Documentation
¶
Overview ¶
Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor configuration API.
Index ¶
- Constants
- Variables
- func Resource(resource string) schema.GroupResource
- type FederationDomain
- type FederationDomainIdentityProvider
- type FederationDomainList
- type FederationDomainPhase
- type FederationDomainSecrets
- type FederationDomainSpec
- type FederationDomainStatus
- type FederationDomainTLSSpec
- type FederationDomainTransforms
- type FederationDomainTransformsConstant
- type FederationDomainTransformsExample
- type FederationDomainTransformsExampleExpects
- type FederationDomainTransformsExpression
- type GrantType
- type OIDCClient
- type OIDCClientList
- type OIDCClientPhase
- type OIDCClientSpec
- type OIDCClientStatus
- type OIDCClientTokenLifetimes
- type RedirectURI
- type Scope
Constants ¶
const GroupName = "config.supervisor.pinniped.dev"
Variables ¶
var ( SchemeBuilder runtime.SchemeBuilder AddToScheme = localSchemeBuilder.AddToScheme )
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
SchemeGroupVersion is group version used to register these objects.
Functions ¶
func Resource ¶
func Resource(resource string) schema.GroupResource
Resource takes an unqualified resource and returns a Group qualified GroupResource.
Types ¶
type FederationDomain ¶
type FederationDomain struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec of the OIDC provider.
Spec FederationDomainSpec `json:"spec"`
// Status of the OIDC provider.
Status FederationDomainStatus `json:"status,omitempty"`
}
FederationDomain describes the configuration of an OIDC provider. +genclient +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +kubebuilder:resource:categories=pinniped +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer` +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +kubebuilder:subresource:status
func (*FederationDomain) DeepCopy ¶
func (in *FederationDomain) DeepCopy() *FederationDomain
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomain.
func (*FederationDomain) DeepCopyInto ¶
func (in *FederationDomain) DeepCopyInto(out *FederationDomain)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*FederationDomain) DeepCopyObject ¶
func (in *FederationDomain) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type FederationDomainIdentityProvider ¶ added in v0.26.0
type FederationDomainIdentityProvider struct {
// DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the
// kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a
// disruptive change for those users.
// +kubebuilder:validation:MinLength=1
DisplayName string `json:"displayName"`
// ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required.
// If the reference cannot be resolved then the identity provider will not be made available.
// Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider,
// LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
ObjectRef corev1.TypedLocalObjectReference `json:"objectRef"`
// Transforms is an optional way to specify transformations to be applied during user authentication and
// session refresh.
// +optional
Transforms FederationDomainTransforms `json:"transforms,omitempty"`
}
FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
func (*FederationDomainIdentityProvider) DeepCopy ¶ added in v0.26.0
func (in *FederationDomainIdentityProvider) DeepCopy() *FederationDomainIdentityProvider
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainIdentityProvider.
func (*FederationDomainIdentityProvider) DeepCopyInto ¶ added in v0.26.0
func (in *FederationDomainIdentityProvider) DeepCopyInto(out *FederationDomainIdentityProvider)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FederationDomainList ¶
type FederationDomainList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []FederationDomain `json:"items"`
}
List of FederationDomain objects. +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
func (*FederationDomainList) DeepCopy ¶
func (in *FederationDomainList) DeepCopy() *FederationDomainList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainList.
func (*FederationDomainList) DeepCopyInto ¶
func (in *FederationDomainList) DeepCopyInto(out *FederationDomainList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*FederationDomainList) DeepCopyObject ¶
func (in *FederationDomainList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type FederationDomainPhase ¶ added in v0.26.0
type FederationDomainPhase string
const ( // FederationDomainPhasePending is the default phase for newly-created FederationDomain resources. FederationDomainPhasePending FederationDomainPhase = "Pending" // FederationDomainPhaseReady is the phase for an FederationDomain resource in a healthy state. FederationDomainPhaseReady FederationDomainPhase = "Ready" // FederationDomainPhaseError is the phase for an FederationDomain in an unhealthy state. FederationDomainPhaseError FederationDomainPhase = "Error" )
type FederationDomainSecrets ¶
type FederationDomainSecrets struct {
// JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are
// stored. If it is empty, then the signing/verification keys are either unknown or they don't
// exist.
// +optional
JWKS corev1.LocalObjectReference `json:"jwks,omitempty"`
// TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
// signing tokens is stored.
// +optional
TokenSigningKey corev1.LocalObjectReference `json:"tokenSigningKey,omitempty"`
// StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
// signing state parameters is stored.
// +optional
StateSigningKey corev1.LocalObjectReference `json:"stateSigningKey,omitempty"`
// StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
// encrypting state parameters is stored.
// +optional
StateEncryptionKey corev1.LocalObjectReference `json:"stateEncryptionKey,omitempty"`
}
FederationDomainSecrets holds information about this OIDC Provider's secrets.
func (*FederationDomainSecrets) DeepCopy ¶
func (in *FederationDomainSecrets) DeepCopy() *FederationDomainSecrets
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainSecrets.
func (*FederationDomainSecrets) DeepCopyInto ¶
func (in *FederationDomainSecrets) DeepCopyInto(out *FederationDomainSecrets)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FederationDomainSpec ¶
type FederationDomainSpec struct {
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
// identifier that it will use for the iss claim in issued JWTs. This field will also be used as
// the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is
// https://example.com/foo, then your authorization endpoint will look like
// https://example.com/foo/some/path/to/auth/endpoint).
//
// See
// https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
// +kubebuilder:validation:MinLength=1
Issuer string `json:"issuer"`
// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
// +optional
TLS *FederationDomainTLSSpec `json:"tls,omitempty"`
// IdentityProviders is the list of identity providers available for use by this FederationDomain.
//
// An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server,
// how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to
// extract a normalized user identity. Normalized user identities include a username and a list of group names.
// In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which
// belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations
// on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid
// accidental conflicts when multiple identity providers have different users with the same username (e.g.
// "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication
// rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow
// the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could
// disallow the authentication unless the user belongs to a specific group in the identity provider.
//
// For backwards compatibility with versions of Pinniped which predate support for multiple identity providers,
// an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which
// exist in the same namespace, but also to reject all authentication requests when there is more than one identity
// provider currently defined. In this backwards compatibility mode, the name of the identity provider resource
// (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this
// FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of
// relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead
// explicitly list the identity provider using this IdentityProviders field.
//
// +optional
IdentityProviders []FederationDomainIdentityProvider `json:"identityProviders,omitempty"`
}
FederationDomainSpec is a struct that describes an OIDC Provider.
func (*FederationDomainSpec) DeepCopy ¶
func (in *FederationDomainSpec) DeepCopy() *FederationDomainSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainSpec.
func (*FederationDomainSpec) DeepCopyInto ¶
func (in *FederationDomainSpec) DeepCopyInto(out *FederationDomainSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FederationDomainStatus ¶
type FederationDomainStatus struct {
// Phase summarizes the overall status of the FederationDomain.
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase FederationDomainPhase `json:"phase,omitempty"`
// Conditions represent the observations of an FederationDomain's current state.
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
// Secrets contains information about this OIDC Provider's secrets.
// +optional
Secrets FederationDomainSecrets `json:"secrets,omitempty"`
}
FederationDomainStatus is a struct that describes the actual state of an OIDC Provider.
func (*FederationDomainStatus) DeepCopy ¶
func (in *FederationDomainStatus) DeepCopy() *FederationDomainStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainStatus.
func (*FederationDomainStatus) DeepCopyInto ¶
func (in *FederationDomainStatus) DeepCopyInto(out *FederationDomainStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FederationDomainTLSSpec ¶
type FederationDomainTLSSpec struct {
// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
// the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret
// named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use
// for TLS.
//
// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
//
// SecretName is required if you would like to use different TLS certificates for issuers of different hostnames.
// SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
// SecretName value even if they have different port numbers.
//
// SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is
// configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar).
// It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
// use the default TLS certificate, which is configured elsewhere.
//
// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
//
// +optional
SecretName string `json:"secretName,omitempty"`
}
FederationDomainTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
func (*FederationDomainTLSSpec) DeepCopy ¶
func (in *FederationDomainTLSSpec) DeepCopy() *FederationDomainTLSSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTLSSpec.
func (*FederationDomainTLSSpec) DeepCopyInto ¶
func (in *FederationDomainTLSSpec) DeepCopyInto(out *FederationDomainTLSSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FederationDomainTransforms ¶ added in v0.26.0
type FederationDomainTransforms struct {
// Constants defines constant variables and their values which will be made available to the transform expressions.
// +patchMergeKey=name
// +patchStrategy=merge
// +listType=map
// +listMapKey=name
// +optional
Constants []FederationDomainTransformsConstant `json:"constants,omitempty"`
// Expressions are an optional list of transforms and policies to be executed in the order given during every
// authentication attempt, including during every session refresh.
// Each is a CEL expression. It may use the basic CEL language as defined in
// https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in
// https://github.com/google/cel-go/tree/master/ext#strings.
//
// The username and groups extracted from the identity provider, and the constants defined in this CR, are
// available as variables in all expressions. The username is provided via a variable called `username` and
// the list of group names is provided via a variable called `groups` (which may be an empty list).
// Each user-provided constants is provided via a variable named `strConst.varName` for string constants
// and `strListConst.varName` for string list constants.
//
// The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1.
// Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated
// and the authentication attempt is rejected.
// Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the
// username or group names.
// Each username/v1 transform must return the new username (a string), which can be the same as the old username.
// Transformations of type username/v1 do not return group names, and therefore cannot change the group names.
// Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old
// groups list.
// Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames.
// After each expression, the new (potentially changed) username or groups get passed to the following expression.
//
// Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain.
// During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the
// authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username
// and group names have been decided for that authentication attempt.
//
// +optional
Expressions []FederationDomainTransformsExpression `json:"expressions,omitempty"`
// Examples can optionally be used to ensure that the sequence of transformation expressions are working as
// expected. Examples define sample input identities which are then run through the expression list, and the
// results are compared to the expected results. If any example in this list fails, then this
// identity provider will not be available for use within this FederationDomain, and the error(s) will be
// added to the FederationDomain status. This can be used to help guard against programming mistakes in the
// expressions, and also act as living documentation for other administrators to better understand the expressions.
// +optional
Examples []FederationDomainTransformsExample `json:"examples,omitempty"`
}
FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
func (*FederationDomainTransforms) DeepCopy ¶ added in v0.26.0
func (in *FederationDomainTransforms) DeepCopy() *FederationDomainTransforms
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransforms.
func (*FederationDomainTransforms) DeepCopyInto ¶ added in v0.26.0
func (in *FederationDomainTransforms) DeepCopyInto(out *FederationDomainTransforms)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FederationDomainTransformsConstant ¶ added in v0.26.0
type FederationDomainTransformsConstant struct {
// Name determines the name of the constant. It must be a valid identifier name.
// +kubebuilder:validation:Pattern=`^[a-zA-Z][_a-zA-Z0-9]*$`
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=64
Name string `json:"name"`
// Type determines the type of the constant, and indicates which other field should be non-empty.
// Allowed values are "string" or "stringList".
// +kubebuilder:validation:Enum=string;stringList
Type string `json:"type"`
// StringValue should hold the value when Type is "string", and is otherwise ignored.
// +optional
StringValue string `json:"stringValue,omitempty"`
// StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
// +optional
StringListValue []string `json:"stringListValue,omitempty"`
}
FederationDomainTransformsConstant defines a constant variable and its value which will be made available to the transform expressions. This is a union type, and Type is the discriminator field.
func (*FederationDomainTransformsConstant) DeepCopy ¶ added in v0.26.0
func (in *FederationDomainTransformsConstant) DeepCopy() *FederationDomainTransformsConstant
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsConstant.
func (*FederationDomainTransformsConstant) DeepCopyInto ¶ added in v0.26.0
func (in *FederationDomainTransformsConstant) DeepCopyInto(out *FederationDomainTransformsConstant)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FederationDomainTransformsExample ¶ added in v0.26.0
type FederationDomainTransformsExample struct {
// Username is the input username.
// +kubebuilder:validation:MinLength=1
Username string `json:"username"`
// Groups is the input list of group names.
// +optional
Groups []string `json:"groups,omitempty"`
// Expects is the expected output of the entire sequence of transforms when they are run against the
// input Username and Groups.
Expects FederationDomainTransformsExampleExpects `json:"expects"`
}
FederationDomainTransformsExample defines a transform example.
func (*FederationDomainTransformsExample) DeepCopy ¶ added in v0.26.0
func (in *FederationDomainTransformsExample) DeepCopy() *FederationDomainTransformsExample
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExample.
func (*FederationDomainTransformsExample) DeepCopyInto ¶ added in v0.26.0
func (in *FederationDomainTransformsExample) DeepCopyInto(out *FederationDomainTransformsExample)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FederationDomainTransformsExampleExpects ¶ added in v0.26.0
type FederationDomainTransformsExampleExpects struct {
// Username is the expected username after the transformations have been applied.
// +optional
Username string `json:"username,omitempty"`
// Groups is the expected list of group names after the transformations have been applied.
// +optional
Groups []string `json:"groups,omitempty"`
// Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression
// after the transformations have been applied. True means that it is expected that the authentication would be
// rejected. The default value of false means that it is expected that the authentication would not be rejected
// by any policy expression.
// +optional
Rejected bool `json:"rejected,omitempty"`
// Message is the expected error message of the transforms. When Rejected is true, then Message is the expected
// message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank,
// then Message will be treated as the default error message for authentication attempts which are rejected by a
// policy. When Rejected is false, then Message is the expected error message for some other non-policy
// transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
// +optional
Message string `json:"message,omitempty"`
}
FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
func (*FederationDomainTransformsExampleExpects) DeepCopy ¶ added in v0.26.0
func (in *FederationDomainTransformsExampleExpects) DeepCopy() *FederationDomainTransformsExampleExpects
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExampleExpects.
func (*FederationDomainTransformsExampleExpects) DeepCopyInto ¶ added in v0.26.0
func (in *FederationDomainTransformsExampleExpects) DeepCopyInto(out *FederationDomainTransformsExampleExpects)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FederationDomainTransformsExpression ¶ added in v0.26.0
type FederationDomainTransformsExpression struct {
// Type determines the type of the expression. It must be one of the supported types.
// Allowed values are "policy/v1", "username/v1", or "groups/v1".
// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
Type string `json:"type"`
// Expression is a CEL expression that will be evaluated based on the Type during an authentication.
// +kubebuilder:validation:MinLength=1
Expression string `json:"expression"`
// Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects
// an authentication attempt. When empty, a default message will be used.
// +optional
Message string `json:"message,omitempty"`
}
FederationDomainTransformsExpression defines a transform expression.
func (*FederationDomainTransformsExpression) DeepCopy ¶ added in v0.26.0
func (in *FederationDomainTransformsExpression) DeepCopy() *FederationDomainTransformsExpression
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FederationDomainTransformsExpression.
func (*FederationDomainTransformsExpression) DeepCopyInto ¶ added in v0.26.0
func (in *FederationDomainTransformsExpression) DeepCopyInto(out *FederationDomainTransformsExpression)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type GrantType ¶ added in v0.20.0
type GrantType string
+kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange"
type OIDCClient ¶ added in v0.20.0
type OIDCClient struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec of the OIDC client.
Spec OIDCClientSpec `json:"spec"`
// Status of the OIDC client.
Status OIDCClientStatus `json:"status,omitempty"`
}
OIDCClient describes the configuration of an OIDC client. +genclient +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +kubebuilder:resource:categories=pinniped +kubebuilder:printcolumn:name="Privileged Scopes",type=string,JSONPath=`.spec.allowedScopes[?(@ == "pinniped:request-audience")]` +kubebuilder:printcolumn:name="Client Secrets",type=integer,JSONPath=`.status.totalClientSecrets` +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +kubebuilder:subresource:status
func (*OIDCClient) DeepCopy ¶ added in v0.20.0
func (in *OIDCClient) DeepCopy() *OIDCClient
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient.
func (*OIDCClient) DeepCopyInto ¶ added in v0.20.0
func (in *OIDCClient) DeepCopyInto(out *OIDCClient)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*OIDCClient) DeepCopyObject ¶ added in v0.20.0
func (in *OIDCClient) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type OIDCClientList ¶ added in v0.20.0
type OIDCClientList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []OIDCClient `json:"items"`
}
List of OIDCClient objects. +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
func (*OIDCClientList) DeepCopy ¶ added in v0.20.0
func (in *OIDCClientList) DeepCopy() *OIDCClientList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientList.
func (*OIDCClientList) DeepCopyInto ¶ added in v0.20.0
func (in *OIDCClientList) DeepCopyInto(out *OIDCClientList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*OIDCClientList) DeepCopyObject ¶ added in v0.20.0
func (in *OIDCClientList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type OIDCClientPhase ¶ added in v0.20.0
type OIDCClientPhase string
const ( // OIDCClientPhasePending is the default phase for newly-created OIDCClient resources. OIDCClientPhasePending OIDCClientPhase = "Pending" // OIDCClientPhaseReady is the phase for an OIDCClient resource in a healthy state. OIDCClientPhaseReady OIDCClientPhase = "Ready" // OIDCClientPhaseError is the phase for an OIDCClient in an unhealthy state. OIDCClientPhaseError OIDCClientPhase = "Error" )
type OIDCClientSpec ¶ added in v0.20.0
type OIDCClientSpec struct {
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
// client. Any other uris will be rejected.
// Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme.
// Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri.
// +listType=set
// +kubebuilder:validation:MinItems=1
AllowedRedirectURIs []RedirectURI `json:"allowedRedirectURIs"`
// allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this
// client.
//
// Must only contain the following values:
// - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to
// authenticate users. This grant must always be listed.
// - refresh_token: allows the client to perform refresh grants for the user to extend the user's session.
// This grant must be listed if allowedScopes lists offline_access.
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
// which is a step in the process to be able to get a cluster credential for the user.
// This grant must be listed if allowedScopes lists pinniped:request-audience.
// +listType=set
// +kubebuilder:validation:MinItems=1
AllowedGrantTypes []GrantType `json:"allowedGrantTypes"`
// allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
//
// Must only contain the following values:
// - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat).
// This scope must always be listed.
// - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow.
// This scope must be listed if allowedGrantTypes lists refresh_token.
// - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange,
// which is a step in the process to be able to get a cluster credential for the user.
// openid, username and groups scopes must be listed when this scope is present.
// This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange.
// - username: The client is allowed to request that ID tokens contain the user's username.
// Without the username scope being requested and allowed, the ID token will not contain the user's username.
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
// if their group membership is discoverable by the Supervisor.
// Without the groups scope being requested and allowed, the ID token will not contain groups.
// +listType=set
// +kubebuilder:validation:MinItems=1
AllowedScopes []Scope `json:"allowedScopes"`
// tokenLifetimes are the optional overrides of token lifetimes for an OIDCClient.
// +optional
TokenLifetimes OIDCClientTokenLifetimes `json:"tokenLifetimes,omitempty"`
}
OIDCClientSpec is a struct that describes an OIDCClient.
func (*OIDCClientSpec) DeepCopy ¶ added in v0.20.0
func (in *OIDCClientSpec) DeepCopy() *OIDCClientSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientSpec.
func (*OIDCClientSpec) DeepCopyInto ¶ added in v0.20.0
func (in *OIDCClientSpec) DeepCopyInto(out *OIDCClientSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OIDCClientStatus ¶ added in v0.20.0
type OIDCClientStatus struct {
// phase summarizes the overall status of the OIDCClient.
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase OIDCClientPhase `json:"phase,omitempty"`
// conditions represent the observations of an OIDCClient's current state.
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
// totalClientSecrets is the current number of client secrets that are detected for this OIDCClient.
// +optional
TotalClientSecrets int32 `json:"totalClientSecrets"` // do not omitempty to allow it to show in the printer column even when it is 0
}
OIDCClientStatus is a struct that describes the actual state of an OIDCClient.
func (*OIDCClientStatus) DeepCopy ¶ added in v0.20.0
func (in *OIDCClientStatus) DeepCopy() *OIDCClientStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientStatus.
func (*OIDCClientStatus) DeepCopyInto ¶ added in v0.20.0
func (in *OIDCClientStatus) DeepCopyInto(out *OIDCClientStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OIDCClientTokenLifetimes ¶ added in v0.30.0
type OIDCClientTokenLifetimes struct {
// idTokenSeconds is the lifetime of ID tokens issued to this client, in seconds. This will choose the lifetime of
// ID tokens returned by the authorization flow and the refresh grant. It will not influence the lifetime of the ID
// tokens returned by RFC8693 token exchange. When null, a short-lived default value will be used.
// This value must be between 120 and 1,800 seconds (30 minutes), inclusive. It is recommended to make these tokens
// short-lived to force the client to perform the refresh grant often, because the refresh grant will check with the
// external identity provider to decide if it is acceptable for the end user to continue their session, and will
// update the end user's group memberships from the external identity provider. Giving these tokens a long life is
// will allow the end user to continue to use a token while avoiding these updates from the external identity
// provider. However, some web applications may have reasons specific to the design of that application to prefer
// longer lifetimes.
// +kubebuilder:validation:Minimum=120
// +kubebuilder:validation:Maximum=1800
// +optional
IDTokenSeconds *int32 `json:"idTokenSeconds,omitempty"`
}
OIDCClientTokenLifetimes describes the optional overrides of token lifetimes for an OIDCClient.
func (*OIDCClientTokenLifetimes) DeepCopy ¶ added in v0.30.0
func (in *OIDCClientTokenLifetimes) DeepCopy() *OIDCClientTokenLifetimes
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientTokenLifetimes.
func (*OIDCClientTokenLifetimes) DeepCopyInto ¶ added in v0.30.0
func (in *OIDCClientTokenLifetimes) DeepCopyInto(out *OIDCClientTokenLifetimes)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RedirectURI ¶ added in v0.20.0
type RedirectURI string
+kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`
Source Files