllowedOrganizations;AllGitHubUsers
	// +optional
	Policy *GitHubAllowedAuthOrganizationsPolicy `json:"policy"`

	// Allowed, when specified, indicates that only users with membership in at least one of the listed
	// GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include
	// teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be
	// provided as a policy expression on any Pinniped Supervisor FederationDomain that includes this IDP.
	//
	// The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations,
	// otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams
	// within that organization.
	//
	// If no organizations are listed, you must set policy: AllGitHubUsers.
	//
	// +kubebuilder:validation:MaxItems=64
	// +listType=set
	// +optional
	Allowed []string `json:"allowed,omitempty"`
}
func (*GitHubOrganizationsSpec) DeepCopy ¶
func (in *GitHubOrganizationsSpec) DeepCopy() *GitHubOrganizationsSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubOrganizationsSpec.
func (*GitHubOrganizationsSpec) DeepCopyInto ¶
func (in *GitHubOrganizationsSpec) DeepCopyInto(out *GitHubOrganizationsSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type GitHubUsernameAttribute ¶
type GitHubUsernameAttribute string
GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present to Kubernetes. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
const (
	// GitHubUsernameID specifies using the `id` attribute from the GitHub user for the username to present to Kubernetes.
	GitHubUsernameID GitHubUsernameAttribute = "id"
	// GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the username to present to Kubernetes.
	GitHubUsernameLogin GitHubUsernameAttribute = "login"
	// GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the
	// username to present to Kubernetes, separated by a colon. Example: "my-login:1234"
	GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id"
)
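How the GitHubUsernameAttribute, GitHubGroupNameAttribute and GitHubOrganizationsSpec settings above combine into the identity presented to Kubernetes, as an added example that is not Pinniped's own code. It runs the documented rules over constructed GitHub API responses: the JSON field names follow the GitHub REST schemas the page links to, while the helper names, the orgPolicy type, the userOrgs input (the user's organization memberships) and all sample data are this example's assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// Added example, not Pinniped's own code: it applies the GitHubUsernameAttribute,
// GitHubGroupNameAttribute and GitHubOrganizationsSpec rules to constructed GitHub
// API responses. Helper names, orgPolicy and the sample data are assumptions.

// ghUser is the subset of the "Get the authenticated user" response used here.
type ghUser struct {
	Login string `json:"login"`
	ID    int64  `json:"id"`
}

// ghTeam is the subset of the "List teams for the authenticated user" response used here.
type ghTeam struct {
	Name         string `json:"name"`
	Slug         string `json:"slug"`
	Organization struct {
		Login string `json:"login"`
	} `json:"organization"`
}

// Constructed sample responses; not captured from a real GitHub account.
const sampleUserJSON = `{"login":"my-login","id":1234}`
const sampleTeamsJSON = `[
  {"name":"Platform Team","slug":"platform-team","organization":{"login":"acme"}},
  {"name":"SRE","slug":"sre","organization":{"login":"acme"}},
  {"name":"Admins","slug":"admins","organization":{"login":"other-org"}}
]`

// orgPolicy mirrors GitHubOrganizationsSpec: Policy plus the Allowed organization logins.
type orgPolicy struct {
	Policy  string // "OnlyUsersFromAllowedOrganizations" (default when empty) or "AllGitHubUsers"
	Allowed []string
}

// validate enforces the documented rule: an empty Allowed list is only legal when the
// administrator has explicitly chosen AllGitHubUsers.
func (p orgPolicy) validate() error {
	switch p.Policy {
	case "", "OnlyUsersFromAllowedOrganizations":
		if len(p.Allowed) == 0 {
			return fmt.Errorf("allowed is empty; set policy to AllGitHubUsers to permit every GitHub user")
		}
	case "AllGitHubUsers":
	default:
		return fmt.Errorf("unknown organizations policy %q", p.Policy)
	}
	return nil
}

func (p orgPolicy) orgAllowed(org string) bool {
	if p.Policy == "AllGitHubUsers" {
		return true
	}
	for _, a := range p.Allowed {
		if a == org {
			return true
		}
	}
	return false
}

// usernameFor applies a GitHubUsernameAttribute value: "id", "login" or "login:id".
func usernameFor(attr string, u ghUser) (string, error) {
	id := strconv.FormatInt(u.ID, 10)
	switch attr {
	case "id":
		return id, nil
	case "login":
		return u.Login, nil
	case "login:id":
		return u.Login + ":" + id, nil
	}
	return "", fmt.Errorf("unknown username attribute %q", attr)
}

// resolveIdentity parses both responses, applies the organization gate using the user's
// organization memberships (userOrgs, a constructed input), and returns the username and
// group names to present to Kubernetes. Only teams in allowed organizations become groups.
func resolveIdentity(userJSON, teamsJSON, usernameAttr, groupAttr string, userOrgs []string, p orgPolicy) (string, []string, error) {
	if err := p.validate(); err != nil {
		return "", nil, err
	}
	var u ghUser
	var teams []ghTeam
	if err := json.Unmarshal([]byte(userJSON), &u); err != nil {
		return "", nil, err
	}
	if err := json.Unmarshal([]byte(teamsJSON), &teams); err != nil {
		return "", nil, err
	}
	allowed := p.Policy == "AllGitHubUsers"
	for _, o := range userOrgs {
		allowed = allowed || p.orgAllowed(o)
	}
	if !allowed {
		return "", nil, fmt.Errorf("user %q is not a member of any allowed organization", u.Login)
	}
	username, err := usernameFor(usernameAttr, u)
	if err != nil {
		return "", nil, err
	}
	var groups []string
	for _, t := range teams {
		if !p.orgAllowed(t.Organization.Login) {
			continue
		}
		switch groupAttr {
		case "name":
			groups = append(groups, t.Name)
		case "slug":
			groups = append(groups, t.Slug)
		default:
			return "", nil, fmt.Errorf("unknown group name attribute %q", groupAttr)
		}
	}
	return username, groups, nil
}

func main() {
	p := orgPolicy{Policy: "OnlyUsersFromAllowedOrganizations", Allowed: []string{"acme"}}
	fmt.Println(resolveIdentity(sampleUserJSON, sampleTeamsJSON, "login:id", "slug", []string{"acme", "other-org"}, p))
}
```

The validate step is the part worth copying: it refuses the default policy with an empty allowed list, which is exactly the misconfiguration the Policy field's comment exists to prevent. Note that a team in "other-org" is dropped from the groups even though the user is a member there, because only teams within listed organizations are presented.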
type LDAPIdentityProvider ¶
type LDAPIdentityProvider struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec for configuring the identity provider.
	Spec LDAPIdentityProviderSpec `json:"spec"`

	// Status of the identity provider.
	Status LDAPIdentityProviderStatus `json:"status,omitempty"`
}
LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access Protocol (LDAP) identity provider.
+genclient +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.host` +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +kubebuilder:subresource:status
func (*LDAPIdentityProvider) DeepCopy ¶
func (in *LDAPIdentityProvider) DeepCopy() *LDAPIdentityProvider
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProvider.
func (*LDAPIdentityProvider) DeepCopyInto ¶
func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*LDAPIdentityProvider) DeepCopyObject ¶
func (in *LDAPIdentityProvider) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type LDAPIdentityProviderBind ¶
type LDAPIdentityProviderBind struct {
	// SecretName contains the name of a namespace-local Secret object that provides the username and
	// password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be
	// of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value
	// should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
	// The password must be non-empty.
	// +kubebuilder:validation:MinLength=1
	SecretName string `json:"secretName"`
}
func (*LDAPIdentityProviderBind) DeepCopy ¶
func (in *LDAPIdentityProviderBind) DeepCopy() *LDAPIdentityProviderBind
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderBind.
func (*LDAPIdentityProviderBind) DeepCopyInto ¶
func (in *LDAPIdentityProviderBind) DeepCopyInto(out *LDAPIdentityProviderBind)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type LDAPIdentityProviderGroupSearch ¶
type LDAPIdentityProviderGroupSearch struct {
	// Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
	// "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and
	// authenticated users will not belong to any groups from the LDAP provider. Also, when not specified,
	// the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored.
	// +optional
	Base string `json:"base,omitempty"`

	// Filter is the LDAP search filter which should be applied when searching for groups for a user.
	// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
	// value of an attribute of the user entry found as a result of the user search. Which attribute's
	// value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
	// For more information about LDAP filters, see https://ldap.com/ldap-filters.
	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
	// Optional. When not specified, the default will act as if the Filter were specified as "member={}".
	// +optional
	Filter string `json:"filter,omitempty"`

	// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
	// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
	// For example, specifying "uid" as the UserAttributeForFilter while specifying
	// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
	// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
	// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
	// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
	// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
	// +optional
	UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`

	// Attributes specifies how the group's information should be read from each LDAP entry which was found as
	// the result of the group search.
	// +optional
	Attributes LDAPIdentityProviderGroupSearchAttributes `json:"attributes,omitempty"`

	// The user's group membership is refreshed as they interact with the supervisor
	// to obtain new credentials (as their old credentials expire). This allows group
	// membership changes to be quickly reflected into Kubernetes clusters. Since
	// group membership is often used to bind authorization policies, it is important
	// to keep the groups observed in Kubernetes clusters in-sync with the identity
	// provider.
	//
	// In some environments, frequent group membership queries may result in a
	// significant performance impact on the identity provider and/or the supervisor.
	// The best approach to handle performance impacts is to tweak the group query
	// to be more performant, for example by disabling nested group search or by
	// using a more targeted group search base.
	//
	// If the group search query cannot be made performant and you are willing to
	// have group memberships remain static for approximately a day, then set
	// skipGroupRefresh to true. This is an insecure configuration as authorization
	// policies that are bound to group membership will not notice if a user has
	// been removed from a particular group until their next login.
	//
	// This is an experimental feature that may be removed or significantly altered
	// in the future. Consumers of this configuration should carefully read all
	// release notes before upgrading to ensure that the meaning of this field has
	// not changed.
	SkipGroupRefresh bool `json:"skipGroupRefresh,omitempty"`
}
func (*LDAPIdentityProviderGroupSearch) DeepCopy ¶
func (in *LDAPIdentityProviderGroupSearch) DeepCopy() *LDAPIdentityProviderGroupSearch
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderGroupSearch.
func (*LDAPIdentityProviderGroupSearch) DeepCopyInto ¶
func (in *LDAPIdentityProviderGroupSearch) DeepCopyInto(out *LDAPIdentityProviderGroupSearch)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type LDAPIdentityProviderGroupSearchAttributes ¶
type LDAPIdentityProviderGroupSearchAttributes struct {
	// GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name
	// in the user's list of groups after a successful authentication.
	// The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
	// server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn".
	// Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name).
	// +optional
	GroupName string `json:"groupName,omitempty"`
}
func (*LDAPIdentityProviderGroupSearchAttributes) DeepCopy ¶
func (in *LDAPIdentityProviderGroupSearchAttributes) DeepCopy() *LDAPIdentityProviderGroupSearchAttributes
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderGroupSearchAttributes.
func (*LDAPIdentityProviderGroupSearchAttributes) DeepCopyInto ¶
func (in *LDAPIdentityProviderGroupSearchAttributes) DeepCopyInto(out *LDAPIdentityProviderGroupSearchAttributes)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type LDAPIdentityProviderList ¶
type LDAPIdentityProviderList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	Items []LDAPIdentityProvider `json:"items"`
}
List of LDAPIdentityProvider objects.
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
func (*LDAPIdentityProviderList) DeepCopy ¶
func (in *LDAPIdentityProviderList) DeepCopy() *LDAPIdentityProviderList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderList.
func (*LDAPIdentityProviderList) DeepCopyInto ¶
func (in *LDAPIdentityProviderList) DeepCopyInto(out *LDAPIdentityProviderList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*LDAPIdentityProviderList) DeepCopyObject ¶
func (in *LDAPIdentityProviderList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type LDAPIdentityProviderPhase ¶
type LDAPIdentityProviderPhase string
const (
	// LDAPPhasePending is the default phase for newly-created LDAPIdentityProvider resources.
	LDAPPhasePending LDAPIdentityProviderPhase = "Pending"
	// LDAPPhaseReady is the phase for an LDAPIdentityProvider resource in a healthy state.
	LDAPPhaseReady LDAPIdentityProviderPhase = "Ready"
	// LDAPPhaseError is the phase for an LDAPIdentityProvider in an unhealthy state.
	LDAPPhaseError LDAPIdentityProviderPhase = "Error"
)
type LDAPIdentityProviderSpec ¶
type LDAPIdentityProviderSpec struct {
	// Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636.
	// +kubebuilder:validation:MinLength=1
	Host string `json:"host"`

	// TLS contains the connection settings for how to establish the connection to the Host.
	TLS *TLSSpec `json:"tls,omitempty"`

	// Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server
	// to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
	Bind LDAPIdentityProviderBind `json:"bind,omitempty"`

	// UserSearch contains the configuration for searching for a user by name in the LDAP provider.
	UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"`

	// GroupSearch contains the configuration for searching for a user's group membership in the LDAP provider.
	GroupSearch LDAPIdentityProviderGroupSearch `json:"groupSearch,omitempty"`
}
Spec for configuring an LDAP identity provider.
func (*LDAPIdentityProviderSpec) DeepCopy ¶
func (in *LDAPIdentityProviderSpec) DeepCopy() *LDAPIdentityProviderSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderSpec.
func (*LDAPIdentityProviderSpec) DeepCopyInto ¶
func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type LDAPIdentityProviderStatus ¶
type LDAPIdentityProviderStatus struct {
	// Phase summarizes the overall status of the LDAPIdentityProvider.
	// +kubebuilder:default=Pending
	// +kubebuilder:validation:Enum=Pending;Ready;Error
	Phase LDAPIdentityProviderPhase `json:"phase,omitempty"`

	// Represents the observations of an identity provider's current state.
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}
Status of an LDAP identity provider.
func (*LDAPIdentityProviderStatus) DeepCopy ¶
func (in *LDAPIdentityProviderStatus) DeepCopy() *LDAPIdentityProviderStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderStatus.
func (*LDAPIdentityProviderStatus) DeepCopyInto ¶
func (in *LDAPIdentityProviderStatus) DeepCopyInto(out *LDAPIdentityProviderStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type LDAPIdentityProviderUserSearch ¶
type LDAPIdentityProviderUserSearch struct {
	// Base is the dn (distinguished name) that should be used as the search base when searching for users.
	// E.g. "ou=users,dc=example,dc=com".
	// +kubebuilder:validation:MinLength=1
	Base string `json:"base,omitempty"`

	// Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur
	// in the filter at least once and will be dynamically replaced by the username for which the search is being run.
	// E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see
	// https://ldap.com/ldap-filters.
	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
	// Optional. When not specified, the default will act as if the Filter were specified as the value from
	// Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be
	// explicitly specified, since the default value of "dn={}" would not work.
	// +optional
	Filter string `json:"filter,omitempty"`

	// Attributes specifies how the user's information should be read from the LDAP entry which was found as
	// the result of the user search.
	// +optional
	Attributes LDAPIdentityProviderUserSearchAttributes `json:"attributes,omitempty"`
}
func (*LDAPIdentityProviderUserSearch) DeepCopy ¶
func (in *LDAPIdentityProviderUserSearch) DeepCopy() *LDAPIdentityProviderUserSearch
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderUserSearch.
func (*LDAPIdentityProviderUserSearch) DeepCopyInto ¶
func (in *LDAPIdentityProviderUserSearch) DeepCopyInto(out *LDAPIdentityProviderUserSearch)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type LDAPIdentityProviderUserSearchAttributes ¶
type LDAPIdentityProviderUserSearchAttributes struct {
	// Username specifies the name of the attribute in the LDAP entry whose value shall become the username
	// of the user after a successful authentication. This would typically be the same attribute name used in
	// the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName".
	// The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
	// server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field
	// is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default
	// value of "dn={}" would not work.
	// +kubebuilder:validation:MinLength=1
	Username string `json:"username,omitempty"`

	// UID specifies the name of the attribute in the LDAP entry whose value shall be used to uniquely
	// identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID".
	// The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
	// server in the user's entry. Distinguished names can be used by specifying lower-case "dn".
	// +kubebuilder:validation:MinLength=1
	UID string `json:"uid,omitempty"`
}
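The "{}" placeholder rules that LDAPIdentityProviderUserSearch and LDAPIdentityProviderGroupSearch document (the default filters, the lower-case "dn" special case, and substitution of the typed username or of a user-entry attribute), as an added example that is not Pinniped's own code. Escaping the substituted value per RFC 4515 before it enters the filter is this example's choice, since the page does not describe how Pinniped handles that; the helper names and the sample user entry are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Added example, not Pinniped's own code. It models the user search and group search
// filter rules from the LDAPIdentityProvider API; RFC 4515 escaping is this example's
// choice and the helper names are assumptions.

// escapeFilterValue escapes the bytes RFC 4515 reserves inside an assertion value so a
// username such as `a)(uid=*` is matched literally instead of changing the filter's shape.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// wrapFilter adds the outer parentheses that values like "uid={}" or
// "&(objectClass=person)(uid={})" omit, matching the examples on this page.
func wrapFilter(f string) string {
	if strings.HasPrefix(f, "(") && strings.HasSuffix(f, ")") {
		return f
	}
	return "(" + f + ")"
}

// substitute replaces every "{}" with the escaped value and returns a complete filter.
func substitute(filter, value string) (string, error) {
	if !strings.Contains(filter, "{}") {
		return "", fmt.Errorf("filter %q does not contain the {} placeholder", filter)
	}
	return wrapFilter(strings.ReplaceAll(filter, "{}", escapeFilterValue(value))), nil
}

// userSearchFilter builds the user search filter. An empty Filter defaults to
// Attributes.Username + "={}", which is why Username "dn" requires an explicit Filter.
func userSearchFilter(filter, usernameAttr, username string) (string, error) {
	if filter == "" {
		switch usernameAttr {
		case "":
			return "", errors.New("userSearch.attributes.username must be set")
		case "dn":
			return "", errors.New(`userSearch.filter must be set explicitly when attributes.username is "dn"`)
		}
		filter = usernameAttr + "={}"
	}
	return substitute(filter, username)
}

// groupSearchFilter builds the group search filter from the entry the user search found.
// An empty Filter defaults to "member={}" and an empty UserAttributeForFilter to "dn".
func groupSearchFilter(filter, userAttrForFilter, userDN string, userEntry map[string][]string) (string, error) {
	if filter == "" {
		filter = "member={}"
	}
	if userAttrForFilter == "" {
		userAttrForFilter = "dn"
	}
	value := userDN
	if userAttrForFilter != "dn" {
		vals := userEntry[userAttrForFilter]
		if len(vals) != 1 {
			return "", fmt.Errorf("user entry must carry exactly one %q value, found %d", userAttrForFilter, len(vals))
		}
		value = vals[0]
	}
	return substitute(filter, value)
}

func main() {
	// Constructed user entry, not taken from a real directory.
	userDN := "cn=jane,ou=users,dc=example,dc=com"
	entry := map[string][]string{"uid": {"jane"}}
	f, _ := userSearchFilter("", "uid", "jane")
	g, _ := groupSearchFilter("&(objectClass=posixGroup)(memberUid={})", "uid", userDN, entry)
	h, _ := userSearchFilter("&(objectClass=person)(uid={})", "uid", "a)(uid=*")
	fmt.Println(f, g, h)
}
```

The group search path deliberately requires exactly one value of the chosen attribute: a multi-valued attribute would otherwise silently pick one membership view, and a missing one would substitute an empty string and match far more than intended.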
func (*LDAPIdentityProviderUserSearchAttributes) DeepCopy ¶
func (in *LDAPIdentityProviderUserSearchAttributes) DeepCopy() *LDAPIdentityProviderUserSearchAttributes
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderUserSearchAttributes.
func (*LDAPIdentityProviderUserSearchAttributes) DeepCopyInto ¶
func (in *LDAPIdentityProviderUserSearchAttributes) DeepCopyInto(out *LDAPIdentityProviderUserSearchAttributes)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OIDCAuthorizationConfig ¶
type OIDCAuthorizationConfig struct {
	// additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization
	// request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials
	// Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is
	// always required according to the OIDC spec. By default, when this field is not set, the Supervisor will request
	// the following scopes: "openid", "offline_access", "email", and "profile". See
	// https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the "profile" and "email"
	// scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the
	// "offline_access" scope. This default value may change in future versions of Pinniped as the standard evolves,
	// or as common patterns used by providers who implement the standard in the ecosystem evolve.
	// By setting this list to anything other than an empty list, you are overriding the
	// default value, so you may wish to include some of "offline_access", "email", and "profile" in your override list.
	// If you do not want any of these scopes to be requested, you may set this list to contain only "openid".
	// Some OIDC providers may also require a scope to get access to the user's group membership, in which case you
	// may wish to include it in this list. Sometimes the scope to request the user's group membership is called
	// "groups", but unfortunately this is not specified in the OIDC standard.
	// Generally speaking, you should include any scopes required to cause the appropriate claims to be returned by
	// your OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in
	// the oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See
	// your OIDC provider's documentation for more information about what scopes are available to request claims.
	// Additionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor
	// from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be
	// "offline_access". See the documentation of your OIDC provider's authorization and token endpoints for its
	// requirements for what to include in the request in order to receive a refresh token in the response, if anything.
	// Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider
	// may ignore scopes that it does not understand or require (see
	// https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the
	// "offline_access" scope, then you must override the default value of this setting. This is required if your OIDC
	// provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider).
	// +optional
	AdditionalScopes []string `json:"additionalScopes,omitempty"`

	// additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your
	// OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra
	// parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id",
	// "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be
	// included in this setting. Additionally, the "hd" parameter cannot be included in this setting at this time.
	// The "hd" parameter is used by Google's OIDC provider to provide a hint as to which "hosted domain" the user
	// should use during login. However, Pinniped does not yet support validating the hosted domain in the resulting
	// ID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped.
	// This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password
	// Credentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the
	// Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt"
	// parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's
	// authorization endpoint for its requirements for what to include in the request in order to receive a refresh
	// token in the response, if anything. If your provider requires the prompt parameter to request a refresh token,
	// then include it here. Also note that most providers also require a certain scope to be requested in order to
	// receive refresh tokens. See the additionalScopes setting for more information about using scopes to request
	// refresh tokens.
	// +optional
	// +patchMergeKey=name
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=name
	AdditionalAuthorizeParameters []Parameter `json:"additionalAuthorizeParameters,omitempty"`

	// allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant
	// (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a
	// username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow.
	// The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be
	// supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password
	// Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose
	// to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the
	// cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be
	// convenient for users, especially for identities from your OIDC provider which are not intended to represent a human
	// actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it,
	// you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this
	// OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password
	// Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords
	// (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other
	// web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins.
	// allowPasswordGrant defaults to false.
	// +optional
	AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"`
}
OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization request parameters.
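The additionalScopes and additionalAuthorizeParameters rules above, applied to an authorize request, as an added example that is not Pinniped's own code. It shows the default scope list, that "openid" is always requested even when the list is overridden, and that the standard parameter names plus "hd" cannot be set through additionalAuthorizeParameters. The authzConfig and Parameter types are local stand-ins for the API types, and the client ID, redirect URI, state, nonce and PKCE challenge are constructed inputs that a real client generates per request.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Added example, not Pinniped's own code. authzConfig and Parameter are stand-ins for
// the OIDCAuthorizationConfig and Parameter API types; all request inputs are constructed.

type Parameter struct {
	Name  string
	Value string
}

type authzConfig struct {
	AdditionalScopes              []string
	AdditionalAuthorizeParameters []Parameter
}

// defaultScopes is the list the page says is requested when additionalScopes is unset.
var defaultScopes = []string{"openid", "offline_access", "email", "profile"}

// reservedParams are the standard parameters the page lists, plus "hd", which the page
// says is not accepted until the hosted-domain claim in the ID token can be validated.
var reservedParams = map[string]bool{
	"response_type": true, "scope": true, "client_id": true, "state": true, "nonce": true,
	"code_challenge": true, "code_challenge_method": true, "redirect_uri": true, "hd": true,
}

// effectiveScopes returns the scopes to request. A non-empty additionalScopes replaces the
// default list entirely, but "openid" is always included exactly once.
func effectiveScopes(additional []string) []string {
	if len(additional) == 0 {
		return append([]string(nil), defaultScopes...)
	}
	out := []string{"openid"}
	seen := map[string]bool{"openid": true}
	for _, s := range additional {
		if !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	return out
}

// validateParameters rejects reserved and duplicate names (the API keeps the list as a
// map keyed by name, so duplicates cannot be expressed there either).
func validateParameters(params []Parameter) error {
	seen := map[string]bool{}
	for _, p := range params {
		if reservedParams[p.Name] {
			return fmt.Errorf("additionalAuthorizeParameters may not set %q", p.Name)
		}
		if seen[p.Name] {
			return fmt.Errorf("duplicate additionalAuthorizeParameters name %q", p.Name)
		}
		seen[p.Name] = true
	}
	return nil
}

// buildAuthorizeParams assembles the query for an Authorization Code Flow request with PKCE.
func buildAuthorizeParams(cfg authzConfig, clientID, redirectURI, state, nonce, codeChallenge string) (url.Values, error) {
	if err := validateParameters(cfg.AdditionalAuthorizeParameters); err != nil {
		return nil, err
	}
	v := url.Values{}
	v.Set("response_type", "code")
	v.Set("client_id", clientID)
	v.Set("redirect_uri", redirectURI)
	v.Set("state", state)
	v.Set("nonce", nonce)
	v.Set("code_challenge", codeChallenge)
	v.Set("code_challenge_method", "S256")
	v.Set("scope", strings.Join(effectiveScopes(cfg.AdditionalScopes), " "))
	for _, p := range cfg.AdditionalAuthorizeParameters {
		v.Set(p.Name, p.Value)
	}
	return v, nil
}

func main() {
	cfg := authzConfig{AdditionalAuthorizeParameters: []Parameter{{Name: "prompt", Value: "consent"}}}
	v, err := buildAuthorizeParams(cfg, "client-1", "https://supervisor.example.com/callback", "state-1", "nonce-1", "challenge-1")
	fmt.Println(v.Encode(), err)
}
```

Validating the extra parameters before the standard ones are set is what keeps a configured parameter from overriding "redirect_uri" or "state"; the reserved list is the same one the field's comment enumerates.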
func (*OIDCAuthorizationConfig) DeepCopy ¶
func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCAuthorizationConfig.
func (*OIDCAuthorizationConfig) DeepCopyInto ¶
func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OIDCClaims ¶
type OIDCClaims struct {
	// Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain
	// the groups to which an identity belongs. By default, the identities will not include any group memberships when
	// this setting is not configured.
	// +optional
	Groups string `json:"groups"`

	// Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to
	// ascertain an identity's username. When not set, the username will be an automatically constructed unique string
	// which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from
	// the ID token.
	// +optional
	Username string `json:"username"`

	// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
	// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
	// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
	// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
	// OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients.
	// This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be
	// used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims
	// are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
	// +optional
	AdditionalClaimMappings map[string]string `json:"additionalClaimMappings,omitempty"`
}
OIDCClaims provides a mapping from upstream claims into identities.
func (*OIDCClaims) DeepCopy ¶
func (in *OIDCClaims) DeepCopy() *OIDCClaims
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClaims.
func (*OIDCClaims) DeepCopyInto ¶
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
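The claim-mapping rules that the OIDCClaims field comments describe, worked through as an added example (this is not Pinniped's own implementation): a Username, Groups and AdditionalClaimMappings configuration is applied to a decoded upstream claims map, with the documented defaults (issuer-plus-sub username when Username is unset, no groups when Groups is unset, additionalClaims omitted when nothing maps). The exact `<issuer>?sub=<sub>` fallback layout, the acceptance of a single-string groups claim, and all type and function names are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/url"
)

// OIDCClaims mirrors the three fields of the API type above (names assumed for this example).
type OIDCClaims struct {
	Username                string
	Groups                  string
	AdditionalClaimMappings map[string]string
}

// Identity is what the mapping produces for one upstream token.
type Identity struct {
	Username         string
	Groups           []string               // nil when Groups is unconfigured or the claim is absent
	AdditionalClaims map[string]interface{} // nil means "omit additionalClaims from the ID token"
}

// defaultUsername builds the issuer-plus-subject fallback. The "<issuer>?sub=<sub>" layout
// is an assumption of this example, not a format the page documents.
func defaultUsername(issuer, sub string) string {
	return issuer + "?sub=" + url.QueryEscape(sub)
}

// MapClaims applies cfg to the decoded claims of an upstream ID token or userinfo response.
func MapClaims(cfg OIDCClaims, issuer string, upstream map[string]interface{}) (Identity, error) {
	var id Identity

	// Username: the configured claim, otherwise issuer + "sub". A missing or empty value is an
	// error rather than a silent fallback, so a misconfiguration cannot yield an empty identity.
	if cfg.Username == "" {
		sub, ok := upstream["sub"].(string)
		if !ok || sub == "" {
			return id, fmt.Errorf(`upstream token is missing the required "sub" claim`)
		}
		id.Username = defaultUsername(issuer, sub)
	} else {
		name, ok := upstream[cfg.Username].(string)
		if !ok || name == "" {
			return id, fmt.Errorf("configured username claim %q is absent or not a string", cfg.Username)
		}
		id.Username = name
	}

	// Groups: no configuration means no group memberships at all. A single string is accepted
	// as a one-element list (an assumption; some providers emit groups that way).
	if cfg.Groups != "" {
		switch g := upstream[cfg.Groups].(type) {
		case nil:
			// claim absent: the identity simply has no groups
		case string:
			id.Groups = []string{g}
		case []interface{}:
			for _, v := range g {
				s, ok := v.(string)
				if !ok {
					return id, fmt.Errorf("groups claim %q contains a non-string element", cfg.Groups)
				}
				id.Groups = append(id.Groups, s)
			}
		default:
			return id, fmt.Errorf("groups claim %q has unsupported type %T", cfg.Groups, g)
		}
	}

	// additionalClaims: map keys are the new names, values are the upstream names. Upstream
	// claims that are absent are skipped, and if nothing is mapped the claim stays nil (omitted).
	for newName, upstreamName := range cfg.AdditionalClaimMappings {
		v, ok := upstream[upstreamName]
		if !ok {
			continue
		}
		if id.AdditionalClaims == nil {
			id.AdditionalClaims = map[string]interface{}{}
		}
		id.AdditionalClaims[newName] = v
	}
	return id, nil
}

func main() {
	// Constructed sample claims, shaped like a decoded upstream ID token.
	upstream := map[string]interface{}{
		"sub":    "user 42",
		"email":  "alice@example.com",
		"groups": []interface{}{"dev", "ops"},
		"dept":   "security",
	}
	cfg := OIDCClaims{
		Username:                "email",
		Groups:                  "groups",
		AdditionalClaimMappings: map[string]string{"department": "dept", "phone": "phone_number"},
	}
	id, err := MapClaims(cfg, "https://issuer.example.com", upstream)
	fmt.Printf("%+v err=%v\n", id, err)
}
```

The point worth noticing is the asymmetry: a missing username claim is a hard error (an identity must always have a name), while a missing groups claim or a missing upstream claim in AdditionalClaimMappings degrades silently, which is why the "phone" mapping above simply disappears from the result.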
type OIDCClient
type OIDCClient struct {
	// SecretName contains the name of a namespace-local Secret object that provides the clientID and
	// clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient
	// struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" with keys
	// "clientID" and "clientSecret".
	SecretName string `json:"secretName"`
}
OIDCClient contains information about an OIDC client (e.g., client ID and client secret).
func (*OIDCClient) DeepCopy
func (in *OIDCClient) DeepCopy() *OIDCClient
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient.
func (*OIDCClient) DeepCopyInto
func (in *OIDCClient) DeepCopyInto(out *OIDCClient)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OIDCIdentityProvider
type OIDCIdentityProvider struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec for configuring the identity provider.
	Spec OIDCIdentityProviderSpec `json:"spec"`

	// Status of the identity provider.
	Status OIDCIdentityProviderStatus `json:"status,omitempty"`
}
OIDCIdentityProvider describes the configuration of an upstream OpenID Connect identity provider.
+genclient
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps
+kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
+kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
+kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+kubebuilder:subresource:status
func (*OIDCIdentityProvider) DeepCopy
func (in *OIDCIdentityProvider) DeepCopy() *OIDCIdentityProvider
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCIdentityProvider.
func (*OIDCIdentityProvider) DeepCopyInto
func (in *OIDCIdentityProvider) DeepCopyInto(out *OIDCIdentityProvider)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*OIDCIdentityProvider) DeepCopyObject
func (in *OIDCIdentityProvider) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type OIDCIdentityProviderList
type OIDCIdentityProviderList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []OIDCIdentityProvider `json:"items"`
}
OIDCIdentityProviderList lists OIDCIdentityProvider objects.
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
func (*OIDCIdentityProviderList) DeepCopy
func (in *OIDCIdentityProviderList) DeepCopy() *OIDCIdentityProviderList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCIdentityProviderList.
func (*OIDCIdentityProviderList) DeepCopyInto
func (in *OIDCIdentityProviderList) DeepCopyInto(out *OIDCIdentityProviderList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*OIDCIdentityProviderList) DeepCopyObject
func (in *OIDCIdentityProviderList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type OIDCIdentityProviderPhase
type OIDCIdentityProviderPhase string
const (
	// PhasePending is the default phase for newly-created OIDCIdentityProvider resources.
	PhasePending OIDCIdentityProviderPhase = "Pending"

	// PhaseReady is the phase for an OIDCIdentityProvider resource in a healthy state.
	PhaseReady OIDCIdentityProviderPhase = "Ready"

	// PhaseError is the phase for an OIDCIdentityProvider in an unhealthy state.
	PhaseError OIDCIdentityProviderPhase = "Error"
)
type OIDCIdentityProviderSpec
type OIDCIdentityProviderSpec struct {
	// Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch
	// /.well-known/openid-configuration.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Pattern=`^https://`
	Issuer string `json:"issuer"`

	// TLS configuration for discovery/JWKS requests to the issuer.
	// +optional
	TLS *TLSSpec `json:"tls,omitempty"`

	// AuthorizationConfig holds information about how to form the OAuth2 authorization request
	// parameters to be used with this OIDC identity provider.
	// +optional
	AuthorizationConfig OIDCAuthorizationConfig `json:"authorizationConfig,omitempty"`

	// Claims provides the names of token claims that will be used when inspecting an identity from
	// this OIDC identity provider.
	// +optional
	Claims OIDCClaims `json:"claims"`

	// OIDCClient contains OIDC client information to be used with this OIDC identity
	// provider.
	Client OIDCClient `json:"client"`
}
OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider.
func (*OIDCIdentityProviderSpec) DeepCopy
func (in *OIDCIdentityProviderSpec) DeepCopy() *OIDCIdentityProviderSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCIdentityProviderSpec.
func (*OIDCIdentityProviderSpec) DeepCopyInto
func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OIDCIdentityProviderStatus
type OIDCIdentityProviderStatus struct {
	// Phase summarizes the overall status of the OIDCIdentityProvider.
	// +kubebuilder:default=Pending
	// +kubebuilder:validation:Enum=Pending;Ready;Error
	Phase OIDCIdentityProviderPhase `json:"phase,omitempty"`

	// Represents the observations of an identity provider's current state.
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}
OIDCIdentityProviderStatus is the status of an OIDC identity provider.
func (*OIDCIdentityProviderStatus) DeepCopy
func (in *OIDCIdentityProviderStatus) DeepCopy() *OIDCIdentityProviderStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCIdentityProviderStatus.
func (*OIDCIdentityProviderStatus) DeepCopyInto
func (in *OIDCIdentityProviderStatus) DeepCopyInto(out *OIDCIdentityProviderStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Parameter
type Parameter struct {
	// The name of the parameter. Required.
	// +kubebuilder:validation:MinLength=1
	Name string `json:"name"`

	// The value of the parameter.
	// +optional
	Value string `json:"value,omitempty"`
}
Parameter is a key/value pair which represents a parameter in an HTTP request.
func (*Parameter) DeepCopy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Parameter.
func (*Parameter) DeepCopyInto
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type TLSSpec
type TLSSpec struct {
	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
	// +optional
	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`

	// Reference to a CA bundle in a secret or a configmap.
	// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
	// +optional
	CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
}
TLSSpec provides TLS configuration for identity provider integration.
func (*TLSSpec) DeepCopy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSSpec.
func (*TLSSpec) DeepCopyInto
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
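How the inline CertificateAuthorityData form of TLSSpec is consumed, as an added example that is not Pinniped's own code: the base64 value is decoded, every PEM block is checked to be a CERTIFICATE (so a private key pasted into the field by mistake is rejected instead of silently ignored), and the resulting pool becomes the RootCAs of the tls.Config used for discovery/JWKS requests; an empty field leaves RootCAs nil, which is how crypto/tls expresses "trust the system roots". The CertificateAuthorityDataSource reference form is not handled here. The self-signed CA is generated at run time purely as constructed sample input, and the function and type names are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// TLSSpec mirrors the inline form of the API field; the Secret/ConfigMap source is not handled here.
type TLSSpec struct {
	CertificateAuthorityData string // base64-encoded PEM bundle, or empty for system roots
}

// ParseCABundle decodes the base64 value and parses every PEM block, refusing anything that is
// not a CERTIFICATE block so that a stray private key in the field is caught at config time.
func ParseCABundle(b64 string) ([]*x509.Certificate, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("certificateAuthorityData is not valid base64: %w", err)
	}
	var certs []*x509.Certificate
	for rest := raw; len(rest) > 0; {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break // remaining bytes are not PEM
		}
		if block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("unexpected %q block in CA bundle; only CERTIFICATE blocks are allowed", block.Type)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("invalid certificate in CA bundle: %w", err)
		}
		certs = append(certs, cert)
	}
	if len(certs) == 0 {
		return nil, fmt.Errorf("certificateAuthorityData contains no certificates")
	}
	return certs, nil
}

// BuildTLSConfig returns the tls.Config to use for discovery/JWKS requests. A nil RootCAs means
// crypto/tls falls back to the system roots, matching the documented "if omitted" behaviour.
func BuildTLSConfig(spec *TLSSpec) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if spec == nil || spec.CertificateAuthorityData == "" {
		return cfg, nil
	}
	certs, err := ParseCABundle(spec.CertificateAuthorityData)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	for _, c := range certs {
		pool.AddCert(c)
	}
	cfg.RootCAs = pool
	return cfg, nil
}

// newSelfSignedCA generates a throwaway CA certificate purely as constructed sample input.
func newSelfSignedCA() (certPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	certPEM, err := newSelfSignedCA()
	if err != nil {
		panic(err)
	}
	spec := &TLSSpec{CertificateAuthorityData: base64.StdEncoding.EncodeToString(certPEM)}
	cfg, err := BuildTLSConfig(spec)
	fmt.Println("custom roots configured:", err == nil && cfg.RootCAs != nil)
}
```

Rejecting a bundle that decodes to no certificates is the important check: x509.CertPool.AppendCertsFromPEM would simply report false, and a caller that ignores that result ends up with an empty pool, which makes every issuer connection fail rather than falling back to system roots.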