Files
@ 76e097b3e248
Branch filter:
Location: pomerium/old/01-crd.yaml
76e097b3e248
12.2 KiB
text/x-yaml
reformat
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 | apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.9.0
creationTimestamp: null
labels:
app.kubernetes.io/name: pomerium
name: pomerium.ingress.pomerium.io
spec:
group: ingress.pomerium.io
names:
kind: Pomerium
listKind: PomeriumList
plural: pomerium
singular: pomerium
scope: Cluster
versions:
- name: v1
schema:
openAPIV3Schema:
description: Pomerium define runtime-configurable Pomerium settings that do
not fall into the category of deployment parameters
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: PomeriumSpec defines the desired state of Settings
properties:
authenticate:
description: Authenticate sets authenticate service parameters
properties:
callbackPath:
description: CallbackPath see https://www.pomerium.com/reference/#authenticate-callback-path
type: string
url:
description: AuthenticateURL should be publicly accessible URL
the non-authenticated persons would be referred to see https://www.pomerium.com/reference/#authenticate-service-url
format: uri
pattern: ^https://
type: string
required:
- url
type: object
certificates:
description: Certificates is a list of secrets of type TLS to use
items:
type: string
type: array
identityProvider:
description: IdentityProvider see https://www.pomerium.com/docs/identity-providers/
properties:
provider:
description: Provider one of accepted providers - see https://www.pomerium.com/reference/#identity-provider-name.
enum:
- auth0
- azure
- google
- okta
- onelogin
- oidc
- ping
- github
type: string
refreshDirectory:
description: RefreshDirectory defines IdP directory refresh options
properties:
interval:
description: interval is the time that pomerium will sync
your IDP directory.
format: duration
type: string
timeout:
description: timeout is the maximum time allowed each run.
format: duration
type: string
required:
- interval
- timeout
type: object
requestParams:
additionalProperties:
type: string
description: RequestParams see https://www.pomerium.com/reference/#identity-provider-request-params
type: object
requestParamsSecret:
description: RequestParamsSecret is a reference to a secret for
additional parameters you'd prefer not to provide in plaintext.
type: string
scopes:
description: Scopes see https://www.pomerium.com/reference/#identity-provider-scopes.
items:
type: string
type: array
secret:
description: Secret containing IdP provider specific parameters
and must contain at least client_id and client_secret values,
an optional `service_account` field, mapped to https://www.pomerium.com/reference/#identity-provider-service-account
minLength: 1
type: string
serviceAccountFromSecret:
description: ServiceAccountFromSecret is a convenience way to
build a value for `idp_service_account` from secret map values,
see https://www.pomerium.com/docs/identity-providers/
type: string
url:
description: URL is identity provider url, see https://www.pomerium.com/reference/#identity-provider-url.
format: uri
pattern: ^https://
type: string
required:
- provider
- secret
type: object
secrets:
description: Secrets references a Secret that must have the following
keys - shared_secret - cookie_secret - signing_key
minLength: 1
type: string
storage:
description: Storage defines persistent storage for sessions and other
data it will use in-memory if none specified see https://www.pomerium.com/docs/topics/data-storage
properties:
postgres:
description: Postgres specifies PostgreSQL database connection
parameters
properties:
caSecret:
description: CASecret should refer to a k8s secret with key
`ca.crt` containing CA certificate that, if specified, would
be used to populate `sslrootcert` parameter of the connection
string
minLength: 1
type: string
secret:
description: Secret specifies a name of a Secret that must
contain `connection` key for the connection DSN format and
parameters, see https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
the following keywords are not allowed to be part of the
parameters, as they must be populated via `tlsCecret` and
`caSecret` fields
minLength: 1
type: string
tlsSecret:
description: TLSSecret should refer to a k8s secret of type
`kubernetes.io/tls` and allows to specify an optional client
certificate and key, by constructing `sslcert` and `sslkey`
connection string parameter values see https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
minLength: 1
type: string
required:
- secret
type: object
redis:
description: Redis defines REDIS connection parameters
properties:
caSecret:
description: CASecret should refer to a k8s secret with key
`ca.crt` that must be a PEM-encoded certificate authority
to use when connecting to the databroker storage engine
see https://www.pomerium.com/docs/reference/data-broker-storage-certificate-authority
type: string
secret:
description: Secret specifies a name of a Secret that must
contain `connection` key. see https://www.pomerium.com/docs/reference/data-broker-storage-connection-string
minLength: 1
type: string
tlsSecret:
description: TLSSecret should refer to a k8s secret of type
`kubernetes.io/tls` and allows to specify an optional databroker
storage client certificate and key, see - https://www.pomerium.com/docs/reference/data-broker-storage-certificate-file
- https://www.pomerium.com/docs/reference/data-broker-storage-certificate-key-file
minLength: 1
type: string
tlsSkipVerify:
description: TLSSkipVerify disables TLS certificate chain
validation see https://www.pomerium.com/docs/reference/data-broker-storage-tls-skip-verify
type: boolean
required:
- secret
type: object
type: object
required:
- authenticate
- identityProvider
- secrets
type: object
status:
description: PomeriumStatus defines the observed state of Settings
properties:
ingress:
additionalProperties:
description: ResourceStatus represents the outcome of the latest
attempt to reconcile it with Pomerium.
properties:
error:
description: Error that prevented latest observedGeneration
to be synchronized with Pomerium.
type: string
observedAt:
description: ObservedAt is when last reconciliation attempt
was made.
format: date-time
type: string
observedGeneration:
description: ObservedGeneration represents the .metadata.generation
that was last presented to Pomerium.
format: int64
type: integer
reconciled:
description: Reconciled is whether this object generation was
successfully synced with pomerium.
type: boolean
required:
- reconciled
type: object
description: Routes provide per-Ingress status.
type: object
settingsStatus:
description: settingsStatus represent most recent main configuration
reconciliation status.
properties:
error:
description: Error that prevented latest observedGeneration to
be synchronized with Pomerium.
type: string
observedAt:
description: ObservedAt is when last reconciliation attempt was
made.
format: date-time
type: string
observedGeneration:
description: ObservedGeneration represents the .metadata.generation
that was last presented to Pomerium.
format: int64
type: integer
reconciled:
description: Reconciled is whether this object generation was
successfully synced with pomerium.
type: boolean
required:
- reconciled
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}
|