v1alpha1

package v0.0.0-...-acbe9ce
Published: Dec 13, 2024 License: Apache-2.0 Imports: 3 Imported by: 7

Documentation

Overview

Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authentication API.

Constants

const (
	// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
	CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")

	// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
	// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
	CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
)
const GroupName = "authentication.concierge.pinniped.dev"

Variables

var (
	SchemeBuilder runtime.SchemeBuilder

	AddToScheme = localSchemeBuilder.AddToScheme
)
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}

SchemeGroupVersion is the group version used to register these objects.

Functions

func Resource

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource and returns a Group qualified GroupResource.

Types

type CertificateAuthorityDataSourceKind

type CertificateAuthorityDataSourceKind string

CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.

+kubebuilder:validation:Enum=Secret;ConfigMap

type CertificateAuthorityDataSourceSpec

type CertificateAuthorityDataSourceSpec struct {
	// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
	// Allowed values are "Secret" or "ConfigMap".
	// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
	// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
	Kind CertificateAuthorityDataSourceKind `json:"kind"`
	// Name is the resource name of the secret or configmap from which to read the CA bundle.
	// The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
	// +kubebuilder:validation:MinLength=1
	Name string `json:"name"`
	// Key is the key name within the secret or configmap from which to read the CA bundle.
	// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
	// certificate bundle.
	// +kubebuilder:validation:MinLength=1
	Key string `json:"key"`
}

CertificateAuthorityDataSourceSpec provides a source for the CA bundle used for client-side TLS verification.

func (*CertificateAuthorityDataSourceSpec) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.

func (*CertificateAuthorityDataSourceSpec) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type JWTAuthenticator

type JWTAuthenticator struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec for configuring the authenticator.
	Spec JWTAuthenticatorSpec `json:"spec"`

	// Status of the authenticator.
	Status JWTAuthenticatorStatus `json:"status,omitempty"`
}

JWTAuthenticator describes the configuration of a JWT authenticator.

Upon receiving a signed JWT, a JWTAuthenticator will perform some validation on it (e.g., valid signature, existence of claims, etc.) and extract the username and groups from the token.

+genclient
+genclient:nonNamespaced
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
+kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
+kubebuilder:printcolumn:name="Audience",type=string,JSONPath=`.spec.audience`
+kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
+kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+kubebuilder:subresource:status

func (*JWTAuthenticator) DeepCopy

func (in *JWTAuthenticator) DeepCopy() *JWTAuthenticator

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTAuthenticator.

func (*JWTAuthenticator) DeepCopyInto

func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*JWTAuthenticator) DeepCopyObject

func (in *JWTAuthenticator) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type JWTAuthenticatorList

type JWTAuthenticatorList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	Items []JWTAuthenticator `json:"items"`
}

List of JWTAuthenticator objects.

+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

func (*JWTAuthenticatorList) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTAuthenticatorList.

func (*JWTAuthenticatorList) DeepCopyInto

func (in *JWTAuthenticatorList) DeepCopyInto(out *JWTAuthenticatorList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*JWTAuthenticatorList) DeepCopyObject

func (in *JWTAuthenticatorList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type JWTAuthenticatorPhase

type JWTAuthenticatorPhase string
const (
	// JWTAuthenticatorPhasePending is the default phase for newly-created JWTAuthenticator resources.
	JWTAuthenticatorPhasePending JWTAuthenticatorPhase = "Pending"

	// JWTAuthenticatorPhaseReady is the phase for a JWTAuthenticator resource in a healthy state.
	JWTAuthenticatorPhaseReady JWTAuthenticatorPhase = "Ready"

	// JWTAuthenticatorPhaseError is the phase for a JWTAuthenticator in an unhealthy state.
	JWTAuthenticatorPhaseError JWTAuthenticatorPhase = "Error"
)

type JWTAuthenticatorSpec

type JWTAuthenticatorSpec struct {
	// Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is
	// also used to validate the "iss" JWT claim.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Pattern=`^https://`
	Issuer string `json:"issuer"`

	// Audience is the required value of the "aud" JWT claim.
	// +kubebuilder:validation:MinLength=1
	Audience string `json:"audience"`

	// Claims allows customization of the claims that will be mapped to user identity
	// for Kubernetes access.
	// +optional
	Claims JWTTokenClaims `json:"claims"`

	// TLS configuration for communicating with the OIDC provider.
	// +optional
	TLS *TLSSpec `json:"tls,omitempty"`
}

Spec for configuring a JWT authenticator.

func (*JWTAuthenticatorSpec) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTAuthenticatorSpec.

func (*JWTAuthenticatorSpec) DeepCopyInto

func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type JWTAuthenticatorStatus

type JWTAuthenticatorStatus struct {
	// Represents the observations of the authenticator's current state.
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
	// Phase summarizes the overall status of the JWTAuthenticator.
	// +kubebuilder:default=Pending
	// +kubebuilder:validation:Enum=Pending;Ready;Error
	Phase JWTAuthenticatorPhase `json:"phase,omitempty"`
}

Status of a JWT authenticator.

func (*JWTAuthenticatorStatus) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTAuthenticatorStatus.

func (*JWTAuthenticatorStatus) DeepCopyInto

func (in *JWTAuthenticatorStatus) DeepCopyInto(out *JWTAuthenticatorStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type JWTTokenClaims

type JWTTokenClaims struct {
	// Groups is the name of the claim which should be read to extract the user's
	// group membership from the JWT token. When not specified, it will default to "groups".
	// +optional
	Groups string `json:"groups"`

	// Username is the name of the claim which should be read to extract the
	// username from the JWT token. When not specified, it will default to "username".
	// +optional
	Username string `json:"username"`
}

JWTTokenClaims allows customization of the claims that will be mapped to user identity for Kubernetes access.

func (*JWTTokenClaims) DeepCopy

func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTTokenClaims.

func (*JWTTokenClaims) DeepCopyInto

func (in *JWTTokenClaims) DeepCopyInto(out *JWTTokenClaims)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type TLSSpec

type TLSSpec struct {
	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
	// +optional
	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
	// Reference to a CA bundle in a secret or a configmap.
	// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
	// +optional
	CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
}

TLSSpec provides TLS configuration on various authenticators.
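As an added example (not the Pinniped package's own code), the check a controller would apply to the certificateAuthorityData field above, which is the same rule stated for the value behind a CertificateAuthorityDataSourceSpec key: base64-wrapped PEM that is non-empty and parses to certificates, with an omitted field falling back to system roots. The names loadCABundle and constructedCABundle are assumptions, and the self-signed CA is constructed sample input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// loadCABundle applies the documented rule for certificateAuthorityData (and the
// value a certificateAuthorityDataSource key must hold): base64-wrapped PEM that
// parses to at least one certificate. An empty field means "use system roots" and
// yields a nil pool. Added example with assumed names, not the project's own API.
func loadCABundle(b64 string) (*x509.CertPool, int, error) {
	if b64 == "" {
		return nil, 0, nil // omitted: trust the default system roots
	}
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, 0, fmt.Errorf("certificateAuthorityData is not base64: %w", err)
	}
	pool, n := x509.NewCertPool(), 0
	for b, rest := pem.Decode(raw); b != nil; b, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(b.Bytes)
		if b.Type != "CERTIFICATE" || err != nil {
			return nil, 0, fmt.Errorf("invalid PEM block %q in CA bundle", b.Type)
		}
		pool.AddCert(cert) // only parseable CERTIFICATE blocks reach the trust pool
		n++
	}
	if n == 0 {
		return nil, 0, fmt.Errorf("decoded %d bytes but found no PEM certificate", len(raw))
	}
	return pool, n, nil
}
// constructedCABundle builds a throwaway self-signed CA (constructed sample
// input, valid for one hour) and encodes it the way the field expects.
func constructedCABundle() string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "sample-ca"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}
```

A bundle that decodes but contains a private-key block or no certificate at all is rejected rather than silently producing an empty trust pool.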

func (*TLSSpec) DeepCopy

func (in *TLSSpec) DeepCopy() *TLSSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSSpec.

func (*TLSSpec) DeepCopyInto

func (in *TLSSpec) DeepCopyInto(out *TLSSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type WebhookAuthenticator

type WebhookAuthenticator struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec for configuring the authenticator.
	Spec WebhookAuthenticatorSpec `json:"spec"`

	// Status of the authenticator.
	Status WebhookAuthenticatorStatus `json:"status,omitempty"`
}

WebhookAuthenticator describes the configuration of a webhook authenticator.

+genclient
+genclient:nonNamespaced
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
+kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
+kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
+kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+kubebuilder:subresource:status

func (*WebhookAuthenticator) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticator.

func (*WebhookAuthenticator) DeepCopyInto

func (in *WebhookAuthenticator) DeepCopyInto(out *WebhookAuthenticator)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*WebhookAuthenticator) DeepCopyObject

func (in *WebhookAuthenticator) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type WebhookAuthenticatorList

type WebhookAuthenticatorList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	Items []WebhookAuthenticator `json:"items"`
}

List of WebhookAuthenticator objects.

+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

func (*WebhookAuthenticatorList) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticatorList.

func (*WebhookAuthenticatorList) DeepCopyInto

func (in *WebhookAuthenticatorList) DeepCopyInto(out *WebhookAuthenticatorList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*WebhookAuthenticatorList) DeepCopyObject

func (in *WebhookAuthenticatorList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type WebhookAuthenticatorPhase

type WebhookAuthenticatorPhase string
const (
	// WebhookAuthenticatorPhasePending is the default phase for newly-created WebhookAuthenticator resources.
	WebhookAuthenticatorPhasePending WebhookAuthenticatorPhase = "Pending"

	// WebhookAuthenticatorPhaseReady is the phase for a WebhookAuthenticator resource in a healthy state.
	WebhookAuthenticatorPhaseReady WebhookAuthenticatorPhase = "Ready"

	// WebhookAuthenticatorPhaseError is the phase for a WebhookAuthenticator in an unhealthy state.
	WebhookAuthenticatorPhaseError WebhookAuthenticatorPhase = "Error"
)

type WebhookAuthenticatorSpec

type WebhookAuthenticatorSpec struct {
	// Webhook server endpoint URL.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Pattern=`^https://`
	Endpoint string `json:"endpoint"`

	// TLS configuration.
	// +optional
	TLS *TLSSpec `json:"tls,omitempty"`
}

Spec for configuring a webhook authenticator.

func (*WebhookAuthenticatorSpec) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticatorSpec.

func (*WebhookAuthenticatorSpec) DeepCopyInto

func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type WebhookAuthenticatorStatus

type WebhookAuthenticatorStatus struct {
	// Represents the observations of the authenticator's current state.
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
	// Phase summarizes the overall status of the WebhookAuthenticator.
	// +kubebuilder:default=Pending
	// +kubebuilder:validation:Enum=Pending;Ready;Error
	Phase WebhookAuthenticatorPhase `json:"phase,omitempty"`
}

Status of a webhook authenticator.

func (*WebhookAuthenticatorStatus) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookAuthenticatorStatus.

func (*WebhookAuthenticatorStatus) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
