Package v1alpha1 (v0.31.0)
Published: Jun 5, 2024 License: Apache-2.0 Imports: 3 Imported by: 3

Documentation

Overview

Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor identity provider (IDP) API.

Index

Constants

const GroupName = "idp.supervisor.pinniped.dev"

Variables

var (
	SchemeBuilder runtime.SchemeBuilder

	AddToScheme = localSchemeBuilder.AddToScheme
)
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}

SchemeGroupVersion is the group version used to register these objects.

Functions

func Resource

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource name and returns a Group-qualified GroupResource.

Types

type ActiveDirectoryIdentityProvider added in v0.11.0

type ActiveDirectoryIdentityProvider struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec for configuring the identity provider.
	Spec ActiveDirectoryIdentityProviderSpec `json:"spec"`

	// Status of the identity provider.
	Status ActiveDirectoryIdentityProviderStatus `json:"status,omitempty"`
}

ActiveDirectoryIdentityProvider describes the configuration of an upstream Microsoft Active Directory identity provider.

+genclient +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.host` +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +kubebuilder:subresource:status

func (*ActiveDirectoryIdentityProvider) DeepCopy added in v0.11.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProvider.

func (*ActiveDirectoryIdentityProvider) DeepCopyInto added in v0.11.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ActiveDirectoryIdentityProvider) DeepCopyObject added in v0.11.0

func (in *ActiveDirectoryIdentityProvider) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type ActiveDirectoryIdentityProviderBind added in v0.11.0

type ActiveDirectoryIdentityProviderBind struct {
	// SecretName contains the name of a namespace-local Secret object that provides the username and
	// password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be
	// of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value
	// should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
	// The password must be non-empty.
	// +kubebuilder:validation:MinLength=1
	SecretName string `json:"secretName"`
}

func (*ActiveDirectoryIdentityProviderBind) DeepCopy added in v0.11.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderBind.

func (*ActiveDirectoryIdentityProviderBind) DeepCopyInto added in v0.11.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ActiveDirectoryIdentityProviderGroupSearch added in v0.11.0

type ActiveDirectoryIdentityProviderGroupSearch struct {
	// Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
	// "ou=groups,dc=example,dc=com".
	// Optional, when not specified it will be based on the result of a query for the defaultNamingContext
	// (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
	// The default behavior searches your entire domain for groups.
	// It may make sense to specify a subtree as a search base if you wish to exclude some groups
	// for security reasons or to make searches faster.
	// +optional
	Base string `json:"base,omitempty"`

	// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
	// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
	// value of an attribute of the user entry found as a result of the user search. Which attribute's
	// value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
	// E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
	// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
	// Optional. When not specified, the default will act as if the filter were specified as
	// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={}))".
	// This searches nested groups by default.
	// Note that nested group search can be slow for some Active Directory servers. To disable it,
	// you can set the filter to
	// "(&(objectClass=group)(member={}))".
	// +optional
	Filter string `json:"filter,omitempty"`

	// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
	// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
	// For example, specifying "uid" as the UserAttributeForFilter while specifying
	// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
	// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
	// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
	// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
	// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
	// +optional
	UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`

	// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
	// the result of the group search.
	// +optional
	Attributes ActiveDirectoryIdentityProviderGroupSearchAttributes `json:"attributes,omitempty"`

	// The user's group membership is refreshed as they interact with the supervisor
	// to obtain new credentials (as their old credentials expire).  This allows group
	// membership changes to be quickly reflected into Kubernetes clusters.  Since
	// group membership is often used to bind authorization policies, it is important
	// to keep the groups observed in Kubernetes clusters in-sync with the identity
	// provider.
	//
	// In some environments, frequent group membership queries may result in a
	// significant performance impact on the identity provider and/or the supervisor.
	// The best approach to handle performance impacts is to tweak the group query
	// to be more performant, for example by disabling nested group search or by
	// using a more targeted group search base.
	//
	// If the group search query cannot be made performant and you are willing to
	// have group memberships remain static for approximately a day, then set
	// skipGroupRefresh to true.  This is an insecure configuration as authorization
	// policies that are bound to group membership will not notice if a user has
	// been removed from a particular group until their next login.
	//
	// This is an experimental feature that may be removed or significantly altered
	// in the future.  Consumers of this configuration should carefully read all
	// release notes before upgrading to ensure that the meaning of this field has
	// not changed.
	SkipGroupRefresh bool `json:"skipGroupRefresh,omitempty"`
}

func (*ActiveDirectoryIdentityProviderGroupSearch) DeepCopy added in v0.11.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderGroupSearch.

func (*ActiveDirectoryIdentityProviderGroupSearch) DeepCopyInto added in v0.11.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ActiveDirectoryIdentityProviderGroupSearchAttributes added in v0.11.0

type ActiveDirectoryIdentityProviderGroupSearchAttributes struct {
	// GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name
	// in the user's list of groups after a successful authentication.
	// The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory
	// server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn".
	// Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain",
	// where domain is constructed from the domain components of the group DN.
	// +optional
	GroupName string `json:"groupName,omitempty"`
}

func (*ActiveDirectoryIdentityProviderGroupSearchAttributes) DeepCopy added in v0.11.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderGroupSearchAttributes.

func (*ActiveDirectoryIdentityProviderGroupSearchAttributes) DeepCopyInto added in v0.11.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ActiveDirectoryIdentityProviderList added in v0.11.0

type ActiveDirectoryIdentityProviderList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	Items []ActiveDirectoryIdentityProvider `json:"items"`
}

ActiveDirectoryIdentityProviderList lists ActiveDirectoryIdentityProvider objects.

+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

func (*ActiveDirectoryIdentityProviderList) DeepCopy added in v0.11.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderList.

func (*ActiveDirectoryIdentityProviderList) DeepCopyInto added in v0.11.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ActiveDirectoryIdentityProviderList) DeepCopyObject added in v0.11.0

func (in *ActiveDirectoryIdentityProviderList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type ActiveDirectoryIdentityProviderPhase added in v0.11.0

type ActiveDirectoryIdentityProviderPhase string
const (
	// ActiveDirectoryPhasePending is the default phase for newly-created ActiveDirectoryIdentityProvider resources.
	ActiveDirectoryPhasePending ActiveDirectoryIdentityProviderPhase = "Pending"

	// ActiveDirectoryPhaseReady is the phase for an ActiveDirectoryIdentityProvider resource in a healthy state.
	ActiveDirectoryPhaseReady ActiveDirectoryIdentityProviderPhase = "Ready"

	// ActiveDirectoryPhaseError is the phase for an ActiveDirectoryIdentityProvider in an unhealthy state.
	ActiveDirectoryPhaseError ActiveDirectoryIdentityProviderPhase = "Error"
)

type ActiveDirectoryIdentityProviderSpec added in v0.11.0

type ActiveDirectoryIdentityProviderSpec struct {
	// Host is the hostname of this Active Directory identity provider, i.e., where to connect. For example: ldap.example.com:636.
	// +kubebuilder:validation:MinLength=1
	Host string `json:"host"`

	// TLS contains the connection settings for how to establish the connection to the Host.
	TLS *TLSSpec `json:"tls,omitempty"`

	// Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server
	// to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
	Bind ActiveDirectoryIdentityProviderBind `json:"bind,omitempty"`

	// UserSearch contains the configuration for searching for a user by name in Active Directory.
	UserSearch ActiveDirectoryIdentityProviderUserSearch `json:"userSearch,omitempty"`

	// GroupSearch contains the configuration for searching for a user's group membership in ActiveDirectory.
	GroupSearch ActiveDirectoryIdentityProviderGroupSearch `json:"groupSearch,omitempty"`
}

Spec for configuring an ActiveDirectory identity provider.

func (*ActiveDirectoryIdentityProviderSpec) DeepCopy added in v0.11.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderSpec.

func (*ActiveDirectoryIdentityProviderSpec) DeepCopyInto added in v0.11.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ActiveDirectoryIdentityProviderStatus added in v0.11.0

type ActiveDirectoryIdentityProviderStatus struct {
	// Phase summarizes the overall status of the ActiveDirectoryIdentityProvider.
	// +kubebuilder:default=Pending
	// +kubebuilder:validation:Enum=Pending;Ready;Error
	Phase ActiveDirectoryIdentityProviderPhase `json:"phase,omitempty"`

	// Represents the observations of an identity provider's current state.
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}

Status of an Active Directory identity provider.

func (*ActiveDirectoryIdentityProviderStatus) DeepCopy added in v0.11.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderStatus.

func (*ActiveDirectoryIdentityProviderStatus) DeepCopyInto added in v0.11.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ActiveDirectoryIdentityProviderUserSearch added in v0.11.0

type ActiveDirectoryIdentityProviderUserSearch struct {
	// Base is the dn (distinguished name) that should be used as the search base when searching for users.
	// E.g. "ou=users,dc=example,dc=com".
	// Optional, when not specified it will be based on the result of a query for the defaultNamingContext
	// (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
	// The default behavior searches your entire domain for users.
	// It may make sense to specify a subtree as a search base if you wish to exclude some users
	// or to make searches faster.
	// +optional
	Base string `json:"base,omitempty"`

	// Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur
	// in the filter at least once and will be dynamically replaced by the username for which the search is being run.
	// E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see
	// https://ldap.com/ldap-filters.
	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
	// Optional. When not specified, the default will be
	// '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={})(mail={})(userPrincipalName={}))(sAMAccountType=805306368))'
	// This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account,
	// and is not shown in advanced view only
	// (which would likely mean it's a system-created service account with advanced permissions).
	// Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username.
	// +optional
	Filter string `json:"filter,omitempty"`

	// Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as
	// the result of the user search.
	// +optional
	Attributes ActiveDirectoryIdentityProviderUserSearchAttributes `json:"attributes,omitempty"`
}
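The placeholder substitution that the UserSearch.Filter and GroupSearch.Filter/UserAttributeForFilter comments describe, as an added example rather than Pinniped's own code: it fills `{}` with the login name or the chosen user attribute, falls back to the documented defaults, and escapes the substituted value per RFC 4515 so a crafted login name cannot change the filter's structure. The `userEntry` type, the escaping step and the sample DN and attribute values are this example's own assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Defaults as described in the UserSearch and GroupSearch doc comments above.
const (
	placeholder                   = "{}"
	defaultUserAttributeForFilter = "dn"
	defaultUserSearchFilter       = "(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))" +
		"(|(sAMAccountName={})(mail={})(userPrincipalName={}))(sAMAccountType=805306368))"
	defaultGroupSearchFilter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={}))"
)

// escapeFilterValue escapes a value for use inside an LDAP filter assertion as RFC 4515 section 3
// requires: '*', '(', ')', '\' and NUL become a backslash followed by two hex digits. Without this,
// a login name such as `*)(objectClass=*` would alter the structure of the filter it is pasted into.
// The page does not say how Pinniped substitutes the value, so this safeguard is this example's own.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// substitute replaces every "{}" in filter with the escaped value, rejecting filters with no placeholder.
func substitute(filter, value string) (string, error) {
	if !strings.Contains(filter, placeholder) {
		return "", fmt.Errorf("filter %q does not contain the %q placeholder", filter, placeholder)
	}
	return strings.ReplaceAll(filter, placeholder, escapeFilterValue(value)), nil
}

// buildUserSearchFilter fills the user search filter with the login name; an empty filter selects the default.
func buildUserSearchFilter(filter, username string) (string, error) {
	if filter == "" {
		filter = defaultUserSearchFilter
	}
	return substitute(filter, username)
}

// userEntry is a constructed stand-in for the LDAP entry found by the user search: its DN plus attributes.
type userEntry struct {
	DN    string
	Attrs map[string]string
}

// buildGroupSearchFilter fills the group search filter with the value of userAttributeForFilter taken from
// the user entry. Empty filter and attribute select the documented defaults (nested-group filter, "dn").
func buildGroupSearchFilter(filter, userAttributeForFilter string, user userEntry) (string, error) {
	if filter == "" {
		filter = defaultGroupSearchFilter
	}
	if userAttributeForFilter == "" {
		userAttributeForFilter = defaultUserAttributeForFilter
	}
	value := user.DN // the DN is not an attribute of the entry, so it is handled specially
	if userAttributeForFilter != "dn" {
		v, ok := user.Attrs[userAttributeForFilter]
		if !ok || v == "" {
			return "", fmt.Errorf("user entry has no value for attribute %q", userAttributeForFilter)
		}
		value = v
	}
	return substitute(filter, value)
}

func main() {
	// Constructed sample user entry.
	user := userEntry{DN: "CN=Jane Doe,OU=users,DC=example,DC=com", Attrs: map[string]string{"uid": "jdoe"}}
	userFilter, _ := buildUserSearchFilter("", "jdoe")
	defaultGroups, _ := buildGroupSearchFilter("", "", user)
	posixGroups, _ := buildGroupSearchFilter("(&(objectClass=posixGroup)(memberUid={}))", "uid", user)
	hostile, _ := buildUserSearchFilter("(mail={})", "*)(objectClass=*")
	fmt.Println(userFilter)
	fmt.Println(defaultGroups)
	fmt.Println(posixGroups)
	fmt.Println(hostile) // the special characters arrive escaped, not as filter syntax
}
```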

func (*ActiveDirectoryIdentityProviderUserSearch) DeepCopy added in v0.11.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderUserSearch.

func (*ActiveDirectoryIdentityProviderUserSearch) DeepCopyInto added in v0.11.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ActiveDirectoryIdentityProviderUserSearchAttributes added in v0.11.0

type ActiveDirectoryIdentityProviderUserSearchAttributes struct {
	// Username specifies the name of the attribute in the Active Directory entry whose value shall become the username
	// of the user after a successful authentication.
	// Optional, when empty this defaults to "userPrincipalName".
	// +optional
	Username string `json:"username,omitempty"`

	// UID specifies the name of the attribute in the ActiveDirectory entry whose value shall be used to uniquely
	// identify the user within this ActiveDirectory provider after a successful authentication.
	// Optional, when empty this defaults to "objectGUID".
	// +optional
	UID string `json:"uid,omitempty"`
}

func (*ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy added in v0.11.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderUserSearchAttributes.

func (*ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopyInto added in v0.11.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type GitHubAPIConfig added in v0.31.0

type GitHubAPIConfig struct {
	// Host is required only for GitHub Enterprise Server.
	// Defaults to using GitHub's public API ("github.com").
	// Do not specify a protocol or scheme since "https://" will always be used.
	// Port is optional. Do not specify a path, query, fragment, or userinfo.
	// Only domain name or IP address, subdomains (optional), and port (optional).
	// IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
	// in square brackets. Example: "[::1]:443".
	//
	// +kubebuilder:default="github.com"
	// +kubebuilder:validation:MinLength=1
	// +optional
	Host *string `json:"host"`

	// TLS configuration for GitHub Enterprise Server.
	//
	// +optional
	TLS *TLSSpec `json:"tls,omitempty"`
}

GitHubAPIConfig allows configuration for GitHub Enterprise Server.

func (*GitHubAPIConfig) DeepCopy added in v0.31.0

func (in *GitHubAPIConfig) DeepCopy() *GitHubAPIConfig

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAPIConfig.

func (*GitHubAPIConfig) DeepCopyInto added in v0.31.0

func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type GitHubAllowAuthenticationSpec added in v0.31.0

type GitHubAllowAuthenticationSpec struct {
	// Organizations allows customization of which organizations can authenticate using this IDP.
	// +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed has organizations listed",rule="!(has(self.allowed) && size(self.allowed) > 0 && self.policy == 'AllGitHubUsers')"
	// +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed is empty",rule="!((!has(self.allowed) || size(self.allowed) == 0) && self.policy == 'OnlyUsersFromAllowedOrganizations')"
	Organizations GitHubOrganizationsSpec `json:"organizations"`
}

GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how.

func (*GitHubAllowAuthenticationSpec) DeepCopy added in v0.31.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAllowAuthenticationSpec.

func (*GitHubAllowAuthenticationSpec) DeepCopyInto added in v0.31.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type GitHubAllowedAuthOrganizationsPolicy added in v0.31.0

type GitHubAllowedAuthOrganizationsPolicy string
const (
	// GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers means any GitHub user is allowed to log in using this identity
	// provider, regardless of their organization membership or lack thereof.
	GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers GitHubAllowedAuthOrganizationsPolicy = "AllGitHubUsers"

	// GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations means only those users with membership in
	// the listed GitHub organizations are allowed to log in.
	GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations GitHubAllowedAuthOrganizationsPolicy = "OnlyUsersFromAllowedOrganizations"
)

type GitHubClaims added in v0.31.0

type GitHubClaims struct {
	// Username configures which property of the GitHub user record shall determine the username in Kubernetes.
	//
	// Can be either "id", "login", or "login:id". Defaults to "login:id".
	//
	// GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens,
	// and may not start or end with hyphens. GitHub users are allowed to change their login name,
	// although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar",
	// then a second user might change their name from "baz" to "foo" in order to take the old
	// username of the first user. For this reason, it is not as safe to make authorization decisions
	// based only on the user's login attribute.
	//
	// If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
	// FederationDomain to further customize how these usernames are presented to Kubernetes.
	//
	// Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and
	// unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value
	// from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable
	// choice to concatenate the two values.
	//
	// See the response schema for
	// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
	//
	// +kubebuilder:default="login:id"
	// +kubebuilder:validation:Enum={"id","login","login:id"}
	// +optional
	Username *GitHubUsernameAttribute `json:"username"`

	// Groups configures which property of the GitHub team record shall determine the group names in Kubernetes.
	//
	// Can be either "name" or "slug". Defaults to "slug".
	//
	// GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!").
	//
	// GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins").
	//
	// Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a
	// forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters
	// or single hyphens, so the first forward slash `/` will be the separator between the organization login name and
	// the team name or slug.
	//
	// If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
	// FederationDomain to further customize how these group names are presented to Kubernetes.
	//
	// See the response schema for
	// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
	//
	// +kubebuilder:default=slug
	// +kubebuilder:validation:Enum=name;slug
	// +optional
	Groups *GitHubGroupNameAttribute `json:"groups"`
}

GitHubClaims allows customization of the username and groups claims.

func (*GitHubClaims) DeepCopy added in v0.31.0

func (in *GitHubClaims) DeepCopy() *GitHubClaims

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClaims.

func (*GitHubClaims) DeepCopyInto added in v0.31.0

func (in *GitHubClaims) DeepCopyInto(out *GitHubClaims)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type GitHubClientSpec added in v0.31.0

type GitHubClientSpec struct {
	// SecretName contains the name of a namespace-local Secret object that provides the clientID and
	// clientSecret for a GitHub App or GitHub OAuth2 client.
	//
	// This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
	//
	// +kubebuilder:validation:MinLength=1
	SecretName string `json:"secretName"`
}

GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows.

func (*GitHubClientSpec) DeepCopy added in v0.31.0

func (in *GitHubClientSpec) DeepCopy() *GitHubClientSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClientSpec.

func (*GitHubClientSpec) DeepCopyInto added in v0.31.0

func (in *GitHubClientSpec) DeepCopyInto(out *GitHubClientSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type GitHubGroupNameAttribute added in v0.31.0

type GitHubGroupNameAttribute string

GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group names to present to Kubernetes. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).

const (
	// GitHubUseTeamNameForGroupName specifies using the GitHub team's `name` attribute as the group name to present to Kubernetes.
	GitHubUseTeamNameForGroupName GitHubGroupNameAttribute = "name"

	// GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the group name to present to Kubernetes.
	GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug"
)

type GitHubIdentityProvider added in v0.31.0

type GitHubIdentityProvider struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec for configuring the identity provider.
	Spec GitHubIdentityProviderSpec `json:"spec"`

	// Status of the identity provider.
	Status GitHubIdentityProviderStatus `json:"status,omitempty"`
}

GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.

Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients.

+genclient +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.githubAPI.host` +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +kubebuilder:subresource:status

func (*GitHubIdentityProvider) DeepCopy added in v0.31.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider.

func (*GitHubIdentityProvider) DeepCopyInto added in v0.31.0

func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*GitHubIdentityProvider) DeepCopyObject added in v0.31.0

func (in *GitHubIdentityProvider) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type GitHubIdentityProviderList added in v0.31.0

type GitHubIdentityProviderList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	Items []GitHubIdentityProvider `json:"items"`
}

GitHubIdentityProviderList lists GitHubIdentityProvider objects.

+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

func (*GitHubIdentityProviderList) DeepCopy added in v0.31.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderList.

func (*GitHubIdentityProviderList) DeepCopyInto added in v0.31.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*GitHubIdentityProviderList) DeepCopyObject added in v0.31.0

func (in *GitHubIdentityProviderList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type GitHubIdentityProviderPhase added in v0.31.0

type GitHubIdentityProviderPhase string
const (
	// GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources.
	GitHubPhasePending GitHubIdentityProviderPhase = "Pending"

	// GitHubPhaseReady is the phase for a GitHubIdentityProvider resource in a healthy state.
	GitHubPhaseReady GitHubIdentityProviderPhase = "Ready"

	// GitHubPhaseError is the phase for a GitHubIdentityProvider in an unhealthy state.
	GitHubPhaseError GitHubIdentityProviderPhase = "Error"
)

type GitHubIdentityProviderSpec added in v0.31.0

type GitHubIdentityProviderSpec struct {
	// GitHubAPI allows configuration for GitHub Enterprise Server.
	//
	// +kubebuilder:default={}
	GitHubAPI GitHubAPIConfig `json:"githubAPI,omitempty"`

	// Claims allows customization of the username and groups claims.
	//
	// +kubebuilder:default={}
	Claims GitHubClaims `json:"claims,omitempty"`

	// AllowAuthentication allows customization of who can authenticate using this IDP and how.
	AllowAuthentication GitHubAllowAuthenticationSpec `json:"allowAuthentication"`

	// Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client).
	Client GitHubClientSpec `json:"client"`
}

GitHubIdentityProviderSpec is the spec for configuring a GitHub identity provider.

func (*GitHubIdentityProviderSpec) DeepCopy added in v0.31.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderSpec.

func (*GitHubIdentityProviderSpec) DeepCopyInto added in v0.31.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type GitHubIdentityProviderStatus added in v0.31.0

type GitHubIdentityProviderStatus struct {
	// Phase summarizes the overall status of the GitHubIdentityProvider.
	//
	// +kubebuilder:default=Pending
	// +kubebuilder:validation:Enum=Pending;Ready;Error
	Phase GitHubIdentityProviderPhase `json:"phase,omitempty"`

	// Conditions represents the observations of an identity provider's current state.
	//
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}

GitHubIdentityProviderStatus is the status of a GitHub identity provider.

func (*GitHubIdentityProviderStatus) DeepCopy added in v0.31.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderStatus.

func (*GitHubIdentityProviderStatus) DeepCopyInto added in v0.31.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type GitHubOrganizationsSpec added in v0.31.0

type GitHubOrganizationsSpec struct {
	// Policy must be set to "AllGitHubUsers" if allowed is empty.
	//
	// This field only exists to ensure that Pinniped administrators are aware that an empty list of
	// allowedOrganizations means all GitHub users are allowed to log in.
	//
	// +kubebuilder:default=OnlyUsersFromAllowedOrganizations
	// +kubebuilder:validation:Enum=OnlyUsersFromAllowedOrganizations;AllGitHubUsers
	// +optional
	Policy *GitHubAllowedAuthOrganizationsPolicy `json:"policy"`

	// Allowed, when specified, indicates that only users with membership in at least one of the listed
	// GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include
	// teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be
	// provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP.
	//
	// The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations,
	// otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams
	// within that organization.
	//
	// If no organizations are listed, you must set policy: AllGitHubUsers.
	//
	// +kubebuilder:validation:MaxItems=64
	// +listType=set
	// +optional
	Allowed []string `json:"allowed,omitempty"`
}
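
The policy/allowed pairing above exists to make the "empty list means everyone" case an explicit decision. The following Go program, added here as an illustration rather than code from the Pinniped project, checks that invariant the way an admission or CI policy would and then applies the documented login and team-filtering rules to a user's memberships. The struct names, the `Team` input shape, the case-insensitive organization comparison, and the "org/slug" group-name format are this example's own assumptions; the page does not state how the Supervisor names GitHub groups.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Illustrative mirror of the page's GitHubOrganizationsSpec (policy + allowed).
type GitHubOrganizationsSpec struct {
	Policy  string
	Allowed []string
}

const (
	PolicyOnlyAllowedOrgs = "OnlyUsersFromAllowedOrganizations"
	PolicyAllGitHubUsers  = "AllGitHubUsers"
)

// Team is a GitHub team the configured GitHub App can see, identified by its
// organization login and team slug (assumed input shape for this example).
type Team struct {
	Org  string
	Slug string
}

// effectivePolicy applies the kubebuilder default when policy is omitted.
func effectivePolicy(s GitHubOrganizationsSpec) string {
	if s.Policy == "" {
		return PolicyOnlyAllowedOrgs
	}
	return s.Policy
}

// validateOrganizations enforces the invariant the API comment states: an empty
// allowed list is accepted only when the administrator explicitly opted into
// AllGitHubUsers. It also applies the MaxItems=64 limit from the CRD schema.
func validateOrganizations(s GitHubOrganizationsSpec) error {
	switch p := effectivePolicy(s); p {
	case PolicyAllGitHubUsers:
		// Explicit opt-in: every GitHub user may log in.
	case PolicyOnlyAllowedOrgs:
		if len(s.Allowed) == 0 {
			return errors.New("organizations.allowed is empty: set organizations.policy to AllGitHubUsers if every GitHub user should be able to log in")
		}
	default:
		return fmt.Errorf("unknown organizations.policy %q", p)
	}
	if len(s.Allowed) > 64 {
		return errors.New("organizations.allowed may list at most 64 organizations")
	}
	return nil
}

// authorize decides whether the user may log in and which teams become
// Kubernetes groups. userOrgs and teams are only what the GitHub App is
// allowed to see; memberships the App cannot see never reach this function,
// which is why the API comment warns about App permissions.
func authorize(s GitHubOrganizationsSpec, userOrgs []string, teams []Team) (bool, []string) {
	if effectivePolicy(s) == PolicyAllGitHubUsers {
		return true, teamGroups(teams, nil)
	}
	allowed := map[string]bool{}
	for _, o := range s.Allowed {
		allowed[strings.ToLower(o)] = true // GitHub logins compare case-insensitively (example's choice)
	}
	member := false
	for _, o := range userOrgs {
		if allowed[strings.ToLower(o)] {
			member = true
			break
		}
	}
	if !member {
		return false, nil
	}
	return true, teamGroups(teams, allowed)
}

// teamGroups renders teams as "org/slug" group names (illustrative format),
// keeping only teams whose org is in the allowed set; a nil set keeps every team.
func teamGroups(teams []Team, allowed map[string]bool) []string {
	var groups []string
	for _, t := range teams {
		if allowed != nil && !allowed[strings.ToLower(t.Org)] {
			continue
		}
		groups = append(groups, t.Org+"/"+t.Slug)
	}
	return groups
}

func main() {
	// Constructed sample: only members of "acme" may log in.
	spec := GitHubOrganizationsSpec{Allowed: []string{"acme"}}
	fmt.Println(validateOrganizations(spec))
	ok, groups := authorize(spec, []string{"acme", "other"}, []Team{{"acme", "platform"}, {"other", "ops"}})
	fmt.Println(ok, groups)
}
```

Note that the user above is also a member of "other", yet only "acme/platform" survives: teams outside the allowed organizations never become Kubernetes groups, so RoleBindings cannot accidentally match them.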

func (*GitHubOrganizationsSpec) DeepCopy added in v0.31.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubOrganizationsSpec.

func (*GitHubOrganizationsSpec) DeepCopyInto added in v0.31.0

func (in *GitHubOrganizationsSpec) DeepCopyInto(out *GitHubOrganizationsSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type GitHubUsernameAttribute added in v0.31.0

type GitHubUsernameAttribute string

GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present to Kubernetes. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).

const (
	// GitHubUsernameID specifies using the `id` attribute from the GitHub user for the username to present to Kubernetes.
	GitHubUsernameID GitHubUsernameAttribute = "id"

	// GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the username to present to Kubernetes.
	GitHubUsernameLogin GitHubUsernameAttribute = "login"

	// GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the
	// username to present to Kubernetes, separated by a colon. Example: "my-login:1234"
	GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id"
)

type LDAPIdentityProvider added in v0.9.0

type LDAPIdentityProvider struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec for configuring the identity provider.
	Spec LDAPIdentityProviderSpec `json:"spec"`

	// Status of the identity provider.
	Status LDAPIdentityProviderStatus `json:"status,omitempty"`
}

LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access Protocol (LDAP) identity provider. +genclient +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.host` +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +kubebuilder:subresource:status

func (*LDAPIdentityProvider) DeepCopy added in v0.9.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProvider.

func (*LDAPIdentityProvider) DeepCopyInto added in v0.9.0

func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*LDAPIdentityProvider) DeepCopyObject added in v0.9.0

func (in *LDAPIdentityProvider) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type LDAPIdentityProviderBind added in v0.9.0

type LDAPIdentityProviderBind struct {
	// SecretName contains the name of a namespace-local Secret object that provides the username and
	// password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be
	// of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value
	// should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
	// The password must be non-empty.
	// +kubebuilder:validation:MinLength=1
	SecretName string `json:"secretName"`
}

func (*LDAPIdentityProviderBind) DeepCopy added in v0.9.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderBind.

func (*LDAPIdentityProviderBind) DeepCopyInto added in v0.9.0

func (in *LDAPIdentityProviderBind) DeepCopyInto(out *LDAPIdentityProviderBind)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type LDAPIdentityProviderGroupSearch added in v0.9.0

type LDAPIdentityProviderGroupSearch struct {
	// Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
	// "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and
	// authenticated users will not belong to any groups from the LDAP provider. Also, when not specified,
	// the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored.
	// +optional
	Base string `json:"base,omitempty"`

	// Filter is the LDAP search filter which should be applied when searching for groups for a user.
	// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
	// value of an attribute of the user entry found as a result of the user search. Which attribute's
	// value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
	// For more information about LDAP filters, see https://ldap.com/ldap-filters.
	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
	// Optional. When not specified, the default will act as if the Filter were specified as "member={}".
	// +optional
	Filter string `json:"filter,omitempty"`

	// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
	// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
	// For example, specifying "uid" as the UserAttributeForFilter while specifying
	// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
	// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
	// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
	// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
	// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
	// +optional
	UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`

	// Attributes specifies how the group's information should be read from each LDAP entry which was found as
	// the result of the group search.
	// +optional
	Attributes LDAPIdentityProviderGroupSearchAttributes `json:"attributes,omitempty"`

	// The user's group membership is refreshed as they interact with the supervisor
	// to obtain new credentials (as their old credentials expire).  This allows group
	// membership changes to be quickly reflected into Kubernetes clusters.  Since
	// group membership is often used to bind authorization policies, it is important
	// to keep the groups observed in Kubernetes clusters in-sync with the identity
	// provider.
	//
	// In some environments, frequent group membership queries may result in a
	// significant performance impact on the identity provider and/or the supervisor.
	// The best approach to handle performance impacts is to tweak the group query
	// to be more performant, for example by disabling nested group search or by
	// using a more targeted group search base.
	//
	// If the group search query cannot be made performant and you are willing to
	// have group memberships remain static for approximately a day, then set
	// skipGroupRefresh to true.  This is an insecure configuration as authorization
	// policies that are bound to group membership will not notice if a user has
	// been removed from a particular group until their next login.
	//
	// This is an experimental feature that may be removed or significantly altered
	// in the future.  Consumers of this configuration should carefully read all
	// release notes before upgrading to ensure that the meaning of this field has
	// not changed.
	SkipGroupRefresh bool `json:"skipGroupRefresh,omitempty"`
}

func (*LDAPIdentityProviderGroupSearch) DeepCopy added in v0.9.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderGroupSearch.

func (*LDAPIdentityProviderGroupSearch) DeepCopyInto added in v0.9.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type LDAPIdentityProviderGroupSearchAttributes added in v0.9.0

type LDAPIdentityProviderGroupSearchAttributes struct {
	// GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name
	// in the user's list of groups after a successful authentication.
	// The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
	// server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn".
	// Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name).
	// +optional
	GroupName string `json:"groupName,omitempty"`
}

func (*LDAPIdentityProviderGroupSearchAttributes) DeepCopy added in v0.9.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderGroupSearchAttributes.

func (*LDAPIdentityProviderGroupSearchAttributes) DeepCopyInto added in v0.9.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type LDAPIdentityProviderList added in v0.9.0

type LDAPIdentityProviderList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	Items []LDAPIdentityProvider `json:"items"`
}

List of LDAPIdentityProvider objects. +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

func (*LDAPIdentityProviderList) DeepCopy added in v0.9.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderList.

func (*LDAPIdentityProviderList) DeepCopyInto added in v0.9.0

func (in *LDAPIdentityProviderList) DeepCopyInto(out *LDAPIdentityProviderList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*LDAPIdentityProviderList) DeepCopyObject added in v0.9.0

func (in *LDAPIdentityProviderList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type LDAPIdentityProviderPhase added in v0.9.0

type LDAPIdentityProviderPhase string

const (
	// LDAPPhasePending is the default phase for newly-created LDAPIdentityProvider resources.
	LDAPPhasePending LDAPIdentityProviderPhase = "Pending"

	// LDAPPhaseReady is the phase for an LDAPIdentityProvider resource in a healthy state.
	LDAPPhaseReady LDAPIdentityProviderPhase = "Ready"

	// LDAPPhaseError is the phase for an LDAPIdentityProvider in an unhealthy state.
	LDAPPhaseError LDAPIdentityProviderPhase = "Error"
)

type LDAPIdentityProviderSpec added in v0.9.0

type LDAPIdentityProviderSpec struct {
	// Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636.
	// +kubebuilder:validation:MinLength=1
	Host string `json:"host"`

	// TLS contains the connection settings for how to establish the connection to the Host.
	TLS *TLSSpec `json:"tls,omitempty"`

	// Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server
	// to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
	Bind LDAPIdentityProviderBind `json:"bind,omitempty"`

	// UserSearch contains the configuration for searching for a user by name in the LDAP provider.
	UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"`

	// GroupSearch contains the configuration for searching for a user's group membership in the LDAP provider.
	GroupSearch LDAPIdentityProviderGroupSearch `json:"groupSearch,omitempty"`
}

Spec for configuring an LDAP identity provider.

func (*LDAPIdentityProviderSpec) DeepCopy added in v0.9.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderSpec.

func (*LDAPIdentityProviderSpec) DeepCopyInto added in v0.9.0

func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type LDAPIdentityProviderStatus added in v0.9.0

type LDAPIdentityProviderStatus struct {
	// Phase summarizes the overall status of the LDAPIdentityProvider.
	// +kubebuilder:default=Pending
	// +kubebuilder:validation:Enum=Pending;Ready;Error
	Phase LDAPIdentityProviderPhase `json:"phase,omitempty"`

	// Represents the observations of an identity provider's current state.
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}

Status of an LDAP identity provider.

func (*LDAPIdentityProviderStatus) DeepCopy added in v0.9.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderStatus.

func (*LDAPIdentityProviderStatus) DeepCopyInto added in v0.9.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type LDAPIdentityProviderUserSearch added in v0.9.0

type LDAPIdentityProviderUserSearch struct {
	// Base is the dn (distinguished name) that should be used as the search base when searching for users.
	// E.g. "ou=users,dc=example,dc=com".
	// +kubebuilder:validation:MinLength=1
	Base string `json:"base,omitempty"`

	// Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur
	// in the filter at least once and will be dynamically replaced by the username for which the search is being run.
	// E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see
	// https://ldap.com/ldap-filters.
	// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
	// Optional. When not specified, the default will act as if the Filter were specified as the value from
	// Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be
	// explicitly specified, since the default value of "dn={}" would not work.
	// +optional
	Filter string `json:"filter,omitempty"`

	// Attributes specifies how the user's information should be read from the LDAP entry which was found as
	// the result of the user search.
	// +optional
	Attributes LDAPIdentityProviderUserSearchAttributes `json:"attributes,omitempty"`
}
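
Both the user search (this type) and the group search (LDAPIdentityProviderGroupSearch above) work by substituting a value into a "{}" placeholder, and the substituted value is attacker-controlled in the user case: it is whatever the person typed at the login prompt. The Go program below, added here as an illustration and not code from the Pinniped project, shows the substitution with the documented defaults (attributes.username + "={}" for users, "member={}" and "dn" for groups), the refusal of the "dn" default, and the RFC 4515 escaping that keeps a value such as `*)(uid=*` from rewriting the filter. The reduced struct types, the `userEntry` map with the DN under the key "dn", and the wrapping of unparenthesized filters in "(...)" are this example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Illustrative mirrors of the page's LDAPIdentityProviderUserSearch and
// LDAPIdentityProviderGroupSearch, reduced to the fields used here.
type UserSearch struct {
	Filter   string // userSearch.filter
	Username string // userSearch.attributes.username
}

type GroupSearch struct {
	Base                   string // groupSearch.base
	Filter                 string // groupSearch.filter
	UserAttributeForFilter string // groupSearch.userAttributeForFilter
}

// escapeFilterValue escapes an assertion value as RFC 4515 section 3 requires
// ('*', '(', ')', '\' and NUL become \XX), so a value such as "*)(uid=*"
// cannot alter the structure of the filter it is substituted into.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '\\', '*', '(', ')', 0:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// substitute replaces every "{}" placeholder with the escaped value and wraps
// the result in parentheses when the configured filter omits them, as the
// documented examples ("mail={}", "&(objectClass=person)(uid={})") do.
func substitute(filter, value string) (string, error) {
	if !strings.Contains(filter, "{}") {
		return "", fmt.Errorf("filter %q must contain the {} placeholder at least once", filter)
	}
	f := strings.ReplaceAll(filter, "{}", escapeFilterValue(value))
	if !strings.HasPrefix(f, "(") {
		f = "(" + f + ")"
	}
	return f, nil
}

// userFilter builds the user-search filter for a login attempt, applying the
// documented default of attributes.username + "={}" when filter is blank and
// refusing the "dn" case, for which no default can work.
func userFilter(s UserSearch, username string) (string, error) {
	filter := s.Filter
	if filter == "" {
		if s.Username == "" || s.Username == "dn" {
			return "", errors.New(`userSearch.filter must be set explicitly when attributes.username is "dn"`)
		}
		filter = s.Username + "={}"
	}
	return substitute(filter, username)
}

// groupFilter builds the group-search filter from the attributes of the user
// entry found by the user search. userEntry maps attribute names to values,
// with the entry's DN stored under "dn" (the default userAttributeForFilter).
// An empty base disables the group search entirely, as the API documents.
func groupFilter(s GroupSearch, userEntry map[string]string) (string, error) {
	if s.Base == "" {
		return "", nil
	}
	filter := s.Filter
	if filter == "" {
		filter = "member={}"
	}
	attr := s.UserAttributeForFilter
	if attr == "" {
		attr = "dn"
	}
	value, ok := userEntry[attr]
	if !ok || value == "" {
		return "", fmt.Errorf("user entry has no value for userAttributeForFilter %q", attr)
	}
	return substitute(filter, value)
}

func main() {
	// Constructed inputs: a posixGroup-style configuration and a hostile username.
	u := UserSearch{Filter: "&(objectClass=person)(uid={})", Username: "uid"}
	g := GroupSearch{Base: "ou=groups,dc=example,dc=com", Filter: "&(objectClass=posixGroup)(memberUid={})", UserAttributeForFilter: "uid"}
	uf, err := userFilter(u, "*)(uid=*")
	fmt.Println(uf, err)
	gf, err := groupFilter(g, map[string]string{"uid": "alice", "dn": "uid=alice,ou=users,dc=example,dc=com"})
	fmt.Println(gf, err)
}
```

Without the escaping step the hostile username would turn `(&(objectClass=person)(uid={}))` into a filter that matches every person entry; with it, the search asks for a literal uid of `*)(uid=*` and finds nothing.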

func (*LDAPIdentityProviderUserSearch) DeepCopy added in v0.9.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderUserSearch.

func (*LDAPIdentityProviderUserSearch) DeepCopyInto added in v0.9.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type LDAPIdentityProviderUserSearchAttributes added in v0.9.0

type LDAPIdentityProviderUserSearchAttributes struct {
	// Username specifies the name of the attribute in the LDAP entry whose value shall become the username
	// of the user after a successful authentication. This would typically be the same attribute name used in
	// the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName".
	// The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
	// server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field
	// is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default
	// value of "dn={}" would not work.
	// +kubebuilder:validation:MinLength=1
	Username string `json:"username,omitempty"`

	// UID specifies the name of the attribute in the LDAP entry whose value shall be used to uniquely
	// identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID".
	// The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
	// server in the user's entry. Distinguished names can be used by specifying lower-case "dn".
	// +kubebuilder:validation:MinLength=1
	UID string `json:"uid,omitempty"`
}

func (*LDAPIdentityProviderUserSearchAttributes) DeepCopy added in v0.9.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderUserSearchAttributes.

func (*LDAPIdentityProviderUserSearchAttributes) DeepCopyInto added in v0.9.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type OIDCAuthorizationConfig

type OIDCAuthorizationConfig struct {
	// additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization
	// request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials
	// Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is
	// always required according to the OIDC spec. By default, when this field is not set, the Supervisor will request
	// the following scopes: "openid", "offline_access", "email", and "profile". See
	// https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the "profile" and "email"
	// scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the
	// "offline_access" scope. This default value may change in future versions of Pinniped as the standard evolves,
	// or as common patterns used by providers who implement the standard in the ecosystem evolve.
	// By setting this list to anything other than an empty list, you are overriding the
	// default value, so you may wish to include some of "offline_access", "email", and "profile" in your override list.
	// If you do not want any of these scopes to be requested, you may set this list to contain only "openid".
	// Some OIDC providers may also require a scope to get access to the user's group membership, in which case you
	// may wish to include it in this list. Sometimes the scope to request the user's group membership is called
	// "groups", but unfortunately this is not specified in the OIDC standard.
	// Generally speaking, you should include any scopes required to cause the appropriate claims to be returned by
	// your OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in
	// the oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See
	// your OIDC provider's documentation for more information about what scopes are available to request claims.
	// Additionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor
	// from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be
	// "offline_access". See the documentation of your OIDC provider's authorization and token endpoints for its
	// requirements for what to include in the request in order to receive a refresh token in the response, if anything.
	// Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider
	// may ignore scopes that it does not understand or require (see
	// https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the
	// "offline_access" scope, then you must override the default value of this setting. This is required if your OIDC
	// provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider).
	// +optional
	AdditionalScopes []string `json:"additionalScopes,omitempty"`

	// additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your
	// OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra
	// parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id",
	// "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be
	// included in this setting. Additionally, the "hd" parameter cannot be included in this setting at this time.
	// The "hd" parameter is used by Google's OIDC provider to provide a hint as to which "hosted domain" the user
	// should use during login. However, Pinniped does not yet support validating the hosted domain in the resulting
	// ID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped.
	// This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password
	// Credentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the
	// Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt"
	// parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's
	// authorization endpoint for its requirements for what to include in the request in order to receive a refresh
	// token in the response, if anything. If your provider requires the prompt parameter to request a refresh token,
	// then include it here. Also note that most providers also require a certain scope to be requested in order to
	// receive refresh tokens. See the additionalScopes setting for more information about using scopes to request
	// refresh tokens.
	// +optional
	// +patchMergeKey=name
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=name
	AdditionalAuthorizeParameters []Parameter `json:"additionalAuthorizeParameters,omitempty"`

	// allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant
	// (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a
	// username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow.
	// The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be
	// supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password
	// Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose
	// to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the
	// cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be
	// convenient for users, especially for identities from your OIDC provider which are not intended to represent a human
	// actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it,
	// you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this
	// OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password
	// Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords
	// (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other
	// web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins.
	// allowPasswordGrant defaults to false.
	// +optional
	AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"`
}

OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization request parameters.
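
The scope and parameter rules above are easy to get subtly wrong (dropping "openid", overriding "redirect_uri", or sending the unsupported "hd" hint). The following Go program, added here as an illustration and not code from the Pinniped project, computes the scope set exactly as the comment describes and builds the authorization-request query while rejecting the reserved parameter names. The mirrored struct types are reduced to what is used here, the `Parameter` value field is assumed to be named `Value`, and state, nonce and the PKCE code_challenge are taken as inputs so the function stays deterministic.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Illustrative mirrors of the page's Parameter and OIDCAuthorizationConfig types.
type Parameter struct {
	Name  string
	Value string // assumed field name; the page's Parameter type is cut off after Name
}

type OIDCAuthorizationConfig struct {
	AdditionalScopes              []string
	AdditionalAuthorizeParameters []Parameter
	AllowPasswordGrant            bool
}

// defaultScopes is what the API comment says is requested when additionalScopes is unset.
var defaultScopes = []string{"openid", "offline_access", "email", "profile"}

// reservedAuthorizeParams lists the parameters the Supervisor always sets itself,
// plus "hd", which the API comment says cannot be supplied yet.
var reservedAuthorizeParams = map[string]bool{
	"response_type": true, "scope": true, "client_id": true, "state": true,
	"nonce": true, "code_challenge": true, "code_challenge_method": true,
	"redirect_uri": true, "hd": true,
}

// requestedScopes returns the documented default when additionalScopes is
// empty, otherwise "openid" followed by the configured scopes, de-duplicated
// and in configuration order. Setting the list to only "openid" therefore
// drops offline_access, email and profile, as the comment warns.
func requestedScopes(cfg OIDCAuthorizationConfig) []string {
	if len(cfg.AdditionalScopes) == 0 {
		return append([]string(nil), defaultScopes...)
	}
	seen := map[string]bool{"openid": true}
	scopes := []string{"openid"}
	for _, s := range cfg.AdditionalScopes {
		if !seen[s] {
			seen[s] = true
			scopes = append(scopes, s)
		}
	}
	return scopes
}

// validateAuthorizeParameters rejects empty names, names that collide with the
// standard parameters or "hd", and duplicates (the CRD keys the list by name).
func validateAuthorizeParameters(cfg OIDCAuthorizationConfig) error {
	seen := map[string]bool{}
	for _, p := range cfg.AdditionalAuthorizeParameters {
		if p.Name == "" {
			return fmt.Errorf("additionalAuthorizeParameters entry has an empty name")
		}
		if reservedAuthorizeParams[p.Name] {
			return fmt.Errorf("additionalAuthorizeParameters may not set %q", p.Name)
		}
		if seen[p.Name] {
			return fmt.Errorf("additionalAuthorizeParameters lists %q twice", p.Name)
		}
		seen[p.Name] = true
	}
	return nil
}

// authorizeQuery assembles the query for the Authorization Code Flow request:
// the standard parameters first, then the validated extras such as "prompt".
func authorizeQuery(cfg OIDCAuthorizationConfig, clientID, redirectURI, state, nonce, codeChallenge string) (url.Values, error) {
	if err := validateAuthorizeParameters(cfg); err != nil {
		return nil, err
	}
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", strings.Join(requestedScopes(cfg), " "))
	q.Set("state", state)
	q.Set("nonce", nonce)
	q.Set("code_challenge", codeChallenge)
	q.Set("code_challenge_method", "S256")
	for _, p := range cfg.AdditionalAuthorizeParameters {
		q.Set(p.Name, p.Value)
	}
	return q, nil
}

func main() {
	// Constructed sample: a provider that needs a "groups" scope and prompt=consent for refresh tokens.
	cfg := OIDCAuthorizationConfig{
		AdditionalScopes:              []string{"openid", "offline_access", "groups"},
		AdditionalAuthorizeParameters: []Parameter{{Name: "prompt", Value: "consent"}},
	}
	q, err := authorizeQuery(cfg, "my-client-id", "https://supervisor.example.com/callback", "state-value", "nonce-value", "challenge-value")
	fmt.Println(q.Encode(), err)
}
```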

func (*OIDCAuthorizationConfig) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCAuthorizationConfig.

func (*OIDCAuthorizationConfig) DeepCopyInto

func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type OIDCClaims

type OIDCClaims struct {
	// Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain
	// the groups to which an identity belongs. By default, the identities will not include any group memberships when
	// this setting is not configured.
	// +optional
	Groups string `json:"groups"`

	// Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to
	// ascertain an identity's username. When not set, the username will be an automatically constructed unique string
	// which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from
	// the ID token.
	// +optional
	Username string `json:"username"`

	// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
	// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
	// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
	// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
	// OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients.
	// This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be
	// used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims
	// are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
	// +optional
	AdditionalClaimMappings map[string]string `json:"additionalClaimMappings,omitempty"`
}

OIDCClaims provides a mapping from upstream claims into identities.
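
The mapping above has two failure modes worth handling deliberately: a configured username claim that is absent (the login must fail rather than fall back to something weaker) and a groups claim that arrives in an unexpected shape (it drives authorization, so it should be rejected, not silently emptied). The following Go program, added here as an illustration and not code from the Pinniped project, resolves an identity from the merged ID-token and userinfo claims under those rules and applies additionalClaimMappings, omitting "additionalClaims" when nothing maps. The default username format issuer + "?sub=" + sub is this example's choice; the page only promises a unique string containing both values.

```go
package main

import (
	"errors"
	"fmt"
)

// Illustrative mirror of the page's OIDCClaims type.
type OIDCClaims struct {
	Groups                  string
	Username                string
	AdditionalClaimMappings map[string]string
}

// Identity is what this example derives from the upstream claims.
type Identity struct {
	Username         string
	Groups           []string
	AdditionalClaims map[string]any // nil when nothing mapped, so the claim is omitted
}

// resolveIdentity maps upstream claims (decoded from JSON, ID token and
// userinfo merged) to a username, groups and additional claims.
func resolveIdentity(cfg OIDCClaims, issuer string, claims map[string]any) (Identity, error) {
	var id Identity

	sub, _ := claims["sub"].(string)
	if sub == "" {
		return id, errors.New(`upstream claims are missing the required "sub" claim`)
	}
	if cfg.Username == "" {
		// Assumed format for the documented "automatically constructed unique string".
		id.Username = issuer + "?sub=" + sub
	} else {
		v, ok := claims[cfg.Username].(string)
		if !ok || v == "" {
			return id, fmt.Errorf("configured username claim %q is missing or not a non-empty string", cfg.Username)
		}
		id.Username = v
	}

	// No groups claim configured means no group memberships, as documented.
	if cfg.Groups != "" {
		groups, err := stringList(claims[cfg.Groups])
		if err != nil {
			return id, fmt.Errorf("groups claim %q: %w", cfg.Groups, err)
		}
		id.Groups = groups
	}

	// Keys are the new claim names, values the upstream names; unavailable
	// upstream claims are skipped so an absent map leaves AdditionalClaims nil.
	for newName, upstreamName := range cfg.AdditionalClaimMappings {
		if v, ok := claims[upstreamName]; ok {
			if id.AdditionalClaims == nil {
				id.AdditionalClaims = map[string]any{}
			}
			id.AdditionalClaims[newName] = v
		}
	}
	return id, nil
}

// stringList accepts the shapes providers use for a groups claim: absent (no
// groups), a single string, or a JSON array of strings. Anything else is an
// error rather than an empty list, because groups feed authorization decisions.
func stringList(v any) ([]string, error) {
	switch g := v.(type) {
	case nil:
		return nil, nil
	case string:
		return []string{g}, nil
	case []any:
		out := make([]string, 0, len(g))
		for _, e := range g {
			s, ok := e.(string)
			if !ok {
				return nil, fmt.Errorf("non-string group entry %v", e)
			}
			out = append(out, s)
		}
		return out, nil
	default:
		return nil, fmt.Errorf("unexpected type %T", v)
	}
}

func main() {
	// Constructed sample claims, as a JSON decoder would produce them.
	claims := map[string]any{"sub": "abc123", "email": "alice@example.com", "groups": []any{"dev", "ops"}}
	id, err := resolveIdentity(OIDCClaims{Username: "email", Groups: "groups"}, "https://issuer.example.com", claims)
	fmt.Printf("%+v %v\n", id, err)
}
```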

func (*OIDCClaims) DeepCopy

func (in *OIDCClaims) DeepCopy() *OIDCClaims

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClaims.

func (*OIDCClaims) DeepCopyInto

func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type OIDCClient

type OIDCClient struct {
	// SecretName contains the name of a namespace-local Secret object that provides the clientID and
	// clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient
	// struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" with keys
	// "clientID" and "clientSecret".
	SecretName string `json:"secretName"`
}

OIDCClient contains information about an OIDC client (e.g., client ID and client secret).

func (*OIDCClient) DeepCopy

func (in *OIDCClient) DeepCopy() *OIDCClient

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient.

func (*OIDCClient) DeepCopyInto

func (in *OIDCClient) DeepCopyInto(out *OIDCClient)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type OIDCIdentityProvider

type OIDCIdentityProvider struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec for configuring the identity provider.
	Spec OIDCIdentityProviderSpec `json:"spec"`

	// Status of the identity provider.
	Status OIDCIdentityProviderStatus `json:"status,omitempty"`
}

OIDCIdentityProvider describes the configuration of an upstream OpenID Connect identity provider. +genclient +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer` +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +kubebuilder:subresource:status

func (*OIDCIdentityProvider) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCIdentityProvider.

func (*OIDCIdentityProvider) DeepCopyInto

func (in *OIDCIdentityProvider) DeepCopyInto(out *OIDCIdentityProvider)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*OIDCIdentityProvider) DeepCopyObject

func (in *OIDCIdentityProvider) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type OIDCIdentityProviderList

type OIDCIdentityProviderList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	Items []OIDCIdentityProvider `json:"items"`
}

OIDCIdentityProviderList lists OIDCIdentityProvider objects. +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

func (*OIDCIdentityProviderList) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCIdentityProviderList.

func (*OIDCIdentityProviderList) DeepCopyInto

func (in *OIDCIdentityProviderList) DeepCopyInto(out *OIDCIdentityProviderList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*OIDCIdentityProviderList) DeepCopyObject

func (in *OIDCIdentityProviderList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type OIDCIdentityProviderPhase

type OIDCIdentityProviderPhase string

const (
	// PhasePending is the default phase for newly-created OIDCIdentityProvider resources.
	PhasePending OIDCIdentityProviderPhase = "Pending"

	// PhaseReady is the phase for an OIDCIdentityProvider resource in a healthy state.
	PhaseReady OIDCIdentityProviderPhase = "Ready"

	// PhaseError is the phase for an OIDCIdentityProvider in an unhealthy state.
	PhaseError OIDCIdentityProviderPhase = "Error"
)

type OIDCIdentityProviderSpec

type OIDCIdentityProviderSpec struct {
	// Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch
	// /.well-known/openid-configuration.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Pattern=`^https://`
	Issuer string `json:"issuer"`

	// TLS configuration for discovery/JWKS requests to the issuer.
	// +optional
	TLS *TLSSpec `json:"tls,omitempty"`

	// AuthorizationConfig holds information about how to form the OAuth2 authorization request
	// parameters to be used with this OIDC identity provider.
	// +optional
	AuthorizationConfig OIDCAuthorizationConfig `json:"authorizationConfig,omitempty"`

	// Claims provides the names of token claims that will be used when inspecting an identity from
	// this OIDC identity provider.
	// +optional
	Claims OIDCClaims `json:"claims"`

	// OIDCClient contains OIDC client information to be used with this OIDC identity
	// provider.
	Client OIDCClient `json:"client"`
}

OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider.

func (*OIDCIdentityProviderSpec) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCIdentityProviderSpec.

func (*OIDCIdentityProviderSpec) DeepCopyInto

func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type OIDCIdentityProviderStatus

type OIDCIdentityProviderStatus struct {
	// Phase summarizes the overall status of the OIDCIdentityProvider.
	// +kubebuilder:default=Pending
	// +kubebuilder:validation:Enum=Pending;Ready;Error
	Phase OIDCIdentityProviderPhase `json:"phase,omitempty"`

	// Represents the observations of an identity provider's current state.
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}

OIDCIdentityProviderStatus is the status of an OIDC identity provider.

func (*OIDCIdentityProviderStatus) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCIdentityProviderStatus.

func (*OIDCIdentityProviderStatus) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Parameter added in v0.13.0

type Parameter struct {
	// The name of the parameter. Required.
	// +kubebuilder:validation:MinLength=1
	Name string `json:"name"`

	// The value of the parameter.
	// +optional
	Value string `json:"value,omitempty"`
}

Parameter is a key/value pair which represents a parameter in an HTTP request.

func (*Parameter) DeepCopy added in v0.13.0

func (in *Parameter) DeepCopy() *Parameter

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Parameter.

func (*Parameter) DeepCopyInto added in v0.13.0

func (in *Parameter) DeepCopyInto(out *Parameter)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type TLSSpec

type TLSSpec struct {
	// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
	// +optional
	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
}

TLSSpec provides TLS configuration for identity provider integration.
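The two spec fields above carry the constraints a defender cares most about: Issuer is validated by the `+kubebuilder:validation:Pattern` marker to start with `https://` (so discovery and JWKS are never fetched over plain HTTP), and `certificateAuthorityData` is a base64-encoded PEM bundle that, when omitted, falls back to the system roots. The following is an added example, not code from the Pinniped project, that mirrors those semantics in plain Go so they can be checked before an object is admitted. It uses a reduced local copy of `OIDCIdentityProviderSpec` and `TLSSpec` (only the two fields discussed, since the real types depend on apimachinery); the function names `validateSpec`, `certPoolForTLS` and `newConstructedCABase64` are this example's own, and the self-signed CA it generates is constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// Reduced local mirror of the two spec fields this example checks; not the real
// idp.supervisor.pinniped.dev types, which need the apimachinery dependencies.
type TLSSpec struct {
	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
}

type OIDCIdentityProviderSpec struct {
	Issuer string   `json:"issuer"`
	TLS    *TLSSpec `json:"tls,omitempty"`
}

// httpsIssuer is the +kubebuilder:validation:Pattern on Issuer; any match is
// already longer than MinLength=1, so that marker is covered as well.
var httpsIssuer = regexp.MustCompile(`^https://`)

// validateSpec applies the Issuer constraint and, when a CA bundle is given,
// checks that the bundle decodes before the object would be accepted.
func validateSpec(spec OIDCIdentityProviderSpec) error {
	if !httpsIssuer.MatchString(spec.Issuer) {
		return fmt.Errorf("issuer %q: must start with https:// (plain-http discovery is rejected)", spec.Issuer)
	}
	_, _, err := certPoolForTLS(spec.TLS)
	return err
}

// certPoolForTLS follows the documented semantics: no TLS section (or an empty
// bundle) trusts the system roots, otherwise only the bundle is trusted.
// fromBundle is the number of certificates taken from the bundle (0 when the
// system roots are in use). Unlike x509.CertPool.AppendCertsFromPEM, which
// silently skips junk and non-certificate blocks, every block must be a
// CERTIFICATE that parses, because a config field should fail loudly.
func certPoolForTLS(tls *TLSSpec) (pool *x509.CertPool, fromBundle int, err error) {
	if tls == nil || tls.CertificateAuthorityData == "" {
		pool, err = x509.SystemCertPool()
		return pool, 0, err
	}
	raw, err := base64.StdEncoding.DecodeString(tls.CertificateAuthorityData)
	if err != nil {
		return nil, 0, fmt.Errorf("certificateAuthorityData: not base64: %w", err)
	}
	pool = x509.NewCertPool()
	for block, rest := pem.Decode(raw); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			return nil, 0, fmt.Errorf("certificateAuthorityData: unexpected %q block", block.Type)
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, 0, fmt.Errorf("certificateAuthorityData: %w", err)
		}
		pool.AddCert(c)
		fromBundle++
	}
	if fromBundle == 0 {
		return nil, 0, fmt.Errorf("certificateAuthorityData: no CERTIFICATE blocks found")
	}
	return pool, fromBundle, nil
}

// newConstructedCABase64 makes a throwaway self-signed CA in exactly the form the
// field expects (base64 of a PEM bundle). Constructed sample data for this example.
func newConstructedCABase64() (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed-idp-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}
```

The strict PEM loop is the deliberate design choice here: a bundle that is valid base64 but contains no certificate, or that carries a private-key block pasted in by mistake, is rejected instead of quietly producing an empty or oversized trust store.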

func (*TLSSpec) DeepCopy

func (in *TLSSpec) DeepCopy() *TLSSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSSpec.

func (*TLSSpec) DeepCopyInto

func (in *TLSSpec) DeepCopyInto(out *TLSSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
