diff --git a/00-defs/01-crd.yaml b/00-defs/01-crd.yaml
deleted file mode 100644
--- a/00-defs/01-crd.yaml
+++ /dev/null
@@ -1,353 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.9.0
- creationTimestamp: null
- labels:
- app.kubernetes.io/name: pomerium
- name: pomerium.ingress.pomerium.io
-spec:
- group: ingress.pomerium.io
- names:
- kind: Pomerium
- listKind: PomeriumList
- plural: pomerium
- singular: pomerium
- scope: Cluster
- versions:
- - name: v1
- schema:
- openAPIV3Schema:
- description: Pomerium define runtime-configurable Pomerium settings that do
- not fall into the category of deployment parameters
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: PomeriumSpec defines Pomerium-specific configuration parameters.
- properties:
- authenticate:
- description: Authenticate sets authenticate service parameters
- properties:
- callbackPath:
- description: "CallbackPath sets the path at which the authenticate
- service receives callback responses from your identity provider.
- The value must exactly match one of the authorized redirect
- URIs for the OAuth 2.0 client. \n

This value is referred
- to as the redirect_url in the OpenIDConnect and OAuth2 specs.

-

Defaults to /oauth2/callback

"
- type: string
- url:
- description: "AuthenticateURL is a dedicated domain URL the non-authenticated
- persons would be referred to. \n

"
- format: uri
- pattern: ^https://
- type: string
- required:
- - url
- type: object
- certificates:
- description: Certificates is a list of secrets of type TLS to use
- format: namespace/name
- items:
- type: string
- type: array
- cookie:
- description: Cookie defines Pomerium session cookie options.
- properties:
- domain:
- description: Domain defaults to the same host that set the cookie.
- If you specify the domain explicitly, then subdomains would
- also be included.
- type: string
- expire:
- description: Expire sets cookie and Pomerium session expiration
- time. Once session expires, users would have to re-login. If
- you change this parameter, existing sessions are not affected.
-

See Session
- Management (Enterprise) for a more fine-grained session
- controls.

Defaults to 14 hours.

- format: duration
- type: string
- httpOnly:
- description: HTTPOnly if set to false, the cookie
- would be accessible from within the JavaScript. Defaults to
- true.
- type: boolean
- name:
- description: Name sets the Pomerium session cookie name. Defaults
- to _pomerium
- type: string
- secure:
- description: Secure if set to false, would make a cookie accessible
- over insecure protocols (HTTP). Defaults to true.
- type: boolean
- type: object
- identityProvider:
- description: IdentityProvider configure single-sign-on authentication
- and user identity details by integrating with your Identity
- Provider
- properties:
- provider:
- description: Provider is the short-hand name of a built-in OpenID
- Connect (oidc) identity provider to be used for authentication.
- To use a generic provider, set to oidc.
- enum:
- - auth0
- - azure
- - google
- - okta
- - onelogin
- - oidc
- - ping
- - github
- type: string
- refreshDirectory:
- description: RefreshDirectory is no longer supported, please see
- Upgrade
- Guide.
- properties:
- interval:
- description: interval is the time that pomerium will sync
- your IDP directory.
- format: duration
- type: string
- timeout:
- description: timeout is the maximum time allowed each run.
- format: duration
- type: string
- required:
- - interval
- - timeout
- type: object
- requestParams:
- additionalProperties:
- type: string
- description: RequestParams to be added as part of a signin request
- using OAuth2 code flow.
- format: namespace/name
- type: object
- requestParamsSecret:
- description: RequestParamsSecret is a reference to a secret for
- additional parameters you'd prefer not to provide in plaintext.
- format: namespace/name
- type: string
- scopes:
- description: Scopes Identity provider scopes correspond to access
- privilege scopes as defined in Section 3.3 of OAuth 2.0 RFC6749.
- items:
- type: string
- type: array
- secret:
- description: Secret containing IdP provider specific parameters. 
- and must contain at least client_id and client_secret
- values.
- format: namespace/name
- minLength: 1
- type: string
- serviceAccountFromSecret:
- description: ServiceAccountFromSecret is no longer supported,
- see Upgrade
- Guide.
- type: string
- url:
- description: URL is the base path to an identity provider's OpenID
- connect discovery document. See Identity
- Providers guides for details.
- format: uri
- pattern: ^https://
- type: string
- required:
- - provider
- - secret
- type: object
- jwtClaimHeaders:
- additionalProperties:
- type: string
- description: JWTClaimHeaders convert claims from the assertion token
- into HTTP headers and adds them into JWT assertion header. Please
- make sure to read
- Getting User Identity guide.
- type: object
- secrets:
- description: "Secrets references a Secret with Pomerium bootstrap
- parameters. \n

In a default
- Pomerium installation manifest, they would be generated via a one-time
- job and stored in a pomerium/bootstrap Secret.
- You may re-run the job to rotate the secrets, or update the Secret
- values manually.

"
- format: namespace/name
- minLength: 1
- type: string
- storage:
- description: Storage defines persistent storage for sessions and other
- data. See Storage
- for details. If no storage is specified, Pomerium would use a transient
- in-memory storage (not recommended for production).
- properties:
- postgres:
- description: Postgres specifies PostgreSQL database connection
- parameters
- properties:
- caSecret:
- description: CASecret should refer to a k8s secret with key
- ca.crt containing CA certificate that, if specified,
- would be used to populate sslrootcert parameter
- of the connection string.
- format: namespace/name
- minLength: 1
- type: string
- secret:
- description: Secret specifies a name of a Secret that must
- contain connection key. See DSN
- Format and Parameters. Do not set sslrootcert,
- sslcert and sslkey via connection
- string, use tlsCecret and caSecret
- CRD options instead.
- format: namespace/name
- minLength: 1
- type: string
- tlsSecret:
- description: TLSSecret should refer to a k8s secret of type
- kubernetes.io/tls and allows to specify an
- optional client certificate and key, by constructing sslcert
- and sslkey connection string
- parameter values.
- format: namespace/name
- minLength: 1
- type: string
- required:
- - secret
- type: object
- redis:
- description: Redis defines REDIS connection parameters
- properties:
- caSecret:
- description: CASecret should refer to a k8s secret with key
- ca.crt that must be a PEM-encoded certificate
- authority to use when connecting to the databroker storage
- engine.
- format: namespace/name
- type: string
- secret:
- description: Secret specifies a name of a Secret that must
- contain connection key.
- format: namespace/name
- minLength: 1
- type: string
- tlsSecret:
- description: TLSSecret should refer to a k8s secret of type
- kubernetes.io/tls that would be used to perform
- TLS connection to REDIS. 
- format: namespace/name
- minLength: 1
- type: string
- tlsSkipVerify:
- description: TLSSkipVerify disables TLS certificate chain
- validation.
- type: boolean
- required:
- - secret
- type: object
- type: object
- required:
- - authenticate
- - identityProvider
- - secrets
- type: object
- status:
- description: PomeriumStatus represents configuration and Ingress status.
- properties:
- ingress:
- additionalProperties:
- description: ResourceStatus represents the outcome of the latest
- attempt to reconcile relevant Kubernetes resource with Pomerium.
- properties:
- error:
- description: Error that prevented latest observedGeneration
- to be synchronized with Pomerium.
- type: string
- observedAt:
- description: ObservedAt is when last reconciliation attempt
- was made.
- format: date-time
- type: string
- observedGeneration:
- description: ObservedGeneration represents the .metadata.generation
- that was last presented to Pomerium.
- format: int64
- type: integer
- reconciled:
- description: Reconciled is whether this object generation was
- successfully synced with pomerium.
- type: boolean
- warnings:
- description: Warnings while parsing the resource.
- items:
- type: string
- type: array
- required:
- - reconciled
- type: object
- description: Routes provide per-Ingress status.
- type: object
- settingsStatus:
- description: SettingsStatus represent most recent main configuration
- reconciliation status.
- properties:
- error:
- description: Error that prevented latest observedGeneration to
- be synchronized with Pomerium.
- type: string
- observedAt:
- description: ObservedAt is when last reconciliation attempt was
- made.
- format: date-time
- type: string
- observedGeneration:
- description: ObservedGeneration represents the .metadata.generation
- that was last presented to Pomerium.
- format: int64
- type: integer
- reconciled:
- description: Reconciled is whether this object generation was
- successfully synced with pomerium. 
- type: boolean
- warnings:
- description: Warnings while parsing the resource.
- items:
- type: string
- type: array
- required:
- - reconciled
- type: object
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}