apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.9.0 creationTimestamp: null labels: app.kubernetes.io/name: pomerium name: pomerium.ingress.pomerium.io spec: group: ingress.pomerium.io names: kind: Pomerium listKind: PomeriumList plural: pomerium singular: pomerium scope: Cluster versions: - name: v1 schema: openAPIV3Schema: description: Pomerium define runtime-configurable Pomerium settings that do not fall into the category of deployment parameters properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: PomeriumSpec defines the desired state of Settings properties: authenticate: description: Authenticate sets authenticate service parameters properties: callbackPath: description: CallbackPath see https://www.pomerium.com/reference/#authenticate-callback-path type: string url: description: AuthenticateURL should be publicly accessible URL the non-authenticated persons would be referred to see https://www.pomerium.com/reference/#authenticate-service-url format: uri pattern: ^https:// type: string required: - url type: object certificates: description: Certificates is a list of secrets of type TLS to use items: type: string type: array identityProvider: description: IdentityProvider see https://www.pomerium.com/docs/identity-providers/ properties: provider: description: Provider one of accepted providers - see https://www.pomerium.com/reference/#identity-provider-name. enum: - auth0 - azure - google - okta - onelogin - oidc - ping - github type: string refreshDirectory: description: RefreshDirectory defines IdP directory refresh options properties: interval: description: interval is the time that pomerium will sync your IDP directory. format: duration type: string timeout: description: timeout is the maximum time allowed each run. format: duration type: string required: - interval - timeout type: object requestParams: additionalProperties: type: string description: RequestParams see https://www.pomerium.com/reference/#identity-provider-request-params type: object requestParamsSecret: description: RequestParamsSecret is a reference to a secret for additional parameters you'd prefer not to provide in plaintext. type: string scopes: description: Scopes see https://www.pomerium.com/reference/#identity-provider-scopes. items: type: string type: array secret: description: Secret containing IdP provider specific parameters and must contain at least client_id and client_secret values, an optional `service_account` field, mapped to https://www.pomerium.com/reference/#identity-provider-service-account minLength: 1 type: string serviceAccountFromSecret: description: ServiceAccountFromSecret is a convenience way to build a value for `idp_service_account` from secret map values, see https://www.pomerium.com/docs/identity-providers/ type: string url: description: URL is identity provider url, see https://www.pomerium.com/reference/#identity-provider-url. format: uri pattern: ^https:// type: string required: - provider - secret type: object secrets: description: Secrets references a Secret that must have the following keys - shared_secret - cookie_secret - signing_key minLength: 1 type: string storage: description: Storage defines persistent storage for sessions and other data it will use in-memory if none specified see https://www.pomerium.com/docs/topics/data-storage properties: postgres: description: Postgres specifies PostgreSQL database connection parameters properties: caSecret: description: CASecret should refer to a k8s secret with key `ca.crt` containing CA certificate that, if specified, would be used to populate `sslrootcert` parameter of the connection string minLength: 1 type: string secret: description: Secret specifies a name of a Secret that must contain `connection` key for the connection DSN format and parameters, see https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING the following keywords are not allowed to be part of the parameters, as they must be populated via `tlsCecret` and `caSecret` fields minLength: 1 type: string tlsSecret: description: TLSSecret should refer to a k8s secret of type `kubernetes.io/tls` and allows to specify an optional client certificate and key, by constructing `sslcert` and `sslkey` connection string parameter values see https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS minLength: 1 type: string required: - secret type: object redis: description: Redis defines REDIS connection parameters properties: caSecret: description: CASecret should refer to a k8s secret with key `ca.crt` that must be a PEM-encoded certificate authority to use when connecting to the databroker storage engine see https://www.pomerium.com/docs/reference/data-broker-storage-certificate-authority type: string secret: description: Secret specifies a name of a Secret that must contain `connection` key. see https://www.pomerium.com/docs/reference/data-broker-storage-connection-string minLength: 1 type: string tlsSecret: description: TLSSecret should refer to a k8s secret of type `kubernetes.io/tls` and allows to specify an optional databroker storage client certificate and key, see - https://www.pomerium.com/docs/reference/data-broker-storage-certificate-file - https://www.pomerium.com/docs/reference/data-broker-storage-certificate-key-file minLength: 1 type: string tlsSkipVerify: description: TLSSkipVerify disables TLS certificate chain validation see https://www.pomerium.com/docs/reference/data-broker-storage-tls-skip-verify type: boolean required: - secret type: object type: object required: - authenticate - identityProvider - secrets type: object status: description: PomeriumStatus defines the observed state of Settings properties: ingress: additionalProperties: description: ResourceStatus represents the outcome of the latest attempt to reconcile it with Pomerium. properties: error: description: Error that prevented latest observedGeneration to be synchronized with Pomerium. type: string observedAt: description: ObservedAt is when last reconciliation attempt was made. format: date-time type: string observedGeneration: description: ObservedGeneration represents the .metadata.generation that was last presented to Pomerium. format: int64 type: integer reconciled: description: Reconciled is whether this object generation was successfully synced with pomerium. type: boolean required: - reconciled type: object description: Routes provide per-Ingress status. type: object settingsStatus: description: settingsStatus represent most recent main configuration reconciliation status. properties: error: description: Error that prevented latest observedGeneration to be synchronized with Pomerium. type: string observedAt: description: ObservedAt is when last reconciliation attempt was made. format: date-time type: string observedGeneration: description: ObservedGeneration represents the .metadata.generation that was last presented to Pomerium. format: int64 type: integer reconciled: description: Reconciled is whether this object generation was successfully synced with pomerium. type: boolean required: - reconciled type: object type: object type: object served: true storage: true subresources: status: {}