diff --git a/kube/01-crd.yaml b/kube/01-crd.yaml new file mode 100644 --- /dev/null +++ b/kube/01-crd.yaml @@ -0,0 +1,259 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 + creationTimestamp: null + labels: + app.kubernetes.io/name: pomerium + name: pomerium.ingress.pomerium.io +spec: + group: ingress.pomerium.io + names: + kind: Pomerium + listKind: PomeriumList + plural: pomerium + singular: pomerium + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Pomerium define runtime-configurable Pomerium settings that do + not fall into the category of deployment parameters + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PomeriumSpec defines the desired state of Settings + properties: + authenticate: + description: Authenticate sets authenticate service parameters + properties: + callbackPath: + description: CallbackPath see https://www.pomerium.com/reference/#authenticate-callback-path + type: string + url: + description: AuthenticateURL should be publicly accessible URL + the non-authenticated persons would be referred to see https://www.pomerium.com/reference/#authenticate-service-url + format: uri + pattern: ^https:// + type: string + required: + - url + type: object + certificates: + description: Certificates is a list of secrets of type TLS to use + items: + type: string + type: array + identityProvider: + description: IdentityProvider see https://www.pomerium.com/docs/identity-providers/ + properties: + provider: + description: Provider one of accepted providers - see https://www.pomerium.com/reference/#identity-provider-name. + enum: + - auth0 + - azure + - google + - okta + - onelogin + - oidc + - ping + - github + type: string + refreshDirectory: + description: RefreshDirectory defines IdP directory refresh options + properties: + interval: + description: interval is the time that pomerium will sync + your IDP directory. + format: duration + type: string + timeout: + description: timeout is the maximum time allowed each run. + format: duration + type: string + required: + - interval + - timeout + type: object + requestParams: + additionalProperties: + type: string + description: RequestParams see https://www.pomerium.com/reference/#identity-provider-request-params + type: object + requestParamsSecret: + description: RequestParamsSecret is a reference to a secret for + additional parameters you'd prefer not to provide in plaintext. + type: string + scopes: + description: Scopes see https://www.pomerium.com/reference/#identity-provider-scopes. + items: + type: string + type: array + secret: + description: Secret containing IdP provider specific parameters + and must contain at least client_id and client_secret values, + an optional `service_account` field, mapped to https://www.pomerium.com/reference/#identity-provider-service-account + minLength: 1 + type: string + serviceAccountFromSecret: + description: ServiceAccountFromSecret is a convenience way to + build a value for `idp_service_account` from secret map values, + see https://www.pomerium.com/docs/identity-providers/ + type: string + url: + description: URL is identity provider url, see https://www.pomerium.com/reference/#identity-provider-url. + format: uri + pattern: ^https:// + type: string + required: + - provider + - secret + type: object + secrets: + description: Secrets references a Secret that must have the following + keys - shared_secret - cookie_secret - signing_key + minLength: 1 + type: string + storage: + description: Storage defines persistent storage for sessions and other + data it will use in-memory if none specified see https://www.pomerium.com/docs/topics/data-storage + properties: + postgres: + description: Postgres specifies PostgreSQL database connection + parameters + properties: + caSecret: + description: CASecret should refer to a k8s secret with key + `ca.crt` containing CA certificate that, if specified, would + be used to populate `sslrootcert` parameter of the connection + string + minLength: 1 + type: string + secret: + description: Secret specifies a name of a Secret that must + contain `connection` key for the connection DSN format and + parameters, see https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING + the following keywords are not allowed to be part of the + parameters, as they must be populated via `tlsCecret` and + `caSecret` fields + minLength: 1 + type: string + tlsSecret: + description: TLSSecret should refer to a k8s secret of type + `kubernetes.io/tls` and allows to specify an optional client + certificate and key, by constructing `sslcert` and `sslkey` + connection string parameter values see https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS + minLength: 1 + type: string + required: + - secret + type: object + redis: + description: Redis defines REDIS connection parameters + properties: + caSecret: + description: CASecret should refer to a k8s secret with key + `ca.crt` that must be a PEM-encoded certificate authority + to use when connecting to the databroker storage engine + see https://www.pomerium.com/docs/reference/data-broker-storage-certificate-authority + type: string + secret: + description: Secret specifies a name of a Secret that must + contain `connection` key. see https://www.pomerium.com/docs/reference/data-broker-storage-connection-string + minLength: 1 + type: string + tlsSecret: + description: TLSSecret should refer to a k8s secret of type + `kubernetes.io/tls` and allows to specify an optional databroker + storage client certificate and key, see - https://www.pomerium.com/docs/reference/data-broker-storage-certificate-file + - https://www.pomerium.com/docs/reference/data-broker-storage-certificate-key-file + minLength: 1 + type: string + tlsSkipVerify: + description: TLSSkipVerify disables TLS certificate chain + validation see https://www.pomerium.com/docs/reference/data-broker-storage-tls-skip-verify + type: boolean + required: + - secret + type: object + type: object + required: + - authenticate + - identityProvider + - secrets + type: object + status: + description: PomeriumStatus defines the observed state of Settings + properties: + ingress: + additionalProperties: + description: ResourceStatus represents the outcome of the latest + attempt to reconcile it with Pomerium. + properties: + error: + description: Error that prevented latest observedGeneration + to be synchronized with Pomerium. + type: string + observedAt: + description: ObservedAt is when last reconciliation attempt + was made. + format: date-time + type: string + observedGeneration: + description: ObservedGeneration represents the .metadata.generation + that was last presented to Pomerium. + format: int64 + type: integer + reconciled: + description: Reconciled is whether this object generation was + successfully synced with pomerium. + type: boolean + required: + - reconciled + type: object + description: Routes provide per-Ingress status. + type: object + settingsStatus: + description: settingsStatus represent most recent main configuration + reconciliation status. + properties: + error: + description: Error that prevented latest observedGeneration to + be synchronized with Pomerium. + type: string + observedAt: + description: ObservedAt is when last reconciliation attempt was + made. + format: date-time + type: string + observedGeneration: + description: ObservedGeneration represents the .metadata.generation + that was last presented to Pomerium. + format: int64 + type: integer + reconciled: + description: Reconciled is whether this object generation was + successfully synced with pomerium. + type: boolean + required: + - reconciled + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} \ No newline at end of file