Documentation ¶
Overview ¶
Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration API.
Index ¶
- Constants
- Variables
- func Resource(resource string) schema.GroupResource
- type CredentialIssuer
- type CredentialIssuerFrontend
- type CredentialIssuerKubeConfigInfo
- type CredentialIssuerList
- type CredentialIssuerSpec
- type CredentialIssuerStatus
- type CredentialIssuerStrategy
- type FrontendType
- type ImpersonationProxyInfo
- type ImpersonationProxyMode
- type ImpersonationProxyServiceSpec
- type ImpersonationProxyServiceType
- type ImpersonationProxySpec
- type ImpersonationProxyTLSSpec
- type StrategyReason
- type StrategyStatus
- type StrategyType
- type TokenCredentialRequestAPIInfo
Constants ¶
const (
	KubeClusterSigningCertificateStrategyType = StrategyType("KubeClusterSigningCertificate")
	ImpersonationProxyStrategyType = StrategyType("ImpersonationProxy")

	TokenCredentialRequestAPIFrontendType = FrontendType("TokenCredentialRequestAPI")
	ImpersonationProxyFrontendType = FrontendType("ImpersonationProxy")

	SuccessStrategyStatus = StrategyStatus("Success")
	ErrorStrategyStatus = StrategyStatus("Error")

	ListeningStrategyReason = StrategyReason("Listening")
	PendingStrategyReason = StrategyReason("Pending")
	DisabledStrategyReason = StrategyReason("Disabled")
	ErrorDuringSetupStrategyReason = StrategyReason("ErrorDuringSetup")
	CouldNotFetchKeyStrategyReason = StrategyReason("CouldNotFetchKey")
	CouldNotGetClusterInfoStrategyReason = StrategyReason("CouldNotGetClusterInfo")
	FetchedKeyStrategyReason = StrategyReason("FetchedKey")
)
const (
	// ImpersonationProxyModeDisabled explicitly disables the impersonation proxy.
	ImpersonationProxyModeDisabled = ImpersonationProxyMode("disabled")

	// ImpersonationProxyModeEnabled explicitly enables the impersonation proxy.
	ImpersonationProxyModeEnabled = ImpersonationProxyMode("enabled")

	// ImpersonationProxyModeAuto enables or disables the impersonation proxy based upon the cluster in which it is running.
	ImpersonationProxyModeAuto = ImpersonationProxyMode("auto")
)
const (
	// ImpersonationProxyServiceTypeLoadBalancer provisions a service of type LoadBalancer.
	ImpersonationProxyServiceTypeLoadBalancer = ImpersonationProxyServiceType("LoadBalancer")

	// ImpersonationProxyServiceTypeClusterIP provisions a service of type ClusterIP.
	ImpersonationProxyServiceTypeClusterIP = ImpersonationProxyServiceType("ClusterIP")

	// ImpersonationProxyServiceTypeNone does not automatically provision any service.
	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
)
const GroupName = "config.concierge.pinniped.dev"
Variables ¶
var (
	SchemeBuilder runtime.SchemeBuilder
	AddToScheme = localSchemeBuilder.AddToScheme
)
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
SchemeGroupVersion is the group version used to register these objects.
Functions ¶
func Resource ¶
func Resource(resource string) schema.GroupResource
Resource takes an unqualified resource and returns a group-qualified GroupResource.
Types ¶
type CredentialIssuer ¶
type CredentialIssuer struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec describes the intended configuration of the Concierge.
	//
	// +optional
	Spec CredentialIssuerSpec `json:"spec"`

	// CredentialIssuerStatus describes the status of the Concierge.
	//
	// +optional
	Status CredentialIssuerStatus `json:"status"`
}
CredentialIssuer describes the configuration and status of the Pinniped Concierge credential issuer.
+genclient
+genclient:nonNamespaced
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+kubebuilder:resource:categories=pinniped,scope=Cluster
+kubebuilder:printcolumn:name="ProxyMode",type=string,JSONPath=`.spec.impersonationProxy.mode`
+kubebuilder:printcolumn:name="DefaultStrategy",type=string,JSONPath=`.status.strategies[?(@.status == "Success")].type`
+kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+kubebuilder:subresource:status
func (*CredentialIssuer) DeepCopy ¶
func (in *CredentialIssuer) DeepCopy() *CredentialIssuer
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuer.
func (*CredentialIssuer) DeepCopyInto ¶
func (in *CredentialIssuer) DeepCopyInto(out *CredentialIssuer)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CredentialIssuer) DeepCopyObject ¶
func (in *CredentialIssuer) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CredentialIssuerFrontend ¶
type CredentialIssuerFrontend struct {
	// Type describes which frontend mechanism clients can use with a strategy.
	Type FrontendType `json:"type"`

	// TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge.
	// This field is only set when Type is "TokenCredentialRequestAPI".
	TokenCredentialRequestAPIInfo *TokenCredentialRequestAPIInfo `json:"tokenCredentialRequestInfo,omitempty"`

	// ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge.
	// This field is only set when Type is "ImpersonationProxy".
	ImpersonationProxyInfo *ImpersonationProxyInfo `json:"impersonationProxyInfo,omitempty"`
}
CredentialIssuerFrontend describes how to connect using a particular integration strategy.
func (*CredentialIssuerFrontend) DeepCopy ¶
func (in *CredentialIssuerFrontend) DeepCopy() *CredentialIssuerFrontend
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerFrontend.
func (*CredentialIssuerFrontend) DeepCopyInto ¶
func (in *CredentialIssuerFrontend) DeepCopyInto(out *CredentialIssuerFrontend)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CredentialIssuerKubeConfigInfo ¶
type CredentialIssuerKubeConfigInfo struct {
	// The K8s API server URL.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Pattern=`^https://|^http://`
	Server string `json:"server"`

	// The K8s API server CA bundle.
	// +kubebuilder:validation:MinLength=1
	CertificateAuthorityData string `json:"certificateAuthorityData"`
}
CredentialIssuerKubeConfigInfo provides the information needed to form a valid Pinniped-based kubeconfig using this credential issuer. This type is deprecated and will be removed in a future version.
func (*CredentialIssuerKubeConfigInfo) DeepCopy ¶
func (in *CredentialIssuerKubeConfigInfo) DeepCopy() *CredentialIssuerKubeConfigInfo
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerKubeConfigInfo.
func (*CredentialIssuerKubeConfigInfo) DeepCopyInto ¶
func (in *CredentialIssuerKubeConfigInfo) DeepCopyInto(out *CredentialIssuerKubeConfigInfo)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CredentialIssuerList ¶
type CredentialIssuerList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	Items []CredentialIssuer `json:"items"`
}
CredentialIssuerList is a list of CredentialIssuer objects.
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
func (*CredentialIssuerList) DeepCopy ¶
func (in *CredentialIssuerList) DeepCopy() *CredentialIssuerList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerList.
func (*CredentialIssuerList) DeepCopyInto ¶
func (in *CredentialIssuerList) DeepCopyInto(out *CredentialIssuerList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CredentialIssuerList) DeepCopyObject ¶
func (in *CredentialIssuerList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CredentialIssuerSpec ¶
type CredentialIssuerSpec struct {
	// ImpersonationProxy describes the intended configuration of the Concierge impersonation proxy.
	ImpersonationProxy *ImpersonationProxySpec `json:"impersonationProxy"`
}
CredentialIssuerSpec describes the intended configuration of the Concierge.
func (*CredentialIssuerSpec) DeepCopy ¶
func (in *CredentialIssuerSpec) DeepCopy() *CredentialIssuerSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerSpec.
func (*CredentialIssuerSpec) DeepCopyInto ¶
func (in *CredentialIssuerSpec) DeepCopyInto(out *CredentialIssuerSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CredentialIssuerStatus ¶
type CredentialIssuerStatus struct {
	// List of integration strategies that were attempted by Pinniped.
	Strategies []CredentialIssuerStrategy `json:"strategies"`

	// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
	// This field is deprecated and will be removed in a future version.
	// +optional
	KubeConfigInfo *CredentialIssuerKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
}
CredentialIssuerStatus describes the status of the Concierge.
func (*CredentialIssuerStatus) DeepCopy ¶
func (in *CredentialIssuerStatus) DeepCopy() *CredentialIssuerStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerStatus.
func (*CredentialIssuerStatus) DeepCopyInto ¶
func (in *CredentialIssuerStatus) DeepCopyInto(out *CredentialIssuerStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CredentialIssuerStrategy ¶
type CredentialIssuerStrategy struct {
	// Type of integration attempted.
	Type StrategyType `json:"type"`

	// Status of the attempted integration strategy.
	Status StrategyStatus `json:"status"`

	// Reason for the current status.
	Reason StrategyReason `json:"reason"`

	// Human-readable description of the current status.
	// +kubebuilder:validation:MinLength=1
	Message string `json:"message"`

	// When the status was last checked.
	LastUpdateTime metav1.Time `json:"lastUpdateTime"`

	// Frontend describes how clients can connect using this strategy.
	Frontend *CredentialIssuerFrontend `json:"frontend,omitempty"`
}
CredentialIssuerStrategy describes the status of an integration strategy that was attempted by Pinniped.
func (*CredentialIssuerStrategy) DeepCopy ¶
func (in *CredentialIssuerStrategy) DeepCopy() *CredentialIssuerStrategy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerStrategy.
func (*CredentialIssuerStrategy) DeepCopyInto ¶
func (in *CredentialIssuerStrategy) DeepCopyInto(out *CredentialIssuerStrategy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FrontendType ¶
type FrontendType string
FrontendType enumerates a type of "frontend" used to provide access to users of a cluster.
+kubebuilder:validation:Enum=TokenCredentialRequestAPI;ImpersonationProxy
type ImpersonationProxyInfo ¶
type ImpersonationProxyInfo struct {
	// Endpoint is the HTTPS endpoint of the impersonation proxy.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Pattern=`^https://`
	Endpoint string `json:"endpoint"`

	// CertificateAuthorityData is the base64-encoded PEM CA bundle of the impersonation proxy.
	// +kubebuilder:validation:MinLength=1
	CertificateAuthorityData string `json:"certificateAuthorityData"`
}
ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge.
func (*ImpersonationProxyInfo) DeepCopy ¶
func (in *ImpersonationProxyInfo) DeepCopy() *ImpersonationProxyInfo
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyInfo.
func (*ImpersonationProxyInfo) DeepCopyInto ¶
func (in *ImpersonationProxyInfo) DeepCopyInto(out *ImpersonationProxyInfo)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ImpersonationProxyMode ¶
type ImpersonationProxyMode string
ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy. Allowed values are "auto", "enabled", or "disabled".
+kubebuilder:validation:Enum=auto;enabled;disabled
type ImpersonationProxyServiceSpec ¶
type ImpersonationProxyServiceSpec struct {
	// Type specifies the type of Service to provision for the impersonation proxy.
	//
	// If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty
	// value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status.
	//
	// +kubebuilder:default:="LoadBalancer"
	Type ImpersonationProxyServiceType `json:"type,omitempty"`

	// LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service.
	// This is not supported on all cloud providers.
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=255
	// +optional
	LoadBalancerIP string `json:"loadBalancerIP,omitempty"`

	// Annotations specifies zero or more key/value pairs to set as annotations on the provisioned Service.
	//
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`
}
ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.
func (*ImpersonationProxyServiceSpec) DeepCopy ¶
func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyServiceSpec.
func (*ImpersonationProxyServiceSpec) DeepCopyInto ¶
func (in *ImpersonationProxyServiceSpec) DeepCopyInto(out *ImpersonationProxyServiceSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ImpersonationProxyServiceType ¶
type ImpersonationProxyServiceType string
ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy. Allowed values are "LoadBalancer", "ClusterIP", or "None".
+kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None
type ImpersonationProxySpec ¶
type ImpersonationProxySpec struct {
	// Mode configures whether the impersonation proxy should be started:
	// - "disabled" explicitly disables the impersonation proxy. This is the default.
	// - "enabled" explicitly enables the impersonation proxy.
	// - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running.
	Mode ImpersonationProxyMode `json:"mode"`

	// Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
	//
	// +kubebuilder:default:={"type": "LoadBalancer"}
	Service ImpersonationProxyServiceSpec `json:"service"`

	// ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will
	// be served using the external name of the LoadBalancer service or the cluster service DNS name.
	//
	// This field must be non-empty when spec.impersonationProxy.service.type is "None".
	//
	// +optional
	ExternalEndpoint string `json:"externalEndpoint,omitempty"`

	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
	//
	// If this field is empty, the impersonation proxy will generate its own TLS certificate.
	//
	// +optional
	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
}
ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
func (*ImpersonationProxySpec) DeepCopy ¶
func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxySpec.
func (*ImpersonationProxySpec) DeepCopyInto ¶
func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
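The rule that `externalEndpoint` must be non-empty when `service.type` is "None" appears only in field comments, so it is worth checking before a manifest is applied. The linter below is an added example, not code from the Pinniped project: `LintProxySpec`, the local `proxySpec` mirror type and the sample manifest are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Local mirror of spec.impersonationProxy, keyed by the JSON tags on the page.
type proxySpec struct {
	Mode    string `json:"mode"`
	Service struct {
		Type string `json:"type"`
	} `json:"service"`
	ExternalEndpoint string `json:"externalEndpoint"`
}

// LintProxySpec (hypothetical helper) parses a CredentialIssuer manifest and
// returns every documented rule its impersonation proxy spec breaks.
func LintProxySpec(manifest []byte) ([]string, error) {
	var ci struct {
		Spec struct {
			ImpersonationProxy *proxySpec `json:"impersonationProxy"`
		} `json:"spec"`
	}
	if err := json.Unmarshal(manifest, &ci); err != nil {
		return nil, err
	}
	p := ci.Spec.ImpersonationProxy
	if p == nil {
		return nil, nil // nothing to lint
	}
	var out []string
	switch p.Mode {
	case "", "auto", "enabled", "disabled": // an omitted mode is left to the documented default
	default:
		out = append(out, fmt.Sprintf("mode %q is not auto, enabled or disabled", p.Mode))
	}
	svc := p.Service.Type
	if svc == "" {
		svc = "LoadBalancer" // the +kubebuilder:default shown on the page
	}
	switch svc {
	case "LoadBalancer", "ClusterIP":
	case "None":
		// Cross-field rule: stated in the field comments, not in a per-field marker.
		if p.ExternalEndpoint == "" {
			out = append(out, `service.type "None" requires a non-empty externalEndpoint`)
		}
	default:
		out = append(out, fmt.Sprintf("service.type %q is not LoadBalancer, ClusterIP or None", svc))
	}
	return out, nil
}

// Constructed manifest: no Service is provisioned and no endpoint is given.
const sampleBad = `{"spec":{"impersonationProxy":{"mode":"enabled","service":{"type":"None"}}}}`

func main() { fmt.Println(LintProxySpec([]byte(sampleBad))) }
```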
type ImpersonationProxyTLSSpec ¶
type ImpersonationProxyTLSSpec struct {
	// X.509 Certificate Authority (base64-encoded PEM bundle).
	// Used to advertise the CA bundle for the impersonation proxy endpoint.
	//
	// +optional
	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`

	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
	//
	// +kubebuilder:validation:MinLength=1
	SecretName string `json:"secretName,omitempty"`
}
ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS.
If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData.
If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint.
func (*ImpersonationProxyTLSSpec) DeepCopy ¶
func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec.
func (*ImpersonationProxyTLSSpec) DeepCopyInto ¶
func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type StrategyReason ¶
type StrategyReason string
StrategyReason enumerates the detailed reason why a strategy is in a particular status.
+kubebuilder:validation:Enum=Listening;Pending;Disabled;ErrorDuringSetup;CouldNotFetchKey;CouldNotGetClusterInfo;FetchedKey
type StrategyStatus ¶
type StrategyStatus string
StrategyStatus enumerates whether a strategy is working on a cluster.
+kubebuilder:validation:Enum=Success;Error
type StrategyType ¶
type StrategyType string
StrategyType enumerates a type of "strategy" used to implement credential access on a cluster.
+kubebuilder:validation:Enum=KubeClusterSigningCertificate;ImpersonationProxy
type TokenCredentialRequestAPIInfo ¶
type TokenCredentialRequestAPIInfo struct {
	// Server is the Kubernetes API server URL.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Pattern=`^https://|^http://`
	Server string `json:"server"`

	// CertificateAuthorityData is the base64-encoded Kubernetes API server CA bundle.
	// +kubebuilder:validation:MinLength=1
	CertificateAuthorityData string `json:"certificateAuthorityData"`
}
TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge.
func (*TokenCredentialRequestAPIInfo) DeepCopy ¶
func (in *TokenCredentialRequestAPIInfo) DeepCopy() *TokenCredentialRequestAPIInfo
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequestAPIInfo.
func (*TokenCredentialRequestAPIInfo) DeepCopyInto ¶
func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
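A client reading CredentialIssuer status has to pick a strategy and decide whether its frontend is safe to use. The `Server` pattern above admits `http://` while `Endpoint` requires `https://`, and the frontend's JSON tag is `tokenCredentialRequestInfo`. The selector below is an added example, not code from the Pinniped project: `PickFrontend`, `Sample`, the local mirror types and the `example.test` hosts are assumptions, and the sample CA is a constructed placeholder PEM block rather than a real certificate.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"strings"
)

// Local mirrors of the page's status types; untagged fields match JSON keys case-insensitively.
type connInfo struct {
	Server, Endpoint string // Server: TokenCredentialRequestAPIInfo, Endpoint: ImpersonationProxyInfo
	CA               string `json:"certificateAuthorityData"`
}
type strategy struct {
	Status   string
	Frontend *struct {
		Type  string
		TCR   *connInfo `json:"tokenCredentialRequestInfo"` // the tag has no "API"
		Proxy *connInfo `json:"impersonationProxyInfo"`
	}
}

// PickFrontend (hypothetical helper) returns the URL and PEM CA bundle of the first usable strategy.
func PickFrontend(raw []byte) (string, string, error) {
	var ci struct{ Status struct{ Strategies []strategy } }
	if err := json.Unmarshal(raw, &ci); err != nil {
		return "", "", err
	}
	for _, s := range ci.Status.Strategies {
		f, u, info := s.Frontend, "", (*connInfo)(nil)
		switch {
		case s.Status != "Success" || f == nil: // failed, or nothing advertised
		case f.Type == "TokenCredentialRequestAPI" && f.TCR != nil:
			u, info = f.TCR.Server, f.TCR
		case f.Type == "ImpersonationProxy" && f.Proxy != nil:
			u, info = f.Proxy.Endpoint, f.Proxy
		}
		if info == nil || !strings.HasPrefix(u, "https://") {
			continue // also drops http://, which the Server pattern admits
		}
		bundle, err := base64.StdEncoding.DecodeString(info.CA)
		if blk, _ := pem.Decode(bundle); err == nil && blk != nil && blk.Type == "CERTIFICATE" {
			return u, string(bundle), nil
		}
	}
	return "", "", fmt.Errorf("no usable strategy among %d", len(ci.Status.Strategies))
}

// Sample returns a constructed status; the CA is a placeholder PEM block, not a real certificate.
func Sample() []byte {
	ca := base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte("x")}))
	return []byte(fmt.Sprintf(`{"status":{"strategies":[{"status":"Error","reason":"CouldNotFetchKey"},
 {"status":"Success","frontend":{"type":"TokenCredentialRequestAPI","tokenCredentialRequestInfo":{"server":"http://api.example.test","certificateAuthorityData":%q}}},
 {"status":"Success","frontend":{"type":"ImpersonationProxy","impersonationProxyInfo":{"endpoint":"https://proxy.example.test","certificateAuthorityData":%q}}}]}}`, ca, ca))
}

func main() { fmt.Println(PickFrontend(Sample())) }
```

The check only confirms that the bundle is base64-encoded PEM with a CERTIFICATE block; it does not parse or validate the certificate itself.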