v1alpha1

package
v0.35.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 5, 2024 License: Apache-2.0 Imports: 3 Imported by: 2

Documentation

Overview

Package v1alpha1 is the v1alpha1 version of the Pinniped concierge configuration API.

Index

Constants

View Source 
const (
	KubeClusterSigningCertificateStrategyType = StrategyType("KubeClusterSigningCertificate")
	ImpersonationProxyStrategyType            = StrategyType("ImpersonationProxy")

	TokenCredentialRequestAPIFrontendType = FrontendType("TokenCredentialRequestAPI")
	ImpersonationProxyFrontendType        = FrontendType("ImpersonationProxy")

	SuccessStrategyStatus = StrategyStatus("Success")
	ErrorStrategyStatus   = StrategyStatus("Error")

	ListeningStrategyReason              = StrategyReason("Listening")
	PendingStrategyReason                = StrategyReason("Pending")
	DisabledStrategyReason               = StrategyReason("Disabled")
	ErrorDuringSetupStrategyReason       = StrategyReason("ErrorDuringSetup")
	CouldNotFetchKeyStrategyReason       = StrategyReason("CouldNotFetchKey")
	CouldNotGetClusterInfoStrategyReason = StrategyReason("CouldNotGetClusterInfo")
	FetchedKeyStrategyReason             = StrategyReason("FetchedKey")
)
View Source 
const (
	// ImpersonationProxyModeDisabled explicitly disables the impersonation proxy.
	ImpersonationProxyModeDisabled = ImpersonationProxyMode("disabled")

	// ImpersonationProxyModeEnabled explicitly enables the impersonation proxy.
	ImpersonationProxyModeEnabled = ImpersonationProxyMode("enabled")

	// ImpersonationProxyModeAuto enables or disables the impersonation proxy based upon the cluster in which it is running.
	ImpersonationProxyModeAuto = ImpersonationProxyMode("auto")
)
View Source 
const (
	// ImpersonationProxyServiceTypeLoadBalancer provisions a service of type LoadBalancer.
	ImpersonationProxyServiceTypeLoadBalancer = ImpersonationProxyServiceType("LoadBalancer")

	// ImpersonationProxyServiceTypeClusterIP provisions a service of type ClusterIP.
	ImpersonationProxyServiceTypeClusterIP = ImpersonationProxyServiceType("ClusterIP")

	// ImpersonationProxyServiceTypeNone does not automatically provision any service.
	ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
)
View Source 
const GroupName = "config.concierge.pinniped.dev"

Variables

View Source 
var (
	SchemeBuilder runtime.SchemeBuilder

	AddToScheme = localSchemeBuilder.AddToScheme
)
View Source 
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}

SchemeGroupVersion is group version used to register these objects.

Functions

func Resource 

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource and returns a Group qualified GroupResource.

Types

type CredentialIssuer 

type CredentialIssuer struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec describes the intended configuration of the Concierge.
	//
	// +optional
	Spec CredentialIssuerSpec `json:"spec"`

	// CredentialIssuerStatus describes the status of the Concierge.
	//
	// +optional
	Status CredentialIssuerStatus `json:"status"`
}

CredentialIssuer describes the configuration and status of the Pinniped Concierge credential issuer. +genclient +genclient:nonNamespaced +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +kubebuilder:resource:categories=pinniped,scope=Cluster +kubebuilder:printcolumn:name="ProxyMode",type=string,JSONPath=`.spec.impersonationProxy.mode` +kubebuilder:printcolumn:name="DefaultStrategy",type=string,JSONPath=`.status.strategies[?(@.status == "Success")].type` +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +kubebuilder:subresource:status

func (*CredentialIssuer) DeepCopy 

func (in *CredentialIssuer) DeepCopy() *CredentialIssuer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuer.

func (*CredentialIssuer) DeepCopyInto 

func (in *CredentialIssuer) DeepCopyInto(out *CredentialIssuer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CredentialIssuer) DeepCopyObject 

func (in *CredentialIssuer) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CredentialIssuerFrontend 

type CredentialIssuerFrontend struct {
	// Type describes which frontend mechanism clients can use with a strategy.
	Type FrontendType `json:"type"`

	// TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge.
	// This field is only set when Type is "TokenCredentialRequestAPI".
	TokenCredentialRequestAPIInfo *TokenCredentialRequestAPIInfo `json:"tokenCredentialRequestInfo,omitempty"`

	// ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge.
	// This field is only set when Type is "ImpersonationProxy".
	ImpersonationProxyInfo *ImpersonationProxyInfo `json:"impersonationProxyInfo,omitempty"`
}

CredentialIssuerFrontend describes how to connect using a particular integration strategy.

func (*CredentialIssuerFrontend) DeepCopy 

func (in *CredentialIssuerFrontend) DeepCopy() *CredentialIssuerFrontend

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerFrontend.

func (*CredentialIssuerFrontend) DeepCopyInto 

func (in *CredentialIssuerFrontend) DeepCopyInto(out *CredentialIssuerFrontend)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CredentialIssuerKubeConfigInfo 

type CredentialIssuerKubeConfigInfo struct {
	// The K8s API server URL.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Pattern=`^https://|^http://`
	Server string `json:"server"`

	// The K8s API server CA bundle.
	// +kubebuilder:validation:MinLength=1
	CertificateAuthorityData string `json:"certificateAuthorityData"`
}

CredentialIssuerKubeConfigInfo provides the information needed to form a valid Pinniped-based kubeconfig using this credential issuer. This type is deprecated and will be removed in a future version.

func (*CredentialIssuerKubeConfigInfo) DeepCopy 

func (in *CredentialIssuerKubeConfigInfo) DeepCopy() *CredentialIssuerKubeConfigInfo

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerKubeConfigInfo.

func (*CredentialIssuerKubeConfigInfo) DeepCopyInto 

func (in *CredentialIssuerKubeConfigInfo) DeepCopyInto(out *CredentialIssuerKubeConfigInfo)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CredentialIssuerList 

type CredentialIssuerList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	Items []CredentialIssuer `json:"items"`
}

CredentialIssuerList is a list of CredentialIssuer objects. +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

func (*CredentialIssuerList) DeepCopy 

func (in *CredentialIssuerList) DeepCopy() *CredentialIssuerList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerList.

func (*CredentialIssuerList) DeepCopyInto 

func (in *CredentialIssuerList) DeepCopyInto(out *CredentialIssuerList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CredentialIssuerList) DeepCopyObject 

func (in *CredentialIssuerList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CredentialIssuerSpec added in v0.9.0 

type CredentialIssuerSpec struct {
	// ImpersonationProxy describes the intended configuration of the Concierge impersonation proxy.
	ImpersonationProxy *ImpersonationProxySpec `json:"impersonationProxy"`
}

CredentialIssuerSpec describes the intended configuration of the Concierge.

func (*CredentialIssuerSpec) DeepCopy added in v0.9.0 

func (in *CredentialIssuerSpec) DeepCopy() *CredentialIssuerSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerSpec.

func (*CredentialIssuerSpec) DeepCopyInto added in v0.9.0 

func (in *CredentialIssuerSpec) DeepCopyInto(out *CredentialIssuerSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CredentialIssuerStatus 

type CredentialIssuerStatus struct {
	// List of integration strategies that were attempted by Pinniped.
	Strategies []CredentialIssuerStrategy `json:"strategies"`

	// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
	// This field is deprecated and will be removed in a future version.
	// +optional
	KubeConfigInfo *CredentialIssuerKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
}

CredentialIssuerStatus describes the status of the Concierge.

func (*CredentialIssuerStatus) DeepCopy 

func (in *CredentialIssuerStatus) DeepCopy() *CredentialIssuerStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerStatus.

func (*CredentialIssuerStatus) DeepCopyInto 

func (in *CredentialIssuerStatus) DeepCopyInto(out *CredentialIssuerStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CredentialIssuerStrategy 

type CredentialIssuerStrategy struct {
	// Type of integration attempted.
	Type StrategyType `json:"type"`

	// Status of the attempted integration strategy.
	Status StrategyStatus `json:"status"`

	// Reason for the current status.
	Reason StrategyReason `json:"reason"`

	// Human-readable description of the current status.
	// +kubebuilder:validation:MinLength=1
	Message string `json:"message"`

	// When the status was last checked.
	LastUpdateTime metav1.Time `json:"lastUpdateTime"`

	// Frontend describes how clients can connect using this strategy.
	Frontend *CredentialIssuerFrontend `json:"frontend,omitempty"`
}

CredentialIssuerStrategy describes the status of an integration strategy that was attempted by Pinniped.

func (*CredentialIssuerStrategy) DeepCopy 

func (in *CredentialIssuerStrategy) DeepCopy() *CredentialIssuerStrategy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerStrategy.

func (*CredentialIssuerStrategy) DeepCopyInto 

func (in *CredentialIssuerStrategy) DeepCopyInto(out *CredentialIssuerStrategy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type FrontendType 

type FrontendType string

FrontendType enumerates a type of "frontend" used to provide access to users of a cluster. +kubebuilder:validation:Enum=TokenCredentialRequestAPI;ImpersonationProxy

type ImpersonationProxyInfo 

type ImpersonationProxyInfo struct {
	// Endpoint is the HTTPS endpoint of the impersonation proxy.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Pattern=`^https://`
	Endpoint string `json:"endpoint"`

	// CertificateAuthorityData is the base64-encoded PEM CA bundle of the impersonation proxy.
	// +kubebuilder:validation:MinLength=1
	CertificateAuthorityData string `json:"certificateAuthorityData"`
}

ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge.

func (*ImpersonationProxyInfo) DeepCopy 

func (in *ImpersonationProxyInfo) DeepCopy() *ImpersonationProxyInfo

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyInfo.

func (*ImpersonationProxyInfo) DeepCopyInto 

func (in *ImpersonationProxyInfo) DeepCopyInto(out *ImpersonationProxyInfo)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ImpersonationProxyMode added in v0.9.0 

type ImpersonationProxyMode string

ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy. Allowed values are "auto", "enabled", or "disabled".

+kubebuilder:validation:Enum=auto;enabled;disabled

type ImpersonationProxyServiceSpec added in v0.9.0 

type ImpersonationProxyServiceSpec struct {
	// Type specifies the type of Service to provision for the impersonation proxy.
	//
	// If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty
	// value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status.
	//
	// +kubebuilder:default:="LoadBalancer"
	Type ImpersonationProxyServiceType `json:"type,omitempty"`

	// LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service.
	// This is not supported on all cloud providers.
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=255
	// +optional
	LoadBalancerIP string `json:"loadBalancerIP,omitempty"`

	// Annotations specifies zero or more key/value pairs to set as annotations on the provisioned Service.
	//
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`
}

ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

func (*ImpersonationProxyServiceSpec) DeepCopy added in v0.9.0 

func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyServiceSpec.

func (*ImpersonationProxyServiceSpec) DeepCopyInto added in v0.9.0 

func (in *ImpersonationProxyServiceSpec) DeepCopyInto(out *ImpersonationProxyServiceSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ImpersonationProxyServiceType added in v0.9.0 

type ImpersonationProxyServiceType string

ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy. Allowed values are "LoadBalancer", "ClusterIP", or "None".

+kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None

type ImpersonationProxySpec added in v0.9.0 

type ImpersonationProxySpec struct {
	// Mode configures whether the impersonation proxy should be started:
	// - "disabled" explicitly disables the impersonation proxy. This is the default.
	// - "enabled" explicitly enables the impersonation proxy.
	// - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running.
	Mode ImpersonationProxyMode `json:"mode"`

	// Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.
	//
	// +kubebuilder:default:={"type": "LoadBalancer"}
	Service ImpersonationProxyServiceSpec `json:"service"`

	// ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will
	// be served using the external name of the LoadBalancer service or the cluster service DNS name.
	//
	// This field must be non-empty when spec.impersonationProxy.service.type is "None".
	//
	// +optional
	ExternalEndpoint string `json:"externalEndpoint,omitempty"`

	// TLS contains information about how the Concierge impersonation proxy should serve TLS.
	//
	// If this field is empty, the impersonation proxy will generate its own TLS certificate.
	//
	// +optional
	TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
}

ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.

func (*ImpersonationProxySpec) DeepCopy added in v0.9.0 

func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxySpec.

func (*ImpersonationProxySpec) DeepCopyInto added in v0.9.0 

func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ImpersonationProxyTLSSpec added in v0.25.0 

type ImpersonationProxyTLSSpec struct {
	// X.509 Certificate Authority (base64-encoded PEM bundle).
	// Used to advertise the CA bundle for the impersonation proxy endpoint.
	//
	// +optional
	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`

	// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
	// the TLS serving certificate for the Concierge impersonation proxy endpoint.
	//
	// +kubebuilder:validation:MinLength=1
	SecretName string `json:"secretName,omitempty"`
}

ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS.

If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData.

If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint.

func (*ImpersonationProxyTLSSpec) DeepCopy added in v0.25.0 

func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec.

func (*ImpersonationProxyTLSSpec) DeepCopyInto added in v0.25.0 

func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type StrategyReason 

type StrategyReason string

StrategyReason enumerates the detailed reason why a strategy is in a particular status. +kubebuilder:validation:Enum=Listening;Pending;Disabled;ErrorDuringSetup;CouldNotFetchKey;CouldNotGetClusterInfo;FetchedKey

type StrategyStatus 

type StrategyStatus string

StrategyStatus enumerates whether a strategy is working on a cluster. +kubebuilder:validation:Enum=Success;Error

type StrategyType 

type StrategyType string

StrategyType enumerates a type of "strategy" used to implement credential access on a cluster. +kubebuilder:validation:Enum=KubeClusterSigningCertificate;ImpersonationProxy

type TokenCredentialRequestAPIInfo 

type TokenCredentialRequestAPIInfo struct {
	// Server is the Kubernetes API server URL.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Pattern=`^https://|^http://`
	Server string `json:"server"`

	// CertificateAuthorityData is the base64-encoded Kubernetes API server CA bundle.
	// +kubebuilder:validation:MinLength=1
	CertificateAuthorityData string `json:"certificateAuthorityData"`
}

TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge.

func (*TokenCredentialRequestAPIInfo) DeepCopy 

func (in *TokenCredentialRequestAPIInfo) DeepCopy() *TokenCredentialRequestAPIInfo

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenCredentialRequestAPIInfo.

func (*TokenCredentialRequestAPIInfo) DeepCopyInto 

func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.