mirror of
https://github.com/vmware-tanzu/pinniped.git
synced 2025-12-23 06:15:47 +00:00
244 lines
11 KiB
YAML
244 lines
11 KiB
YAML
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.20.0
|
|
name: credentialissuers.config.concierge.pinniped.dev
|
|
spec:
|
|
group: config.concierge.pinniped.dev
|
|
names:
|
|
categories:
|
|
- pinniped
|
|
kind: CredentialIssuer
|
|
listKind: CredentialIssuerList
|
|
plural: credentialissuers
|
|
singular: credentialissuer
|
|
scope: Cluster
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.impersonationProxy.mode
|
|
name: ProxyMode
|
|
type: string
|
|
- jsonPath: .status.strategies[?(@.status == "Success")].type
|
|
name: DefaultStrategy
|
|
type: string
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
name: v1alpha1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: CredentialIssuer describes the configuration and status of the
|
|
Pinniped Concierge credential issuer.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec describes the intended configuration of the Concierge.
|
|
properties:
|
|
impersonationProxy:
|
|
description: ImpersonationProxy describes the intended configuration
|
|
of the Concierge impersonation proxy.
|
|
properties:
|
|
externalEndpoint:
|
|
description: |-
|
|
ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will
|
|
be served using the external name of the LoadBalancer service or the cluster service DNS name.
|
|
|
|
This field must be non-empty when spec.impersonationProxy.service.type is "None".
|
|
type: string
|
|
mode:
|
|
description: |-
|
|
Mode configures whether the impersonation proxy should be started:
|
|
- "disabled" explicitly disables the impersonation proxy. This is the default.
|
|
- "enabled" explicitly enables the impersonation proxy.
|
|
- "auto" enables or disables the impersonation proxy based upon the cluster in which it is running.
|
|
enum:
|
|
- auto
|
|
- enabled
|
|
- disabled
|
|
type: string
|
|
service:
|
|
default:
|
|
type: LoadBalancer
|
|
description: Service describes the configuration of the Service
|
|
provisioned to expose the impersonation proxy to clients.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations specifies zero or more key/value
|
|
pairs to set as annotations on the provisioned Service.
|
|
type: object
|
|
loadBalancerIP:
|
|
description: |-
|
|
LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service.
|
|
This is not supported on all cloud providers.
|
|
maxLength: 255
|
|
minLength: 1
|
|
type: string
|
|
type:
|
|
default: LoadBalancer
|
|
description: |-
|
|
Type specifies the type of Service to provision for the impersonation proxy.
|
|
|
|
If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty
|
|
value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status.
|
|
enum:
|
|
- LoadBalancer
|
|
- ClusterIP
|
|
- None
|
|
type: string
|
|
type: object
|
|
tls:
|
|
description: |-
|
|
TLS contains information about how the Concierge impersonation proxy should serve TLS.
|
|
|
|
If this field is empty, the impersonation proxy will generate its own TLS certificate.
|
|
properties:
|
|
certificateAuthorityData:
|
|
description: |-
|
|
X.509 Certificate Authority (base64-encoded PEM bundle).
|
|
Used to advertise the CA bundle for the impersonation proxy endpoint.
|
|
type: string
|
|
secretName:
|
|
description: |-
|
|
SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
|
|
the TLS serving certificate for the Concierge impersonation proxy endpoint.
|
|
minLength: 1
|
|
type: string
|
|
type: object
|
|
required:
|
|
- mode
|
|
- service
|
|
type: object
|
|
required:
|
|
- impersonationProxy
|
|
type: object
|
|
status:
|
|
description: CredentialIssuerStatus describes the status of the Concierge.
|
|
properties:
|
|
strategies:
|
|
description: List of integration strategies that were attempted by
|
|
Pinniped.
|
|
items:
|
|
description: CredentialIssuerStrategy describes the status of an
|
|
integration strategy that was attempted by Pinniped.
|
|
properties:
|
|
frontend:
|
|
description: Frontend describes how clients can connect using
|
|
this strategy.
|
|
properties:
|
|
impersonationProxyInfo:
|
|
description: |-
|
|
ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge.
|
|
This field is only set when Type is "ImpersonationProxy".
|
|
properties:
|
|
certificateAuthorityData:
|
|
description: CertificateAuthorityData is the base64-encoded
|
|
PEM CA bundle of the impersonation proxy.
|
|
minLength: 1
|
|
type: string
|
|
endpoint:
|
|
description: Endpoint is the HTTPS endpoint of the impersonation
|
|
proxy.
|
|
minLength: 1
|
|
pattern: ^https://
|
|
type: string
|
|
required:
|
|
- certificateAuthorityData
|
|
- endpoint
|
|
type: object
|
|
tokenCredentialRequestInfo:
|
|
description: |-
|
|
TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge.
|
|
This field is only set when Type is "TokenCredentialRequestAPI".
|
|
properties:
|
|
certificateAuthorityData:
|
|
description: CertificateAuthorityData is the base64-encoded
|
|
Kubernetes API server CA bundle.
|
|
minLength: 1
|
|
type: string
|
|
server:
|
|
description: Server is the Kubernetes API server URL.
|
|
minLength: 1
|
|
pattern: ^https://|^http://
|
|
type: string
|
|
required:
|
|
- certificateAuthorityData
|
|
- server
|
|
type: object
|
|
type:
|
|
description: Type describes which frontend mechanism clients
|
|
can use with a strategy.
|
|
enum:
|
|
- TokenCredentialRequestAPI
|
|
- ImpersonationProxy
|
|
type: string
|
|
required:
|
|
- type
|
|
type: object
|
|
lastUpdateTime:
|
|
description: When the status was last checked.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: Human-readable description of the current status.
|
|
minLength: 1
|
|
type: string
|
|
reason:
|
|
description: Reason for the current status.
|
|
enum:
|
|
- Listening
|
|
- Pending
|
|
- Disabled
|
|
- ErrorDuringSetup
|
|
- CouldNotFetchKey
|
|
- CouldNotGetClusterInfo
|
|
- FetchedKey
|
|
type: string
|
|
status:
|
|
description: Status of the attempted integration strategy.
|
|
enum:
|
|
- Success
|
|
- Error
|
|
type: string
|
|
type:
|
|
description: Type of integration attempted.
|
|
enum:
|
|
- KubeClusterSigningCertificate
|
|
- ImpersonationProxy
|
|
type: string
|
|
required:
|
|
- lastUpdateTime
|
|
- message
|
|
- reason
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
required:
|
|
- strategies
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|