|
0
|
1 apiVersion: apiextensions.k8s.io/v1
|
|
|
2 kind: CustomResourceDefinition
|
|
|
3 metadata:
|
|
|
4 annotations:
|
|
|
5 controller-gen.kubebuilder.io/version: v0.9.0
|
|
|
6 creationTimestamp: null
|
|
|
7 labels:
|
|
|
8 app.kubernetes.io/name: pomerium
|
|
|
9 name: pomerium.ingress.pomerium.io
|
|
|
10 spec:
|
|
|
11 group: ingress.pomerium.io
|
|
|
12 names:
|
|
|
13 kind: Pomerium
|
|
|
14 listKind: PomeriumList
|
|
|
15 plural: pomerium
|
|
|
16 singular: pomerium
|
|
|
17 scope: Cluster
|
|
|
18 versions:
|
|
|
19 - name: v1
|
|
|
20 schema:
|
|
|
21 openAPIV3Schema:
|
|
|
22 description: Pomerium define runtime-configurable Pomerium settings that do
|
|
|
23 not fall into the category of deployment parameters
|
|
|
24 properties:
|
|
|
25 apiVersion:
|
|
|
26 description: 'APIVersion defines the versioned schema of this representation
|
|
|
27 of an object. Servers should convert recognized schemas to the latest
|
|
|
28 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
|
29 type: string
|
|
|
30 kind:
|
|
|
31 description: 'Kind is a string value representing the REST resource this
|
|
|
32 object represents. Servers may infer this from the endpoint the client
|
|
|
33 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
|
34 type: string
|
|
|
35 metadata:
|
|
|
36 type: object
|
|
|
37 spec:
|
|
|
38 description: PomeriumSpec defines the desired state of Settings
|
|
|
39 properties:
|
|
|
40 authenticate:
|
|
|
41 description: Authenticate sets authenticate service parameters
|
|
|
42 properties:
|
|
|
43 callbackPath:
|
|
|
44 description: CallbackPath see https://www.pomerium.com/reference/#authenticate-callback-path
|
|
|
45 type: string
|
|
|
46 url:
|
|
|
47 description: AuthenticateURL should be publicly accessible URL
|
|
|
48 the non-authenticated persons would be referred to see https://www.pomerium.com/reference/#authenticate-service-url
|
|
|
49 format: uri
|
|
|
50 pattern: ^https://
|
|
|
51 type: string
|
|
|
52 required:
|
|
|
53 - url
|
|
|
54 type: object
|
|
|
55 certificates:
|
|
|
56 description: Certificates is a list of secrets of type TLS to use
|
|
|
57 items:
|
|
|
58 type: string
|
|
|
59 type: array
|
|
|
60 identityProvider:
|
|
|
61 description: IdentityProvider see https://www.pomerium.com/docs/identity-providers/
|
|
|
62 properties:
|
|
|
63 provider:
|
|
|
64 description: Provider one of accepted providers - see https://www.pomerium.com/reference/#identity-provider-name.
|
|
|
65 enum:
|
|
|
66 - auth0
|
|
|
67 - azure
|
|
|
68 - google
|
|
|
69 - okta
|
|
|
70 - onelogin
|
|
|
71 - oidc
|
|
|
72 - ping
|
|
|
73 - github
|
|
|
74 type: string
|
|
|
75 refreshDirectory:
|
|
|
76 description: RefreshDirectory defines IdP directory refresh options
|
|
|
77 properties:
|
|
|
78 interval:
|
|
|
79 description: interval is the time that pomerium will sync
|
|
|
80 your IDP directory.
|
|
|
81 format: duration
|
|
|
82 type: string
|
|
|
83 timeout:
|
|
|
84 description: timeout is the maximum time allowed each run.
|
|
|
85 format: duration
|
|
|
86 type: string
|
|
|
87 required:
|
|
|
88 - interval
|
|
|
89 - timeout
|
|
|
90 type: object
|
|
|
91 requestParams:
|
|
|
92 additionalProperties:
|
|
|
93 type: string
|
|
|
94 description: RequestParams see https://www.pomerium.com/reference/#identity-provider-request-params
|
|
|
95 type: object
|
|
|
96 requestParamsSecret:
|
|
|
97 description: RequestParamsSecret is a reference to a secret for
|
|
|
98 additional parameters you'd prefer not to provide in plaintext.
|
|
|
99 type: string
|
|
|
100 scopes:
|
|
|
101 description: Scopes see https://www.pomerium.com/reference/#identity-provider-scopes.
|
|
|
102 items:
|
|
|
103 type: string
|
|
|
104 type: array
|
|
|
105 secret:
|
|
|
106 description: Secret containing IdP provider specific parameters
|
|
|
107 and must contain at least client_id and client_secret values,
|
|
|
108 an optional `service_account` field, mapped to https://www.pomerium.com/reference/#identity-provider-service-account
|
|
|
109 minLength: 1
|
|
|
110 type: string
|
|
|
111 serviceAccountFromSecret:
|
|
|
112 description: ServiceAccountFromSecret is a convenience way to
|
|
|
113 build a value for `idp_service_account` from secret map values,
|
|
|
114 see https://www.pomerium.com/docs/identity-providers/
|
|
|
115 type: string
|
|
|
116 url:
|
|
|
117 description: URL is identity provider url, see https://www.pomerium.com/reference/#identity-provider-url.
|
|
|
118 format: uri
|
|
|
119 pattern: ^https://
|
|
|
120 type: string
|
|
|
121 required:
|
|
|
122 - provider
|
|
|
123 - secret
|
|
|
124 type: object
|
|
|
125 secrets:
|
|
|
126 description: Secrets references a Secret that must have the following
|
|
|
127 keys - shared_secret - cookie_secret - signing_key
|
|
|
128 minLength: 1
|
|
|
129 type: string
|
|
|
130 storage:
|
|
|
131 description: Storage defines persistent storage for sessions and other
|
|
|
132 data it will use in-memory if none specified see https://www.pomerium.com/docs/topics/data-storage
|
|
|
133 properties:
|
|
|
134 postgres:
|
|
|
135 description: Postgres specifies PostgreSQL database connection
|
|
|
136 parameters
|
|
|
137 properties:
|
|
|
138 caSecret:
|
|
|
139 description: CASecret should refer to a k8s secret with key
|
|
|
140 `ca.crt` containing CA certificate that, if specified, would
|
|
|
141 be used to populate `sslrootcert` parameter of the connection
|
|
|
142 string
|
|
|
143 minLength: 1
|
|
|
144 type: string
|
|
|
145 secret:
|
|
|
146 description: Secret specifies a name of a Secret that must
|
|
|
147 contain `connection` key for the connection DSN format and
|
|
|
148 parameters, see https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
|
|
|
149 the following keywords are not allowed to be part of the
|
|
|
150 parameters, as they must be populated via `tlsCecret` and
|
|
|
151 `caSecret` fields
|
|
|
152 minLength: 1
|
|
|
153 type: string
|
|
|
154 tlsSecret:
|
|
|
155 description: TLSSecret should refer to a k8s secret of type
|
|
|
156 `kubernetes.io/tls` and allows to specify an optional client
|
|
|
157 certificate and key, by constructing `sslcert` and `sslkey`
|
|
|
158 connection string parameter values see https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
|
|
|
159 minLength: 1
|
|
|
160 type: string
|
|
|
161 required:
|
|
|
162 - secret
|
|
|
163 type: object
|
|
|
164 redis:
|
|
|
165 description: Redis defines REDIS connection parameters
|
|
|
166 properties:
|
|
|
167 caSecret:
|
|
|
168 description: CASecret should refer to a k8s secret with key
|
|
|
169 `ca.crt` that must be a PEM-encoded certificate authority
|
|
|
170 to use when connecting to the databroker storage engine
|
|
|
171 see https://www.pomerium.com/docs/reference/data-broker-storage-certificate-authority
|
|
|
172 type: string
|
|
|
173 secret:
|
|
|
174 description: Secret specifies a name of a Secret that must
|
|
|
175 contain `connection` key. see https://www.pomerium.com/docs/reference/data-broker-storage-connection-string
|
|
|
176 minLength: 1
|
|
|
177 type: string
|
|
|
178 tlsSecret:
|
|
|
179 description: TLSSecret should refer to a k8s secret of type
|
|
|
180 `kubernetes.io/tls` and allows to specify an optional databroker
|
|
|
181 storage client certificate and key, see - https://www.pomerium.com/docs/reference/data-broker-storage-certificate-file
|
|
|
182 - https://www.pomerium.com/docs/reference/data-broker-storage-certificate-key-file
|
|
|
183 minLength: 1
|
|
|
184 type: string
|
|
|
185 tlsSkipVerify:
|
|
|
186 description: TLSSkipVerify disables TLS certificate chain
|
|
|
187 validation see https://www.pomerium.com/docs/reference/data-broker-storage-tls-skip-verify
|
|
|
188 type: boolean
|
|
|
189 required:
|
|
|
190 - secret
|
|
|
191 type: object
|
|
|
192 type: object
|
|
|
193 required:
|
|
|
194 - authenticate
|
|
|
195 - identityProvider
|
|
|
196 - secrets
|
|
|
197 type: object
|
|
|
198 status:
|
|
|
199 description: PomeriumStatus defines the observed state of Settings
|
|
|
200 properties:
|
|
|
201 ingress:
|
|
|
202 additionalProperties:
|
|
|
203 description: ResourceStatus represents the outcome of the latest
|
|
|
204 attempt to reconcile it with Pomerium.
|
|
|
205 properties:
|
|
|
206 error:
|
|
|
207 description: Error that prevented latest observedGeneration
|
|
|
208 to be synchronized with Pomerium.
|
|
|
209 type: string
|
|
|
210 observedAt:
|
|
|
211 description: ObservedAt is when last reconciliation attempt
|
|
|
212 was made.
|
|
|
213 format: date-time
|
|
|
214 type: string
|
|
|
215 observedGeneration:
|
|
|
216 description: ObservedGeneration represents the .metadata.generation
|
|
|
217 that was last presented to Pomerium.
|
|
|
218 format: int64
|
|
|
219 type: integer
|
|
|
220 reconciled:
|
|
|
221 description: Reconciled is whether this object generation was
|
|
|
222 successfully synced with pomerium.
|
|
|
223 type: boolean
|
|
|
224 required:
|
|
|
225 - reconciled
|
|
|
226 type: object
|
|
|
227 description: Routes provide per-Ingress status.
|
|
|
228 type: object
|
|
|
229 settingsStatus:
|
|
|
230 description: settingsStatus represent most recent main configuration
|
|
|
231 reconciliation status.
|
|
|
232 properties:
|
|
|
233 error:
|
|
|
234 description: Error that prevented latest observedGeneration to
|
|
|
235 be synchronized with Pomerium.
|
|
|
236 type: string
|
|
|
237 observedAt:
|
|
|
238 description: ObservedAt is when last reconciliation attempt was
|
|
|
239 made.
|
|
|
240 format: date-time
|
|
|
241 type: string
|
|
|
242 observedGeneration:
|
|
|
243 description: ObservedGeneration represents the .metadata.generation
|
|
|
244 that was last presented to Pomerium.
|
|
|
245 format: int64
|
|
|
246 type: integer
|
|
|
247 reconciled:
|
|
|
248 description: Reconciled is whether this object generation was
|
|
|
249 successfully synced with pomerium.
|
|
|
250 type: boolean
|
|
|
251 required:
|
|
|
252 - reconciled
|
|
|
253 type: object
|
|
|
254 type: object
|
|
|
255 type: object
|
|
|
256 served: true
|
|
|
257 storage: true
|
|
|
258 subresources:
|
|
|
259 status: {} |
