diff --git a/00-defs/01-crd.yaml b/00-defs/01-crd.yaml new file mode 100644 --- /dev/null +++ b/00-defs/01-crd.yaml @@ -0,0 +1,353 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 + creationTimestamp: null + labels: + app.kubernetes.io/name: pomerium + name: pomerium.ingress.pomerium.io +spec: + group: ingress.pomerium.io + names: + kind: Pomerium + listKind: PomeriumList + plural: pomerium + singular: pomerium + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Pomerium define runtime-configurable Pomerium settings that do + not fall into the category of deployment parameters + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PomeriumSpec defines Pomerium-specific configuration parameters. + properties: + authenticate: + description: Authenticate sets authenticate service parameters + properties: + callbackPath: + description: "CallbackPath sets the path at which the authenticate + service receives callback responses from your identity provider. + The value must exactly match one of the authorized redirect + URIs for the OAuth 2.0 client. \n

This value is referred + to as the redirect_url in the OpenIDConnect and OAuth2 specs.

+

Defaults to /oauth2/callback

" + type: string + url: + description: "AuthenticateURL is a dedicated domain URL the non-authenticated + persons would be referred to. \n

" + format: uri + pattern: ^https:// + type: string + required: + - url + type: object + certificates: + description: Certificates is a list of secrets of type TLS to use + format: namespace/name + items: + type: string + type: array + cookie: + description: Cookie defines Pomerium session cookie options. + properties: + domain: + description: Domain defaults to the same host that set the cookie. + If you specify the domain explicitly, then subdomains would + also be included. + type: string + expire: + description: Expire sets cookie and Pomerium session expiration + time. Once session expires, users would have to re-login. If + you change this parameter, existing sessions are not affected. +

See Session + Management (Enterprise) for a more fine-grained session + controls.

Defaults to 14 hours.

+ format: duration + type: string + httpOnly: + description: HTTPOnly if set to false, the cookie + would be accessible from within the JavaScript. Defaults to + true. + type: boolean + name: + description: Name sets the Pomerium session cookie name. Defaults + to _pomerium + type: string + secure: + description: Secure if set to false, would make a cookie accessible + over insecure protocols (HTTP). Defaults to true. + type: boolean + type: object + identityProvider: + description: IdentityProvider configure single-sign-on authentication + and user identity details by integrating with your Identity + Provider + properties: + provider: + description: Provider is the short-hand name of a built-in OpenID + Connect (oidc) identity provider to be used for authentication. + To use a generic provider, set to oidc. + enum: + - auth0 + - azure + - google + - okta + - onelogin + - oidc + - ping + - github + type: string + refreshDirectory: + description: RefreshDirectory is no longer supported, please see + Upgrade + Guide. + properties: + interval: + description: interval is the time that pomerium will sync + your IDP directory. + format: duration + type: string + timeout: + description: timeout is the maximum time allowed each run. + format: duration + type: string + required: + - interval + - timeout + type: object + requestParams: + additionalProperties: + type: string + description: RequestParams to be added as part of a signin request + using OAuth2 code flow. + format: namespace/name + type: object + requestParamsSecret: + description: RequestParamsSecret is a reference to a secret for + additional parameters you'd prefer not to provide in plaintext. + format: namespace/name + type: string + scopes: + description: Scopes Identity provider scopes correspond to access + privilege scopes as defined in Section 3.3 of OAuth 2.0 RFC6749. + items: + type: string + type: array + secret: + description: Secret containing IdP provider specific parameters. 
+ and must contain at least client_id and client_secret + values. + format: namespace/name + minLength: 1 + type: string + serviceAccountFromSecret: + description: ServiceAccountFromSecret is no longer supported, + see Upgrade + Guide. + type: string + url: + description: URL is the base path to an identity provider's OpenID + connect discovery document. See Identity + Providers guides for details. + format: uri + pattern: ^https:// + type: string + required: + - provider + - secret + type: object + jwtClaimHeaders: + additionalProperties: + type: string + description: JWTClaimHeaders convert claims from the assertion token + into HTTP headers and adds them into JWT assertion header. Please + make sure to read + Getting User Identity guide. + type: object + secrets: + description: "Secrets references a Secret with Pomerium bootstrap + parameters. \n

In a default + Pomerium installation manifest, they would be generated via a one-time + job and stored in a pomerium/bootstrap Secret. + You may re-run the job to rotate the secrets, or update the Secret + values manually.

" + format: namespace/name + minLength: 1 + type: string + storage: + description: Storage defines persistent storage for sessions and other + data. See Storage + for details. If no storage is specified, Pomerium would use a transient + in-memory storage (not recommended for production). + properties: + postgres: + description: Postgres specifies PostgreSQL database connection + parameters + properties: + caSecret: + description: CASecret should refer to a k8s secret with key + ca.crt containing CA certificate that, if specified, + would be used to populate sslrootcert parameter + of the connection string. + format: namespace/name + minLength: 1 + type: string + secret: + description: Secret specifies a name of a Secret that must + contain connection key. See DSN + Format and Parameters. Do not set sslrootcert, + sslcert and sslkey via connection + string, use tlsCecret and caSecret + CRD options instead. + format: namespace/name + minLength: 1 + type: string + tlsSecret: + description: TLSSecret should refer to a k8s secret of type + kubernetes.io/tls and allows to specify an + optional client certificate and key, by constructing sslcert + and sslkey connection string + parameter values. + format: namespace/name + minLength: 1 + type: string + required: + - secret + type: object + redis: + description: Redis defines REDIS connection parameters + properties: + caSecret: + description: CASecret should refer to a k8s secret with key + ca.crt that must be a PEM-encoded certificate + authority to use when connecting to the databroker storage + engine. + format: namespace/name + type: string + secret: + description: Secret specifies a name of a Secret that must + contain connection key. + format: namespace/name + minLength: 1 + type: string + tlsSecret: + description: TLSSecret should refer to a k8s secret of type + kubernetes.io/tls that would be used to perform + TLS connection to REDIS. 
+ format: namespace/name + minLength: 1 + type: string + tlsSkipVerify: + description: TLSSkipVerify disables TLS certificate chain + validation. + type: boolean + required: + - secret + type: object + type: object + required: + - authenticate + - identityProvider + - secrets + type: object + status: + description: PomeriumStatus represents configuration and Ingress status. + properties: + ingress: + additionalProperties: + description: ResourceStatus represents the outcome of the latest + attempt to reconcile relevant Kubernetes resource with Pomerium. + properties: + error: + description: Error that prevented latest observedGeneration + to be synchronized with Pomerium. + type: string + observedAt: + description: ObservedAt is when last reconciliation attempt + was made. + format: date-time + type: string + observedGeneration: + description: ObservedGeneration represents the .metadata.generation + that was last presented to Pomerium. + format: int64 + type: integer + reconciled: + description: Reconciled is whether this object generation was + successfully synced with pomerium. + type: boolean + warnings: + description: Warnings while parsing the resource. + items: + type: string + type: array + required: + - reconciled + type: object + description: Routes provide per-Ingress status. + type: object + settingsStatus: + description: SettingsStatus represent most recent main configuration + reconciliation status. + properties: + error: + description: Error that prevented latest observedGeneration to + be synchronized with Pomerium. + type: string + observedAt: + description: ObservedAt is when last reconciliation attempt was + made. + format: date-time + type: string + observedGeneration: + description: ObservedGeneration represents the .metadata.generation + that was last presented to Pomerium. + format: int64 + type: integer + reconciled: + description: Reconciled is whether this object generation was + successfully synced with pomerium. 
+ type: boolean + warnings: + description: Warnings while parsing the resource. + items: + type: string + type: array + required: + - reconciled + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {}
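Review bot: the `spec.storage.postgres.secret` description refers to a `tlsCecret` CRD option, but the sibling field defined a few lines below is `tlsSecret`; fix the spelling so users looking for the option find it. Two smaller schema points in the same hunk: `spec.identityProvider.requestParams` is a string map (`additionalProperties: type: string`) yet carries `format: namespace/name`, which only makes sense for the secret-reference fields around it and looks copied from `requestParamsSecret`; and `spec.storage.redis.tlsSkipVerify` says only "disables TLS certificate chain validation" while the other booleans in this CRD (`cookie.httpOnly`, `cookie.secure`) state their default, so add "Defaults to false." and note that enabling it removes server authentication for the databroker connection.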