Documentation ¶
Overview ¶
Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor configuration API.
Index ¶
- Constants
- Variables
- func Resource(resource string) schema.GroupResource
- type Condition
- type ConditionStatus
- type FederationDomain
- type FederationDomainList
- type FederationDomainSecrets
- type FederationDomainSpec
- type FederationDomainStatus
- type FederationDomainStatusCondition
- type FederationDomainTLSSpec
- type GrantType
- type OIDCClient
- type OIDCClientList
- type OIDCClientPhase
- type OIDCClientSpec
- type OIDCClientStatus
- type RedirectURI
- type Scope
Constants ¶
const (
	SuccessFederationDomainStatusCondition                         = FederationDomainStatusCondition("Success")
	DuplicateFederationDomainStatusCondition                       = FederationDomainStatusCondition("Duplicate")
	SameIssuerHostMustUseSameSecretFederationDomainStatusCondition = FederationDomainStatusCondition("SameIssuerHostMustUseSameSecret")
	InvalidFederationDomainStatusCondition                         = FederationDomainStatusCondition("Invalid")
)
const GroupName = "config.supervisor.pinniped.dev"
Variables ¶
var (
	SchemeBuilder runtime.SchemeBuilder
	AddToScheme   = localSchemeBuilder.AddToScheme
)
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
SchemeGroupVersion is the group version used to register these objects.
Functions ¶
func Resource ¶
func Resource(resource string) schema.GroupResource
Resource takes an unqualified resource and returns a Group qualified GroupResource.
Types ¶
type Condition ¶ added in v0.20.0
type Condition struct {
	// type of condition in CamelCase or in foo.example.com/CamelCase.
	// ---
	// Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
	// useful (see .node.status.conditions), the ability to deconflict is important.
	// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
	// +required
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$`
	// +kubebuilder:validation:MaxLength=316
	Type string `json:"type"`
	// status of the condition, one of True, False, Unknown.
	// +required
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Enum=True;False;Unknown
	Status ConditionStatus `json:"status"`
	// observedGeneration represents the .metadata.generation that the condition was set based upon.
	// For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
	// with respect to the current state of the instance.
	// +optional
	// +kubebuilder:validation:Minimum=0
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
	// lastTransitionTime is the last time the condition transitioned from one status to another.
	// This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
	// +required
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Type=string
	// +kubebuilder:validation:Format=date-time
	LastTransitionTime metav1.Time `json:"lastTransitionTime"`
	// reason contains a programmatic identifier indicating the reason for the condition's last transition.
	// Producers of specific condition types may define expected values and meanings for this field,
	// and whether the values are considered a guaranteed API.
	// The value should be a CamelCase string.
	// This field may not be empty.
	// +required
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:MaxLength=1024
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$`
	Reason string `json:"reason"`
	// message is a human readable message indicating details about the transition.
	// This may be an empty string.
	// +required
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:MaxLength=32768
	Message string `json:"message"`
}
Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
func (*Condition) DeepCopy ¶ added in v0.20.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition.
func (*Condition) DeepCopyInto ¶ added in v0.20.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ConditionStatus ¶ added in v0.20.0
type ConditionStatus string
ConditionStatus is effectively an enum type for Condition.Status.
const (
	ConditionTrue    ConditionStatus = "True"
	ConditionFalse   ConditionStatus = "False"
	ConditionUnknown ConditionStatus = "Unknown"
)
These are valid condition statuses. "ConditionTrue" means a resource is in the condition. "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes can't decide if a resource is in the condition or not. In the future, we could add other intermediate conditions, e.g. ConditionDegraded.
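The field comments on Condition above describe two behaviours a status writer has to get right: LastTransitionTime moves only when Status changes, and ObservedGeneration records which .metadata.generation the observation was made against so that a consumer can tell a stale condition from a current one. The following is an added example, not code from the Pinniped project, showing one way to implement both; it uses local stand-in types with time.Time instead of metav1.Time so it builds without the apimachinery module, and the condition type "Ready" and the generation numbers are constructed sample values.

```go
package main

import (
	"fmt"
	"time"
)

// Local stand-ins for the page's Condition and ConditionStatus types. The
// real type uses metav1.Time; time.Time is used here so the example builds
// without the pinniped or apimachinery modules.
type ConditionStatus string

const (
	ConditionTrue    ConditionStatus = "True"
	ConditionFalse   ConditionStatus = "False"
	ConditionUnknown ConditionStatus = "Unknown"
)

type Condition struct {
	Type               string
	Status             ConditionStatus
	ObservedGeneration int64
	LastTransitionTime time.Time
	Reason             string
	Message            string
}

// setCondition upserts a condition keyed by Type (the conditions list is a
// map keyed by type, per the +listMapKey=type marker on OIDCClientStatus).
// It stamps ObservedGeneration with the generation the observation was made
// against and moves LastTransitionTime only when Status actually changes,
// which is what the field comment asks for. `now` is injected for testability.
func setCondition(conds []Condition, c Condition, generation int64, now time.Time) []Condition {
	c.ObservedGeneration = generation
	for i := range conds {
		if conds[i].Type != c.Type {
			continue
		}
		if conds[i].Status == c.Status {
			// Same status: keep the old transition time, refresh everything else.
			c.LastTransitionTime = conds[i].LastTransitionTime
		} else {
			c.LastTransitionTime = now
		}
		conds[i] = c
		return conds
	}
	c.LastTransitionTime = now
	return append(conds, c)
}

// findCondition returns the condition with the given type, or nil.
func findCondition(conds []Condition, typ string) *Condition {
	for i := range conds {
		if conds[i].Type == typ {
			return &conds[i]
		}
	}
	return nil
}

// isStale reports whether the condition was observed against an older
// .metadata.generation than the object currently has (the "12 vs 9" case in
// the field comment). A consumer should not trust a stale condition's Status.
func isStale(c Condition, currentGeneration int64) bool {
	return c.ObservedGeneration < currentGeneration
}

func main() {
	// Constructed sample: the same "Ready" condition written three times as
	// the object's generation advances.
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	var conds []Condition
	conds = setCondition(conds, Condition{Type: "Ready", Status: ConditionFalse, Reason: "NotYet", Message: "constructed"}, 1, t0)
	conds = setCondition(conds, Condition{Type: "Ready", Status: ConditionFalse, Reason: "StillNot", Message: "constructed"}, 2, t0.Add(time.Minute))
	conds = setCondition(conds, Condition{Type: "Ready", Status: ConditionTrue, Reason: "Success", Message: "constructed"}, 3, t0.Add(2*time.Minute))
	for _, c := range conds {
		fmt.Printf("%s=%s observedGeneration=%d lastTransition=%s stale(gen 4)=%v\n",
			c.Type, c.Status, c.ObservedGeneration, c.LastTransitionTime.Format(time.RFC3339), isStale(c, 4))
	}
}
```

The second write keeps the original transition time because the status did not change (only Reason and Message were refreshed), while the third write, which flips False to True, takes the new timestamp; after the object moves on to generation 4, isStale flags the condition until a controller re-observes it.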
type FederationDomain ¶
type FederationDomain struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// Spec of the OIDC provider.
	Spec FederationDomainSpec `json:"spec"`
	// Status of the OIDC provider.
	Status FederationDomainStatus `json:"status,omitempty"`
}
FederationDomain describes the configuration of an OIDC provider. +genclient +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +kubebuilder:resource:categories=pinniped +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer` +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status` +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +kubebuilder:subresource:status
func (*FederationDomain) DeepCopy ¶
func (in *FederationDomain) DeepCopy() *FederationDomain
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomain.
func (*FederationDomain) DeepCopyInto ¶
func (in *FederationDomain) DeepCopyInto(out *FederationDomain)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*FederationDomain) DeepCopyObject ¶
func (in *FederationDomain) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type FederationDomainList ¶
type FederationDomainList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []FederationDomain `json:"items"`
}
List of FederationDomain objects. +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
func (*FederationDomainList) DeepCopy ¶
func (in *FederationDomainList) DeepCopy() *FederationDomainList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainList.
func (*FederationDomainList) DeepCopyInto ¶
func (in *FederationDomainList) DeepCopyInto(out *FederationDomainList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*FederationDomainList) DeepCopyObject ¶
func (in *FederationDomainList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type FederationDomainSecrets ¶
type FederationDomainSecrets struct {
	// JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are
	// stored. If it is empty, then the signing/verification keys are either unknown or they don't
	// exist.
	// +optional
	JWKS corev1.LocalObjectReference `json:"jwks,omitempty"`
	// TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
	// signing tokens is stored.
	// +optional
	TokenSigningKey corev1.LocalObjectReference `json:"tokenSigningKey,omitempty"`
	// StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
	// signing state parameters is stored.
	// +optional
	StateSigningKey corev1.LocalObjectReference `json:"stateSigningKey,omitempty"`
	// StateEncryptionKey holds the name of the corev1.Secret in which this OIDC Provider's key for
	// encrypting state parameters is stored.
	// +optional
	StateEncryptionKey corev1.LocalObjectReference `json:"stateEncryptionKey,omitempty"`
}
FederationDomainSecrets holds information about this OIDC Provider's secrets.
func (*FederationDomainSecrets) DeepCopy ¶
func (in *FederationDomainSecrets) DeepCopy() *FederationDomainSecrets
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainSecrets.
func (*FederationDomainSecrets) DeepCopyInto ¶
func (in *FederationDomainSecrets) DeepCopyInto(out *FederationDomainSecrets)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FederationDomainSpec ¶
type FederationDomainSpec struct {
	// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
	// identifier that it will use for the iss claim in issued JWTs. This field will also be used as
	// the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is
	// https://example.com/foo, then your authorization endpoint will look like
	// https://example.com/foo/some/path/to/auth/endpoint).
	//
	// See
	// https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
	// +kubebuilder:validation:MinLength=1
	Issuer string `json:"issuer"`
	// TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
	// +optional
	TLS *FederationDomainTLSSpec `json:"tls,omitempty"`
}
FederationDomainSpec is a struct that describes an OIDC Provider.
func (*FederationDomainSpec) DeepCopy ¶
func (in *FederationDomainSpec) DeepCopy() *FederationDomainSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainSpec.
func (*FederationDomainSpec) DeepCopyInto ¶
func (in *FederationDomainSpec) DeepCopyInto(out *FederationDomainSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FederationDomainStatus ¶
type FederationDomainStatus struct {
	// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
	// represent success or failure.
	// +optional
	Status FederationDomainStatusCondition `json:"status,omitempty"`
	// Message provides human-readable details about the Status.
	// +optional
	Message string `json:"message,omitempty"`
	// LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get
	// around some undesirable behavior with respect to the empty metav1.Time value (see
	// https://github.com/kubernetes/kubernetes/issues/86811).
	// +optional
	LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
	// Secrets contains information about this OIDC Provider's secrets.
	// +optional
	Secrets FederationDomainSecrets `json:"secrets,omitempty"`
}
FederationDomainStatus is a struct that describes the actual state of an OIDC Provider.
func (*FederationDomainStatus) DeepCopy ¶
func (in *FederationDomainStatus) DeepCopy() *FederationDomainStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainStatus.
func (*FederationDomainStatus) DeepCopyInto ¶
func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FederationDomainStatusCondition ¶
type FederationDomainStatusCondition string
+kubebuilder:validation:Enum=Success;Duplicate;Invalid;SameIssuerHostMustUseSameSecret
type FederationDomainTLSSpec ¶
type FederationDomainTLSSpec struct {
	// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
	// the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret
	// named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use
	// for TLS.
	//
	// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
	//
	// SecretName is required if you would like to use different TLS certificates for issuers of different hostnames.
	// SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
	// SecretName value even if they have different port numbers.
	//
	// SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is
	// configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar).
	// It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
	// use the default TLS certificate, which is configured elsewhere.
	//
	// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
	//
	// +optional
	SecretName string `json:"secretName,omitempty"`
}
FederationDomainTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
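The FederationDomainStatusCondition enum (Success, Duplicate, SameIssuerHostMustUseSameSecret, Invalid) and the SecretName comment above together describe a consistency check across all FederationDomains: an issuer must be a usable URL, no two domains may claim the same issuer, and because SNI carries no port, every issuer on one DNS hostname must name the same TLS Secret, while IP-address hosts are exempt. The following is an added example, not code from the Pinniped project, of such a check over a constructed set of domains. It uses local stand-in types rather than the real package, treats the issuer as valid when it parses as an absolute http(s) URL with a host, and compares issuers as exact strings for the Duplicate rule; those three choices are this example's assumptions, not behaviour the page states.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Local stand-ins for the page's types; only the fields the check needs.
type FederationDomainStatusCondition string

const (
	SuccessFederationDomainStatusCondition                         = FederationDomainStatusCondition("Success")
	DuplicateFederationDomainStatusCondition                       = FederationDomainStatusCondition("Duplicate")
	SameIssuerHostMustUseSameSecretFederationDomainStatusCondition = FederationDomainStatusCondition("SameIssuerHostMustUseSameSecret")
	InvalidFederationDomainStatusCondition                         = FederationDomainStatusCondition("Invalid")
)

type FederationDomainTLSSpec struct{ SecretName string }

type FederationDomainSpec struct {
	Issuer string
	TLS    *FederationDomainTLSSpec
}

type FederationDomain struct {
	Name string // stands in for metadata.name
	Spec FederationDomainSpec
}

// secretNameOf returns the configured TLS SecretName, or "" when TLS is unset
// (meaning the default certificate configured elsewhere is used).
func secretNameOf(fd FederationDomain) string {
	if fd.Spec.TLS == nil {
		return ""
	}
	return fd.Spec.TLS.SecretName
}

// issuerHost parses the issuer and returns its lowercased hostname without the
// port, plus whether that host is an IP literal (SNI is not used for IPs).
// Accepting http as well as https is an assumption of this example.
func issuerHost(issuer string) (host string, isIP bool, err error) {
	u, err := url.Parse(issuer)
	if err != nil {
		return "", false, err
	}
	if (u.Scheme != "https" && u.Scheme != "http") || u.Hostname() == "" {
		return "", false, fmt.Errorf("issuer %q is not an absolute http(s) URL with a host", issuer)
	}
	host = strings.ToLower(u.Hostname())
	return host, net.ParseIP(host) != nil, nil
}

// validateFederationDomains assigns one status condition per FederationDomain
// (keyed by name): Invalid for an unparseable issuer, Duplicate when another
// domain has the identical issuer, SameIssuerHostMustUseSameSecret when a DNS
// hostname is shared with a different SecretName, otherwise Success.
func validateFederationDomains(fds []FederationDomain) map[string]FederationDomainStatusCondition {
	issuerCount := map[string]int{}
	hostSecrets := map[string]map[string]bool{} // DNS hostname -> set of SecretNames used with it
	for _, fd := range fds {
		host, isIP, err := issuerHost(fd.Spec.Issuer)
		if err != nil {
			continue
		}
		issuerCount[fd.Spec.Issuer]++
		if isIP {
			continue // no SNI for IP hosts, so the shared-SecretName rule does not apply
		}
		if hostSecrets[host] == nil {
			hostSecrets[host] = map[string]bool{}
		}
		hostSecrets[host][secretNameOf(fd)] = true
	}
	result := make(map[string]FederationDomainStatusCondition, len(fds))
	for _, fd := range fds {
		host, isIP, err := issuerHost(fd.Spec.Issuer)
		switch {
		case err != nil:
			result[fd.Name] = InvalidFederationDomainStatusCondition
		case issuerCount[fd.Spec.Issuer] > 1:
			result[fd.Name] = DuplicateFederationDomainStatusCondition
		case !isIP && len(hostSecrets[host]) > 1:
			result[fd.Name] = SameIssuerHostMustUseSameSecretFederationDomainStatusCondition
		default:
			result[fd.Name] = SuccessFederationDomainStatusCondition
		}
	}
	return result
}

// sampleFederationDomains is a constructed input exercising every condition.
func sampleFederationDomains() []FederationDomain {
	tls := func(name string) *FederationDomainTLSSpec { return &FederationDomainTLSSpec{SecretName: name} }
	return []FederationDomain{
		{Name: "a", Spec: FederationDomainSpec{Issuer: "https://issuer.example.com/a", TLS: tls("tls-a")}},
		{Name: "b", Spec: FederationDomainSpec{Issuer: "https://issuer.example.com:8443/b", TLS: tls("tls-b")}}, // same host, other port, other secret
		{Name: "c", Spec: FederationDomainSpec{Issuer: "https://other.example.com/c", TLS: tls("tls-c")}},
		{Name: "d", Spec: FederationDomainSpec{Issuer: "https://other.example.com/c", TLS: tls("tls-c")}}, // identical issuer to c
		{Name: "e", Spec: FederationDomainSpec{Issuer: "https://10.0.0.5/e", TLS: tls("ip-1")}},
		{Name: "f", Spec: FederationDomainSpec{Issuer: "https://10.0.0.5:8443/f", TLS: tls("ip-2")}}, // IP host: SecretName rule ignored
		{Name: "g", Spec: FederationDomainSpec{Issuer: "not a url"}},
	}
}

func main() {
	for name, cond := range validateFederationDomains(sampleFederationDomains()) {
		fmt.Printf("%s: %s\n", name, cond)
	}
}
```

Domains a and b both fail the shared-hostname rule even though only their ports differ, c and d are flagged as duplicates of each other, e and f pass because SNI never applies to an IP host, and g is rejected before any cross-domain comparison.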
func (*FederationDomainTLSSpec) DeepCopy ¶
func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTLSSpec.
func (*FederationDomainTLSSpec) DeepCopyInto ¶
func (in *FederationDomainTLSSpec) DeepCopyInto(out *FederationDomainTLSSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type GrantType ¶ added in v0.20.0
type GrantType string
+kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange"
type OIDCClient ¶ added in v0.20.0
type OIDCClient struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// Spec of the OIDC client.
	Spec OIDCClientSpec `json:"spec"`
	// Status of the OIDC client.
	Status OIDCClientStatus `json:"status,omitempty"`
}
OIDCClient describes the configuration of an OIDC client. +genclient +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +kubebuilder:resource:categories=pinniped +kubebuilder:printcolumn:name="Privileged Scopes",type=string,JSONPath=`.spec.allowedScopes[?(@ == "pinniped:request-audience")]` +kubebuilder:printcolumn:name="Client Secrets",type=integer,JSONPath=`.status.totalClientSecrets` +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +kubebuilder:subresource:status
func (*OIDCClient) DeepCopy ¶ added in v0.20.0
func (in *OIDCClient) DeepCopy() *OIDCClient
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient.
func (*OIDCClient) DeepCopyInto ¶ added in v0.20.0
func (in *OIDCClient) DeepCopyInto(out *OIDCClient)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*OIDCClient) DeepCopyObject ¶ added in v0.20.0
func (in *OIDCClient) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type OIDCClientList ¶ added in v0.20.0
type OIDCClientList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []OIDCClient `json:"items"`
}
List of OIDCClient objects. +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
func (*OIDCClientList) DeepCopy ¶ added in v0.20.0
func (in *OIDCClientList) DeepCopy() *OIDCClientList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList.
func (*OIDCClientList) DeepCopyInto ¶ added in v0.20.0
func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*OIDCClientList) DeepCopyObject ¶ added in v0.20.0
func (in *OIDCClientList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type OIDCClientPhase ¶ added in v0.20.0
type OIDCClientPhase string
const (
	// PhasePending is the default phase for newly-created OIDCClient resources.
	PhasePending OIDCClientPhase = "Pending"
	// PhaseReady is the phase for an OIDCClient resource in a healthy state.
	PhaseReady OIDCClientPhase = "Ready"
	// PhaseError is the phase for an OIDCClient in an unhealthy state.
	PhaseError OIDCClientPhase = "Error"
)
type OIDCClientSpec ¶ added in v0.20.0
type OIDCClientSpec struct {
	// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
	// client. Any other uris will be rejected.
	// Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme.
	// Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri.
	// +listType=set
	// +kubebuilder:validation:MinItems=1
	AllowedRedirectURIs []RedirectURI `json:"allowedRedirectURIs"`
	// allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this
	// client.
	//
	// Must only contain the following values:
	// - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to
	//   authenticate users. This grant must always be listed.
	// - refresh_token: allows the client to perform refresh grants for the user to extend the user's session.
	//   This grant must be listed if allowedScopes lists offline_access.
	// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
	//   which is a step in the process to be able to get a cluster credential for the user.
	//   This grant must be listed if allowedScopes lists pinniped:request-audience.
	// +listType=set
	// +kubebuilder:validation:MinItems=1
	AllowedGrantTypes []GrantType `json:"allowedGrantTypes"`
	// allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
	//
	// Must only contain the following values:
	// - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat).
	//   This scope must always be listed.
	// - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow.
	//   This scope must be listed if allowedGrantTypes lists refresh_token.
	// - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange,
	//   which is a step in the process to be able to get a cluster credential for the user.
	//   openid, username and groups scopes must be listed when this scope is present.
	//   This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange.
	// - username: The client is allowed to request that ID tokens contain the user's username.
	//   Without the username scope being requested and allowed, the ID token will not contain the user's username.
	// - groups: The client is allowed to request that ID tokens contain the user's group membership,
	//   if their group membership is discoverable by the Supervisor.
	//   Without the groups scope being requested and allowed, the ID token will not contain groups.
	// +listType=set
	// +kubebuilder:validation:MinItems=1
	AllowedScopes []Scope `json:"allowedScopes"`
}
OIDCClientSpec is a struct that describes an OIDCClient.
func (*OIDCClientSpec) DeepCopy ¶ added in v0.20.0
func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec.
func (*OIDCClientSpec) DeepCopyInto ¶ added in v0.20.0
func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OIDCClientStatus ¶ added in v0.20.0
type OIDCClientStatus struct {
	// phase summarizes the overall status of the OIDCClient.
	// +kubebuilder:default=Pending
	// +kubebuilder:validation:Enum=Pending;Ready;Error
	Phase OIDCClientPhase `json:"phase,omitempty"`
	// conditions represent the observations of an OIDCClient's current state.
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
	// totalClientSecrets is the current number of client secrets that are detected for this OIDCClient.
	// +optional
	TotalClientSecrets int32 `json:"totalClientSecrets"` // do not omitempty to allow it to show in the printer column even when it is 0
}
OIDCClientStatus is a struct that describes the actual state of an OIDCClient.
func (*OIDCClientStatus) DeepCopy ¶ added in v0.20.0
func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus.
func (*OIDCClientStatus) DeepCopyInto ¶ added in v0.20.0
func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RedirectURI ¶ added in v0.20.0
type RedirectURI string
+kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`
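The OIDCClientSpec field comments above state a set of cross-field rules (authorization_code and openid are always required; offline_access and refresh_token, and pinniped:request-audience and the token-exchange grant, must be allowed together; pinniped:request-audience additionally needs username and groups), and the RedirectURI pattern plus the allowedRedirectURIs comment define which redirect URIs are acceptable and that ports are ignored for 127.0.0.1 and ::1. The following is an added example, not code from the Pinniped project, that implements those rules and a redirect_uri matcher over constructed specs. It uses local stand-in types rather than the real package, relies on kubebuilder's enum validation rather than re-checking unknown grant and scope values, and for the loopback case compares scheme, hostname, path and query while dropping the port; that comparison rule is this example's assumption, as the page only says the port is ignored.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Local stand-ins for the page's OIDCClientSpec and its value types.
type GrantType string
type Scope string
type RedirectURI string

const (
	grantAuthorizationCode GrantType = "authorization_code"
	grantRefreshToken      GrantType = "refresh_token"
	grantTokenExchange     GrantType = "urn:ietf:params:oauth:grant-type:token-exchange"
	scopeOpenID            Scope     = "openid"
	scopeOfflineAccess     Scope     = "offline_access"
	scopeRequestAudience   Scope     = "pinniped:request-audience"
	scopeUsername          Scope     = "username"
	scopeGroups            Scope     = "groups"
)

type OIDCClientSpec struct {
	AllowedRedirectURIs []RedirectURI
	AllowedGrantTypes   []GrantType
	AllowedScopes       []Scope
}

// redirectURIPattern is the +kubebuilder:validation:Pattern on RedirectURI from the page, compiled as-is.
var redirectURIPattern = regexp.MustCompile(`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`)

// validateOIDCClientSpec applies the cross-field rules from the field comments
// and returns one message per violation; an empty result means the spec is consistent.
func validateOIDCClientSpec(spec OIDCClientSpec) []string {
	grant := func(g GrantType) bool {
		for _, v := range spec.AllowedGrantTypes {
			if v == g {
				return true
			}
		}
		return false
	}
	scope := func(s Scope) bool {
		for _, v := range spec.AllowedScopes {
			if v == s {
				return true
			}
		}
		return false
	}
	var problems []string
	if len(spec.AllowedRedirectURIs) == 0 {
		problems = append(problems, "allowedRedirectURIs must list at least one URI")
	}
	for _, u := range spec.AllowedRedirectURIs {
		if !redirectURIPattern.MatchString(string(u)) {
			problems = append(problems, fmt.Sprintf("redirect URI %q must use https (http only for 127.0.0.1 or [::1])", u))
		}
	}
	if !grant(grantAuthorizationCode) {
		problems = append(problems, "authorization_code grant must always be allowed")
	}
	if !scope(scopeOpenID) {
		problems = append(problems, "openid scope must always be allowed")
	}
	if scope(scopeOfflineAccess) != grant(grantRefreshToken) {
		problems = append(problems, "offline_access scope and refresh_token grant must be allowed together")
	}
	if scope(scopeRequestAudience) != grant(grantTokenExchange) {
		problems = append(problems, "pinniped:request-audience scope and token-exchange grant must be allowed together")
	}
	if scope(scopeRequestAudience) && !(scope(scopeUsername) && scope(scopeGroups)) {
		problems = append(problems, "pinniped:request-audience requires the username and groups scopes")
	}
	return problems
}

// isLoopback reports whether the URL's host is one of the two loopback literals
// the page allows http for.
func isLoopback(u *url.URL) bool {
	h := u.Hostname()
	return h == "127.0.0.1" || h == "::1"
}

// redirectURIAllowed compares a requested redirect_uri with the allow-list:
// an exact string match for any entry, or, for the two loopback hosts only, a
// match on scheme, hostname, path and query with the port ignored. There is
// deliberately no prefix or wildcard matching.
func redirectURIAllowed(allowed []RedirectURI, requested string) bool {
	req, err := url.Parse(requested)
	if err != nil {
		return false
	}
	for _, a := range allowed {
		if string(a) == requested {
			return true
		}
		al, err := url.Parse(string(a))
		if err != nil || !isLoopback(al) || !isLoopback(req) {
			continue
		}
		if al.Scheme == req.Scheme && al.Hostname() == req.Hostname() && al.Path == req.Path && al.RawQuery == req.RawQuery {
			return true
		}
	}
	return false
}

// goodClientSpec is a constructed spec that satisfies every rule above.
func goodClientSpec() OIDCClientSpec {
	return OIDCClientSpec{
		AllowedRedirectURIs: []RedirectURI{"https://app.example.com/callback", "http://127.0.0.1/callback"},
		AllowedGrantTypes:   []GrantType{grantAuthorizationCode, grantRefreshToken, grantTokenExchange},
		AllowedScopes:       []Scope{scopeOpenID, scopeOfflineAccess, scopeRequestAudience, scopeUsername, scopeGroups},
	}
}

func main() {
	// Constructed spec that breaks five rules at once.
	bad := OIDCClientSpec{
		AllowedRedirectURIs: []RedirectURI{"http://app.example.com/callback"},
		AllowedGrantTypes:   []GrantType{grantRefreshToken},
		AllowedScopes:       []Scope{scopeOpenID, scopeRequestAudience},
	}
	for _, p := range validateOIDCClientSpec(bad) {
		fmt.Println("problem:", p)
	}
	allowed := goodClientSpec().AllowedRedirectURIs
	fmt.Println(redirectURIAllowed(allowed, "http://127.0.0.1:54321/callback"))       // true: loopback port ignored
	fmt.Println(redirectURIAllowed(allowed, "https://app.example.com/callback/extra")) // false: no prefix matching
}
```

The matcher's strictness is the point: a native client listening on an ephemeral loopback port still matches its registered http://127.0.0.1/callback entry, while anything else has to equal a registered URI byte for byte, so a path suffix, a different scheme, or a ::1 request against a 127.0.0.1 registration are all rejected.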