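# CustomResourceDefinition for the cluster-scoped `Pomerium` settings object
# (group ingress.pomerium.io, version v1). The controller-gen annotation below
# marks this file as generated; the field descriptions presumably originate in
# the Go types' doc comments, so prefer fixing them there and regenerating.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.9.0
  creationTimestamp: null
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium.ingress.pomerium.io
spec:
  group: ingress.pomerium.io
  names:
    kind: Pomerium
    listKind: PomeriumList
    plural: pomerium
    singular: pomerium
  scope: Cluster
  versions:
    - name: v1
      schema:
        openAPIV3Schema:
          description: Pomerium define runtime-configurable Pomerium settings that do
            not fall into the category of deployment parameters
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation
                of an object. Servers should convert recognized schemas to the latest
                internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this
                object represents. Servers may infer this from the endpoint the client
                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: PomeriumSpec defines Pomerium-specific configuration parameters.
              properties:
                authenticate:
                  description: Authenticate sets authenticate service parameters
                  properties:
                    callbackPath:
                      description: "CallbackPath sets the path at which the authenticate
                        service receives callback responses from your identity provider.
                        The value must exactly match one of the authorized redirect
                        URIs for the OAuth 2.0 client. \n <p>This value is referred
                        to as the redirect_url in the OpenIDConnect and OAuth2 specs.</p>
                        <p>Defaults to <code>/oauth2/callback</code></p>"
                      type: string
                    url:
                      description: "AuthenticateURL is a dedicated domain URL the non-authenticated
                        persons would be referred to. \n <p><ul> <li>You do not need
                        to create a dedicated <code>Ingress</code> for this virtual
                        route, as it is handled by Pomerium internally. </li> <li>You
                        do need create a secret with corresponding TLS certificate for
                        this route and reference it via <a href=\"#prop-certificates\"><code>certificates</code></a>.
                        If you use <code>cert-manager</code> with <code>HTTP01</code>
                        challenge, you may use <code>pomerium</code> <code>ingressClass</code>
                        to solve it.</li> </ul></p>"
                      format: uri
                      # Admission-time validation: the authenticate endpoint must be an
                      # https:// URL, so a plaintext callback URL is rejected by the API server.
                      pattern: ^https://
                      type: string
                  required:
                    - url
                  type: object
                certificates:
                  description: Certificates is a list of secrets of type TLS to use
                  format: namespace/name
                  items:
                    type: string
                  type: array
                cookie:
                  description: Cookie defines Pomerium session cookie options.
                  properties:
                    domain:
                      description: Domain defaults to the same host that set the cookie.
                        If you specify the domain explicitly, then subdomains would
                        also be included.
                      type: string
                    expire:
                      description: Expire sets cookie and Pomerium session expiration
                        time. Once session expires, users would have to re-login. If
                        you change this parameter, existing sessions are not affected.
                        <p>See <a href="https://www.pomerium.com/docs/enterprise/about#session-management">Session
                        Management</a> (Enterprise) for a more fine-grained session
                        controls.</p> <p>Defaults to 14 hours.</p>
                      format: duration
                      type: string
                    # httpOnly and secure both default to true per their descriptions;
                    # setting either to false widens the session cookie's exposure
                    # (script access, or transmission over plaintext HTTP).
                    httpOnly:
                      description: HTTPOnly if set to <code>false</code>, the cookie
                        would be accessible from within the JavaScript. Defaults to
                        <code>true</code>.
                      type: boolean
                    name:
                      description: Name sets the Pomerium session cookie name. Defaults
                        to <code>_pomerium</code>
                      type: string
                    secure:
                      description: Secure if set to false, would make a cookie accessible
                        over insecure protocols (HTTP). Defaults to <code>true</code>.
                      type: boolean
                  type: object
                identityProvider:
                  description: IdentityProvider configure single-sign-on authentication
                    and user identity details by integrating with your <a href="https://www.pomerium.com/docs/identity-providers/">Identity
                    Provider</a>
                  properties:
                    provider:
                      description: Provider is the short-hand name of a built-in OpenID
                        Connect (oidc) identity provider to be used for authentication.
                        To use a generic provider, set to <code>oidc</code>.
                      enum:
                        - auth0
                        - azure
                        - google
                        - okta
                        - onelogin
                        - oidc
                        - ping
                        - github
                      type: string
                    # Deprecated per its description, but still part of the schema:
                    # a value set here is accepted at admission rather than rejected.
                    refreshDirectory:
                      description: RefreshDirectory is no longer supported, please see
                        <a href="https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync">Upgrade
                        Guide</a>.
                      properties:
                        interval:
                          description: interval is the time that pomerium will sync
                            your IDP directory.
                          format: duration
                          type: string
                        timeout:
                          description: timeout is the maximum time allowed each run.
                          format: duration
                          type: string
                      required:
                        - interval
                        - timeout
                      type: object
                    requestParams:
                      additionalProperties:
                        type: string
                      description: RequestParams to be added as part of a signin request
                        using OAuth2 code flow.
                      format: namespace/name
                      type: object
                    # Values that should not appear in plaintext in this object go in
                    # the referenced Secret instead of requestParams.
                    requestParamsSecret:
                      description: RequestParamsSecret is a reference to a secret for
                        additional parameters you'd prefer not to provide in plaintext.
                      format: namespace/name
                      type: string
                    scopes:
                      description: Scopes Identity provider scopes correspond to access
                        privilege scopes as defined in Section 3.3 of OAuth 2.0 RFC6749.
                      items:
                        type: string
                      type: array
                    secret:
                      description: Secret containing IdP provider specific parameters.
                        and must contain at least <code>client_id</code> and <code>client_secret</code>
                        values.
                      format: namespace/name
                      minLength: 1
                      type: string
                    # Deprecated per its description; same admission behaviour as
                    # refreshDirectory above.
                    serviceAccountFromSecret:
                      description: ServiceAccountFromSecret is no longer supported,
                        see <a href="https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync">Upgrade
                        Guide</a>.
                      type: string
                    url:
                      description: URL is the base path to an identity provider's OpenID
                        connect discovery document. See <a href="https://pomerium.com/docs/identity-providers">Identity
                        Providers</a> guides for details.
                      format: uri
                      # Admission-time validation: discovery must happen over TLS.
                      pattern: ^https://
                      type: string
                  required:
                    - provider
                    - secret
                  type: object
                jwtClaimHeaders:
                  additionalProperties:
                    type: string
                  description: JWTClaimHeaders convert claims from the assertion token
                    into HTTP headers and adds them into JWT assertion header. Please
                    make sure to read <a href="https://www.pomerium.com/docs/topics/getting-users-identity">
                    Getting User Identity</a> guide.
                  type: object
                # Bootstrap key material (shared_secret, cookie_secret, signing_key)
                # is only referenced here; the values themselves live in the Secret.
                secrets:
                  description: "Secrets references a Secret with Pomerium bootstrap
                    parameters. \n <p> <ul> <li><a href=\"https://pomerium.com/docs/reference/shared-secret\"><code>shared_secret</code></a>
                    - secures inter-Pomerium service communications. </li> <li><a href=\"https://pomerium.com/docs/reference/cookie-secret\"><code>cookie_secret</code></a>
                    - encrypts Pomerium session browser cookie. See also other <a href=\"#cookie\">Cookie</a>
                    parameters. </li> <li><a href=\"https://pomerium.com/docs/reference/signing-key\"><code>signing_key</code></a>
                    signs Pomerium JWT assertion header. See <a href=\"https://www.pomerium.com/docs/topics/getting-users-identity\">Getting
                    the user's identity</a> guide. </li> </ul> </p> <p> In a default
                    Pomerium installation manifest, they would be generated via a <a
                    href=\"https://github.com/pomerium/ingress-controller/blob/main/config/gen_secrets/job.yaml\">one-time
                    job</a> and stored in a <code>pomerium/bootstrap</code> Secret.
                    You may re-run the job to rotate the secrets, or update the Secret
                    values manually. </p>"
                  format: namespace/name
                  minLength: 1
                  type: string
                storage:
                  description: Storage defines persistent storage for sessions and other
                    data. See <a href="https://www.pomerium.com/docs/topics/data-storage">Storage</a>
                    for details. If no storage is specified, Pomerium would use a transient
                    in-memory storage (not recommended for production).
                  properties:
                    postgres:
                      description: Postgres specifies PostgreSQL database connection
                        parameters
                      properties:
                        caSecret:
                          description: CASecret should refer to a k8s secret with key
                            <code>ca.crt</code> containing CA certificate that, if specified,
                            would be used to populate <code>sslrootcert</code> parameter
                            of the connection string.
                          format: namespace/name
                          minLength: 1
                          type: string
                        secret:
                          # NOTE(review): the description previously named the sibling
                          # field "tlsCecret"; corrected to tlsSecret here — apply the same
                          # fix at the generator's source (presumably the Go doc comment).
                          description: Secret specifies a name of a Secret that must
                            contain <code>connection</code> key. See <a href="https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING">DSN
                            Format and Parameters</a>. Do not set <code>sslrootcert</code>,
                            <code>sslcert</code> and <code>sslkey</code> via connection
                            string, use <code>tlsSecret</code> and <code>caSecret</code>
                            CRD options instead.
                          format: namespace/name
                          minLength: 1
                          type: string
                        tlsSecret:
                          description: TLSSecret should refer to a k8s secret of type
                            <code>kubernetes.io/tls</code> and allows to specify an
                            optional client certificate and key, by constructing <code>sslcert</code>
                            and <code>sslkey</code> connection string <a href="https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS">
                            parameter values</a>.
                          format: namespace/name
                          minLength: 1
                          type: string
                      required:
                        - secret
                      type: object
                    redis:
                      description: Redis defines REDIS connection parameters
                      properties:
                        caSecret:
                          description: CASecret should refer to a k8s secret with key
                            <code>ca.crt</code> that must be a PEM-encoded certificate
                            authority to use when connecting to the databroker storage
                            engine.
                          format: namespace/name
                          type: string
                        secret:
                          description: Secret specifies a name of a Secret that must
                            contain <code>connection</code> key.
                          format: namespace/name
                          minLength: 1
                          type: string
                        tlsSecret:
                          description: TLSSecret should refer to a k8s secret of type
                            <code>kubernetes.io/tls</code> that would be used to perform
                            TLS connection to REDIS.
                          format: namespace/name
                          minLength: 1
                          type: string
                        # Turning this on removes server-certificate validation for the
                        # Redis connection that carries session data; prefer caSecret
                        # for private CAs and leave this unset outside of test setups.
                        tlsSkipVerify:
                          description: TLSSkipVerify disables TLS certificate chain
                            validation.
                          type: boolean
                      required:
                        - secret
                      type: object
                  type: object
              required:
                - authenticate
                - identityProvider
                - secrets
              type: object
            status:
              description: PomeriumStatus represents configuration and Ingress status.
              properties:
                ingress:
                  additionalProperties:
                    description: ResourceStatus represents the outcome of the latest
                      attempt to reconcile relevant Kubernetes resource with Pomerium.
                    properties:
                      error:
                        description: Error that prevented latest observedGeneration
                          to be synchronized with Pomerium.
                        type: string
                      observedAt:
                        description: ObservedAt is when last reconciliation attempt
                          was made.
                        format: date-time
                        type: string
                      observedGeneration:
                        description: ObservedGeneration represents the <code>.metadata.generation</code>
                          that was last presented to Pomerium.
                        format: int64
                        type: integer
                      reconciled:
                        description: Reconciled is whether this object generation was
                          successfully synced with pomerium.
                        type: boolean
                      warnings:
                        description: Warnings while parsing the resource.
                        items:
                          type: string
                        type: array
                    required:
                      - reconciled
                    type: object
                  description: Routes provide per-Ingress status.
                  type: object
                settingsStatus:
                  description: SettingsStatus represent most recent main configuration
                    reconciliation status.
                  properties:
                    error:
                      description: Error that prevented latest observedGeneration to
                        be synchronized with Pomerium.
                      type: string
                    observedAt:
                      description: ObservedAt is when last reconciliation attempt was
                        made.
                      format: date-time
                      type: string
                    observedGeneration:
                      description: ObservedGeneration represents the <code>.metadata.generation</code>
                        that was last presented to Pomerium.
                      format: int64
                      type: integer
                    reconciled:
                      description: Reconciled is whether this object generation was
                        successfully synced with pomerium.
                      type: boolean
                    warnings:
                      description: Warnings while parsing the resource.
                      items:
                        type: string
                      type: array
                  required:
                    - reconciled
                  type: object
              type: object
          type: object
      served: true
      storage: true
      subresources:
        status: {}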