mirror of
https://github.com/vmware-tanzu/pinniped.git
synced 2026-01-03 11:45:45 +00:00
193 lines
8.7 KiB
YAML
Generated
193 lines
8.7 KiB
YAML
Generated
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.15.0
|
|
name: jwtauthenticators.authentication.concierge.pinniped.dev
|
|
spec:
|
|
group: authentication.concierge.pinniped.dev
|
|
names:
|
|
categories:
|
|
- pinniped
|
|
- pinniped-authenticator
|
|
- pinniped-authenticators
|
|
kind: JWTAuthenticator
|
|
listKind: JWTAuthenticatorList
|
|
plural: jwtauthenticators
|
|
singular: jwtauthenticator
|
|
scope: Cluster
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.issuer
|
|
name: Issuer
|
|
type: string
|
|
- jsonPath: .spec.audience
|
|
name: Audience
|
|
type: string
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
name: v1alpha1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: |-
|
|
JWTAuthenticator describes the configuration of a JWT authenticator.
|
|
|
|
|
|
Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid
|
|
signature, existence of claims, etc.) and extract the username and groups from the token.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec for configuring the authenticator.
|
|
properties:
|
|
audience:
|
|
description: Audience is the required value of the "aud" JWT claim.
|
|
minLength: 1
|
|
type: string
|
|
claims:
|
|
description: |-
|
|
Claims allows customization of the claims that will be mapped to user identity
|
|
for Kubernetes access.
|
|
properties:
|
|
groups:
|
|
description: |-
|
|
Groups is the name of the claim which should be read to extract the user's
|
|
group membership from the JWT token. When not specified, it will default to "groups".
|
|
type: string
|
|
username:
|
|
description: |-
|
|
Username is the name of the claim which should be read to extract the
|
|
username from the JWT token. When not specified, it will default to "username".
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: |-
|
|
Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is
|
|
also used to validate the "iss" JWT claim.
|
|
minLength: 1
|
|
pattern: ^https://
|
|
type: string
|
|
tls:
|
|
description: TLS configuration for communicating with the OIDC provider.
|
|
properties:
|
|
certificateAuthorityData:
|
|
description: X.509 Certificate Authority (base64-encoded PEM bundle).
|
|
If omitted, a default set of system roots will be trusted.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- audience
|
|
- issuer
|
|
type: object
|
|
status:
|
|
description: Status of the authenticator.
|
|
properties:
|
|
conditions:
|
|
description: Represents the observations of the authenticator's current
|
|
state.
|
|
items:
|
|
description: "Condition contains details for one aspect of the current
|
|
state of this API Resource.\n---\nThis struct is intended for
|
|
direct use as an array at the field path .status.conditions. For
|
|
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
|
|
observations of a foo's current state.\n\t // Known .status.conditions.type
|
|
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
|
|
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
|
|
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
|
|
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
|
|
\ // other fields\n\t}"
|
|
properties:
|
|
lastTransitionTime:
|
|
description: |-
|
|
lastTransitionTime is the last time the condition transitioned from one status to another.
|
|
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: |-
|
|
message is a human readable message indicating details about the transition.
|
|
This may be an empty string.
|
|
maxLength: 32768
|
|
type: string
|
|
observedGeneration:
|
|
description: |-
|
|
observedGeneration represents the .metadata.generation that the condition was set based upon.
|
|
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
|
|
with respect to the current state of the instance.
|
|
format: int64
|
|
minimum: 0
|
|
type: integer
|
|
reason:
|
|
description: |-
|
|
reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
|
Producers of specific condition types may define expected values and meanings for this field,
|
|
and whether the values are considered a guaranteed API.
|
|
The value should be a CamelCase string.
|
|
This field may not be empty.
|
|
maxLength: 1024
|
|
minLength: 1
|
|
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
|
type: string
|
|
status:
|
|
description: status of the condition, one of True, False, Unknown.
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: |-
|
|
type of condition in CamelCase or in foo.example.com/CamelCase.
|
|
---
|
|
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
|
|
useful (see .node.status.conditions), the ability to deconflict is important.
|
|
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
|
maxLength: 316
|
|
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
|
type: string
|
|
required:
|
|
- lastTransitionTime
|
|
- message
|
|
- reason
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-map-keys:
|
|
- type
|
|
x-kubernetes-list-type: map
|
|
phase:
|
|
default: Pending
|
|
description: Phase summarizes the overall status of the JWTAuthenticator.
|
|
enum:
|
|
- Pending
|
|
- Ready
|
|
- Error
|
|
type: string
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|