diff --git a/00-defs/01-crd.yaml b/00-defs/01-crd.yaml
new file mode 100644
--- /dev/null
+++ b/00-defs/01-crd.yaml
@@ -0,0 +1,353 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.9.0
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/name: pomerium
+ name: pomerium.ingress.pomerium.io
+spec:
+ group: ingress.pomerium.io
+ names:
+ kind: Pomerium
+ listKind: PomeriumList
+ plural: pomerium
+ singular: pomerium
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: Pomerium define runtime-configurable Pomerium settings that do
+ not fall into the category of deployment parameters
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: PomeriumSpec defines Pomerium-specific configuration parameters.
+ properties:
+ authenticate:
+ description: Authenticate sets authenticate service parameters
+ properties:
+ callbackPath:
+ description: "CallbackPath sets the path at which the authenticate
+ service receives callback responses from your identity provider.
+ The value must exactly match one of the authorized redirect
+ URIs for the OAuth 2.0 client. \n
This value is referred + to as the redirect_url in the OpenIDConnect and OAuth2 specs.
+Defaults to /oauth2/callback
Ingress
for this virtual
+ route, as it is handled by Pomerium internally. certificates
.
+ If you use cert-manager
with HTTP01
+ challenge, you may use pomerium
ingressClass
+ to solve it.See Session + Management (Enterprise) for a more fine-grained session + controls.
Defaults to 14 hours.
+ format: duration + type: string + httpOnly: + description: HTTPOnly if set tofalse
, the cookie
+ would be accessible from within the JavaScript. Defaults to
+ true
.
+ type: boolean
+ name:
+ description: Name sets the Pomerium session cookie name. Defaults
+ to _pomerium
+ type: string
+ secure:
+ description: Secure if set to false, would make a cookie accessible
+ over insecure protocols (HTTP). Defaults to true
.
+ type: boolean
+ type: object
+ identityProvider:
+ description: IdentityProvider configure single-sign-on authentication
+ and user identity details by integrating with your Identity
+ Provider
+ properties:
+ provider:
+ description: Provider is the short-hand name of a built-in OpenID
+ Connect (oidc) identity provider to be used for authentication.
+ To use a generic provider, set to oidc
.
+ enum:
+ - auth0
+ - azure
+ - google
+ - okta
+ - onelogin
+ - oidc
+ - ping
+ - github
+ type: string
+ refreshDirectory:
+ description: RefreshDirectory is no longer supported, please see
+ Upgrade
+ Guide.
+ properties:
+ interval:
+ description: interval is the time that pomerium will sync
+ your IDP directory.
+ format: duration
+ type: string
+ timeout:
+ description: timeout is the maximum time allowed each run.
+ format: duration
+ type: string
+ required:
+ - interval
+ - timeout
+ type: object
+ requestParams:
+ additionalProperties:
+ type: string
+ description: RequestParams to be added as part of a signin request
+ using OAuth2 code flow.
+ format: namespace/name
+ type: object
+ requestParamsSecret:
+ description: RequestParamsSecret is a reference to a secret for
+ additional parameters you'd prefer not to provide in plaintext.
+ format: namespace/name
+ type: string
+ scopes:
+ description: Scopes Identity provider scopes correspond to access
+ privilege scopes as defined in Section 3.3 of OAuth 2.0 RFC6749.
+ items:
+ type: string
+ type: array
+ secret:
+ description: Secret containing IdP provider specific parameters.
+ and must contain at least client_id
and client_secret
+ values.
+ format: namespace/name
+ minLength: 1
+ type: string
+ serviceAccountFromSecret:
+ description: ServiceAccountFromSecret is no longer supported,
+ see Upgrade
+ Guide.
+ type: string
+ url:
+ description: URL is the base path to an identity provider's OpenID
+ connect discovery document. See Identity
+ Providers guides for details.
+ format: uri
+ pattern: ^https://
+ type: string
+ required:
+ - provider
+ - secret
+ type: object
+ jwtClaimHeaders:
+ additionalProperties:
+ type: string
+ description: JWTClaimHeaders convert claims from the assertion token
+ into HTTP headers and adds them into JWT assertion header. Please
+ make sure to read
+ Getting User Identity guide.
+ type: object
+ secrets:
+ description: "Secrets references a Secret with Pomerium bootstrap
+ parameters. \n
shared_secret
+ - secures inter-Pomerium service communications. cookie_secret
+ - encrypts Pomerium session browser cookie. See also other Cookie
+ parameters. signing_key
+ signs Pomerium JWT assertion header. See Getting
+ the user's identity guide. In a default
+ Pomerium installation manifest, they would be generated via a one-time
+ job and stored in a pomerium/bootstrap
Secret.
+ You may re-run the job to rotate the secrets, or update the Secret
+ values manually.
ca.crt
containing CA certificate that, if specified,
+ would be used to populate sslrootcert
parameter
+ of the connection string.
+ format: namespace/name
+ minLength: 1
+ type: string
+ secret:
+ description: Secret specifies a name of a Secret that must
+ contain connection
key. See DSN
+ Format and Parameters. Do not set sslrootcert
,
+ sslcert
and sslkey
via connection
+ string, use tlsCecret
and caSecret
+ CRD options instead.
+ format: namespace/name
+ minLength: 1
+ type: string
+ tlsSecret:
+ description: TLSSecret should refer to a k8s secret of type
+ kubernetes.io/tls
and allows to specify an
+ optional client certificate and key, by constructing sslcert
+ and sslkey
connection string
+ parameter values.
+ format: namespace/name
+ minLength: 1
+ type: string
+ required:
+ - secret
+ type: object
+ redis:
+ description: Redis defines REDIS connection parameters
+ properties:
+ caSecret:
+ description: CASecret should refer to a k8s secret with key
+ ca.crt
that must be a PEM-encoded certificate
+ authority to use when connecting to the databroker storage
+ engine.
+ format: namespace/name
+ type: string
+ secret:
+ description: Secret specifies a name of a Secret that must
+ contain connection
key.
+ format: namespace/name
+ minLength: 1
+ type: string
+ tlsSecret:
+ description: TLSSecret should refer to a k8s secret of type
+ kubernetes.io/tls
that would be used to perform
+ TLS connection to REDIS.
+ format: namespace/name
+ minLength: 1
+ type: string
+ tlsSkipVerify:
+ description: TLSSkipVerify disables TLS certificate chain
+ validation.
+ type: boolean
+ required:
+ - secret
+ type: object
+ type: object
+ required:
+ - authenticate
+ - identityProvider
+ - secrets
+ type: object
+ status:
+ description: PomeriumStatus represents configuration and Ingress status.
+ properties:
+ ingress:
+ additionalProperties:
+ description: ResourceStatus represents the outcome of the latest
+ attempt to reconcile relevant Kubernetes resource with Pomerium.
+ properties:
+ error:
+ description: Error that prevented latest observedGeneration
+ to be synchronized with Pomerium.
+ type: string
+ observedAt:
+ description: ObservedAt is when last reconciliation attempt
+ was made.
+ format: date-time
+ type: string
+ observedGeneration:
+ description: ObservedGeneration represents the .metadata.generation
+ that was last presented to Pomerium.
+ format: int64
+ type: integer
+ reconciled:
+ description: Reconciled is whether this object generation was
+ successfully synced with pomerium.
+ type: boolean
+ warnings:
+ description: Warnings while parsing the resource.
+ items:
+ type: string
+ type: array
+ required:
+ - reconciled
+ type: object
+ description: Routes provide per-Ingress status.
+ type: object
+ settingsStatus:
+ description: SettingsStatus represent most recent main configuration
+ reconciliation status.
+ properties:
+ error:
+ description: Error that prevented latest observedGeneration to
+ be synchronized with Pomerium.
+ type: string
+ observedAt:
+ description: ObservedAt is when last reconciliation attempt was
+ made.
+ format: date-time
+ type: string
+ observedGeneration:
+ description: ObservedGeneration represents the .metadata.generation
+ that was last presented to Pomerium.
+ format: int64
+ type: integer
+ reconciled:
+ description: Reconciled is whether this object generation was
+ successfully synced with pomerium.
+ type: boolean
+ warnings:
+ description: Warnings while parsing the resource.
+ items:
+ type: string
+ type: array
+ required:
+ - reconciled
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}