Documentation
Overview
Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authentication API.
Index
- Constants
- Variables
- func Resource(resource string) schema.GroupResource
- type CertificateAuthorityDataSourceKind
- type CertificateAuthorityDataSourceSpec
- type JWTAuthenticator
- type JWTAuthenticatorList
- type JWTAuthenticatorPhase
- type JWTAuthenticatorSpec
- type JWTAuthenticatorStatus
- type JWTTokenClaims
- type TLSSpec
- type WebhookAuthenticator
- type WebhookAuthenticatorList
- type WebhookAuthenticatorPhase
- type WebhookAuthenticatorSpec
- type WebhookAuthenticatorStatus
Constants
const (
	// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
	CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")

	// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
	// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
	CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
)
const GroupName = "authentication.concierge.pinniped.dev"
Variables
var (
	SchemeBuilder runtime.SchemeBuilder
	AddToScheme   = localSchemeBuilder.AddToScheme
)
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
SchemeGroupVersion is the group version used to register these objects.
Functions
func Resource
func Resource(resource string) schema.GroupResource
Resource takes an unqualified resource and returns a Group qualified GroupResource.
Types
type CertificateAuthorityDataSourceKind
type CertificateAuthorityDataSourceKind string
CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
+kubebuilder:validation:Enum=Secret;ConfigMap
type CertificateAuthorityDataSourceSpec
type CertificateAuthorityDataSourceSpec struct {
	// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
	// Allowed values are "Secret" or "ConfigMap".
	// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
	// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
	Kind CertificateAuthorityDataSourceKind `json:"kind"`

	// Name is the resource name of the secret or configmap from which to read the CA bundle.
	// The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
	// +kubebuilder:validation:MinLength=1
	Name string `json:"name"`

	// Key is the key name within the secret or configmap from which to read the CA bundle.
	// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
	// certificate bundle.
	// +kubebuilder:validation:MinLength=1
	Key string `json:"key"`
}
CertificateAuthorityDataSourceSpec provides a source for the CA bundle used for client-side TLS verification.
func (*CertificateAuthorityDataSourceSpec) DeepCopy
func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
func (*CertificateAuthorityDataSourceSpec) DeepCopyInto
func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type JWTAuthenticator
type JWTAuthenticator struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec for configuring the authenticator.
	Spec JWTAuthenticatorSpec `json:"spec"`

	// Status of the authenticator.
	Status JWTAuthenticatorStatus `json:"status,omitempty"`
}
JWTAuthenticator describes the configuration of a JWT authenticator.
Upon receiving a signed JWT, a JWTAuthenticator will perform some validation on it (e.g., valid signature, existence of claims, etc.) and extract the username and groups from the token.
+genclient
+genclient:nonNamespaced
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
+kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
+kubebuilder:printcolumn:name="Audience",type=string,JSONPath=`.spec.audience`
+kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
+kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+kubebuilder:subresource:status
func (*JWTAuthenticator) DeepCopy
func (in *JWTAuthenticator) DeepCopy() *JWTAuthenticator
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTAuthenticator.
func (*JWTAuthenticator) DeepCopyInto
func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*JWTAuthenticator) DeepCopyObject
func (in *JWTAuthenticator) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type JWTAuthenticatorList
type JWTAuthenticatorList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []JWTAuthenticator `json:"items"`
}
List of JWTAuthenticator objects.
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
func (*JWTAuthenticatorList) DeepCopy
func (in *JWTAuthenticatorList) DeepCopy() *JWTAuthenticatorList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTAuthenticatorList.
func (*JWTAuthenticatorList) DeepCopyInto
func (in *JWTAuthenticatorList) DeepCopyInto(out *JWTAuthenticatorList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*JWTAuthenticatorList) DeepCopyObject
func (in *JWTAuthenticatorList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type JWTAuthenticatorPhase
type JWTAuthenticatorPhase string
const (
	// JWTAuthenticatorPhasePending is the default phase for newly-created JWTAuthenticator resources.
	JWTAuthenticatorPhasePending JWTAuthenticatorPhase = "Pending"

	// JWTAuthenticatorPhaseReady is the phase for a JWTAuthenticator resource in a healthy state.
	JWTAuthenticatorPhaseReady JWTAuthenticatorPhase = "Ready"

	// JWTAuthenticatorPhaseError is the phase for a JWTAuthenticator in an unhealthy state.
	JWTAuthenticatorPhaseError JWTAuthenticatorPhase = "Error"
)
type JWTAuthenticatorSpec
type JWTAuthenticatorSpec struct {
	// Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is
	// also used to validate the "iss" JWT claim.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Pattern=`^https://`
	Issuer string `json:"issuer"`

	// Audience is the required value of the "aud" JWT claim.
	// +kubebuilder:validation:MinLength=1
	Audience string `json:"audience"`

	// Claims allows customization of the claims that will be mapped to user identity
	// for Kubernetes access.
	// +optional
	Claims JWTTokenClaims `json:"claims"`

	// TLS configuration for communicating with the OIDC provider.
	// +optional
	TLS *TLSSpec `json:"tls,omitempty"`
}
Spec for configuring a JWT authenticator.
func (*JWTAuthenticatorSpec) DeepCopy
func (in *JWTAuthenticatorSpec) DeepCopy() *JWTAuthenticatorSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTAuthenticatorSpec.
func (*JWTAuthenticatorSpec) DeepCopyInto
func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type JWTAuthenticatorStatus
type JWTAuthenticatorStatus struct {
	// Represents the observations of the authenticator's current state.
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`

	// Phase summarizes the overall status of the JWTAuthenticator.
	// +kubebuilder:default=Pending
	// +kubebuilder:validation:Enum=Pending;Ready;Error
	Phase JWTAuthenticatorPhase `json:"phase,omitempty"`
}
Status of a JWT authenticator.
func (*JWTAuthenticatorStatus) DeepCopy
func (in *JWTAuthenticatorStatus) DeepCopy() *JWTAuthenticatorStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTAuthenticatorStatus.
func (*JWTAuthenticatorStatus) DeepCopyInto
func (in *JWTAuthenticatorStatus) DeepCopyInto(out *JWTAuthenticatorStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type JWTTokenClaims
type JWTTokenClaims struct {
	// Groups is the name of the claim which should be read to extract the user's
	// group membership from the JWT token. When not specified, it will default to "groups".
	// +optional
	Groups string `json:"groups"`

	// Username is the name of the claim which should be read to extract the
	// username from the JWT token. When not specified, it will default to "username".
	// +optional
	Username string `json:"username"`
}
JWTTokenClaims allows customization of the claims that will be mapped to user identity for Kubernetes access.
func (*JWTTokenClaims) DeepCopy
func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTTokenClaims.
func (*JWTTokenClaims) DeepCopyInto
func (in *JWTTokenClaims) DeepCopyInto(out *JWTTokenClaims)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type TLSSpec
type TLSSpec struct {
	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
	// +optional
	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`

	// Reference to a CA bundle in a secret or a configmap.
	// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
	// +optional
	CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
}
TLSSpec provides TLS configuration on various authenticators.
func (*TLSSpec) DeepCopy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSSpec.
func (*TLSSpec) DeepCopyInto
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
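Added example, not code from the Pinniped project: a stand-alone Go check that applies the rules stated above for JWTAuthenticatorSpec (issuer Pattern=`^https://`, audience MinLength=1), TLSSpec (certificateAuthorityData is a base64-encoded PEM bundle) and CertificateAuthorityDataSourceSpec (kind is Secret or ConfigMap, name and key non-empty) to values before they reach the API server; ValidateTLS applies unchanged to WebhookAuthenticatorSpec.TLS. CADataSource and TLSSpec here are assumed local mirrors of the API types, not the generated package, and the inputs in main are constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"strings"
)

// Assumed local mirrors of the v1alpha1 TLS fields (not the generated API package).
type CADataSource struct{ Kind, Name, Key string }
type TLSSpec struct {
	CertificateAuthorityData       string // base64-encoded PEM bundle, optional
	CertificateAuthorityDataSource *CADataSource
}

// ValidateTLS applies the TLSSpec and CertificateAuthorityDataSourceSpec rules; nil means system roots.
func ValidateTLS(t *TLSSpec) error {
	if t == nil {
		return nil
	}
	if t.CertificateAuthorityData != "" {
		raw, err := base64.StdEncoding.DecodeString(t.CertificateAuthorityData)
		if err != nil {
			return fmt.Errorf("certificateAuthorityData is not base64: %w", err)
		}
		if blk, _ := pem.Decode(raw); blk == nil || blk.Type != "CERTIFICATE" {
			return fmt.Errorf("certificateAuthorityData is not a PEM certificate bundle")
		}
	}
	if s := t.CertificateAuthorityDataSource; s != nil { // Enum=Secret;ConfigMap, MinLength=1 on name/key
		if (s.Kind != "Secret" && s.Kind != "ConfigMap") || s.Name == "" || s.Key == "" {
			return fmt.Errorf("invalid certificateAuthorityDataSource %+v", *s)
		}
	}
	return nil
}

// ValidateJWTAuthenticatorSpec mirrors the issuer Pattern=^https:// and audience MinLength=1 markers.
func ValidateJWTAuthenticatorSpec(issuer, audience string, tls *TLSSpec) error {
	if !strings.HasPrefix(issuer, "https://") || audience == "" {
		return fmt.Errorf("issuer %q must start with https:// and audience must be set", issuer)
	}
	return ValidateTLS(tls)
}

func main() {
	// Constructed input: a plain-http issuer must be rejected.
	fmt.Println(ValidateJWTAuthenticatorSpec("http://issuer.example.com", "my-aud", nil))
}
```

pem.Decode checks only PEM framing; a stricter check would x509-parse every block of the bundle.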
type WebhookAuthenticator
type WebhookAuthenticator struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec for configuring the authenticator.
	Spec WebhookAuthenticatorSpec `json:"spec"`

	// Status of the authenticator.
	Status WebhookAuthenticatorStatus `json:"status,omitempty"`
}
WebhookAuthenticator describes the configuration of a webhook authenticator.
+genclient
+genclient:nonNamespaced
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
+kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
+kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
+kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+kubebuilder:subresource:status
func (*WebhookAuthenticator) DeepCopy
func (in *WebhookAuthenticator) DeepCopy() *WebhookAuthenticator
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticator.
func (*WebhookAuthenticator) DeepCopyInto
func (in *WebhookAuthenticator) DeepCopyInto(out *WebhookAuthenticator)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*WebhookAuthenticator) DeepCopyObject
func (in *WebhookAuthenticator) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type WebhookAuthenticatorList
type WebhookAuthenticatorList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []WebhookAuthenticator `json:"items"`
}
List of WebhookAuthenticator objects.
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
func (*WebhookAuthenticatorList) DeepCopy
func (in *WebhookAuthenticatorList) DeepCopy() *WebhookAuthenticatorList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticatorList.
func (*WebhookAuthenticatorList) DeepCopyInto
func (in *WebhookAuthenticatorList) DeepCopyInto(out *WebhookAuthenticatorList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*WebhookAuthenticatorList) DeepCopyObject
func (in *WebhookAuthenticatorList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type WebhookAuthenticatorPhase
type WebhookAuthenticatorPhase string
const (
	// WebhookAuthenticatorPhasePending is the default phase for newly-created WebhookAuthenticator resources.
	WebhookAuthenticatorPhasePending WebhookAuthenticatorPhase = "Pending"

	// WebhookAuthenticatorPhaseReady is the phase for a WebhookAuthenticator resource in a healthy state.
	WebhookAuthenticatorPhaseReady WebhookAuthenticatorPhase = "Ready"

	// WebhookAuthenticatorPhaseError is the phase for a WebhookAuthenticator in an unhealthy state.
	WebhookAuthenticatorPhaseError WebhookAuthenticatorPhase = "Error"
)
type WebhookAuthenticatorSpec
type WebhookAuthenticatorSpec struct {
	// Webhook server endpoint URL.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Pattern=`^https://`
	Endpoint string `json:"endpoint"`

	// TLS configuration.
	// +optional
	TLS *TLSSpec `json:"tls,omitempty"`
}
Spec for configuring a webhook authenticator.
func (*WebhookAuthenticatorSpec) DeepCopy
func (in *WebhookAuthenticatorSpec) DeepCopy() *WebhookAuthenticatorSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticatorSpec.
func (*WebhookAuthenticatorSpec) DeepCopyInto
func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type WebhookAuthenticatorStatus
type WebhookAuthenticatorStatus struct {
	// Represents the observations of the authenticator's current state.
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`

	// Phase summarizes the overall status of the WebhookAuthenticator.
	// +kubebuilder:default=Pending
	// +kubebuilder:validation:Enum=Pending;Ready;Error
	Phase WebhookAuthenticatorPhase `json:"phase,omitempty"`
}
Status of a webhook authenticator.
func (*WebhookAuthenticatorStatus) DeepCopy
func (in *WebhookAuthenticatorStatus) DeepCopy() *WebhookAuthenticatorStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticatorStatus.
func (*WebhookAuthenticatorStatus) DeepCopyInto
func (in *WebhookAuthenticatorStatus) DeepCopyInto(out *WebhookAuthenticatorStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.