mirrors/pinniped
1
0
Fork 0
mirror of https://github.com/vmware-tanzu/pinniped.git synced 2025-12-23 06:15:47 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
Files
d99563c85c0a842e9ca3cb6858974c342e1a4617
pinniped/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
Ryan Richard b2747a0ebe bump deps to kube 1.35 with new codegen
2025-12-18 13:20:41 -08:00

325 lines
18 KiB
YAML
Raw Blame History

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.20.0
name: ldapidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev
names:
categories:
- pinniped
- pinniped-idp
- pinniped-idps
kind: LDAPIdentityProvider
listKind: LDAPIdentityProviderList
plural: ldapidentityproviders
singular: ldapidentityprovider
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.host
name: Host
type: string
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access
Protocol (LDAP) identity provider.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec for configuring the identity provider.
properties:
bind:
description: |-
Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server
to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
properties:
secretName:
description: |-
SecretName contains the name of a namespace-local Secret object that provides the username and
password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be
of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value
should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
The password must be non-empty.
minLength: 1
type: string
required:
- secretName
type: object
groupSearch:
description: GroupSearch contains the configuration for searching
for a user's group membership in the LDAP provider.
properties:
attributes:
description: |-
Attributes specifies how the group's information should be read from each LDAP entry which was found as
the result of the group search.
properties:
groupName:
description: |-
GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name
in the user's list of groups after a successful authentication.
The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn".
Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name).
type: string
type: object
base:
description: |-
Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
"ou=groups,dc=example,dc=com". When not specified, no group search will be performed and
authenticated users will not belong to any groups from the LDAP provider. Also, when not specified,
the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored.
type: string
filter:
description: |-
Filter is the LDAP search filter which should be applied when searching for groups for a user.
The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
value of an attribute of the user entry found as a result of the user search. Which attribute's
value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
For more information about LDAP filters, see https://ldap.com/ldap-filters.
Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
Optional. When not specified, the default will act as if the Filter were specified as "member={}".
type: string
skipGroupRefresh:
description: |-
The user's group membership is refreshed as they interact with the supervisor
to obtain new credentials (as their old credentials expire). This allows group
membership changes to be quickly reflected into Kubernetes clusters. Since
group membership is often used to bind authorization policies, it is important
to keep the groups observed in Kubernetes clusters in-sync with the identity
provider.
In some environments, frequent group membership queries may result in a
significant performance impact on the identity provider and/or the supervisor.
The best approach to handle performance impacts is to tweak the group query
to be more performant, for example by disabling nested group search or by
using a more targeted group search base.
If the group search query cannot be made performant and you are willing to
have group memberships remain static for approximately a day, then set
skipGroupRefresh to true. This is an insecure configuration as authorization
policies that are bound to group membership will not notice if a user has
been removed from a particular group until their next login.
This is an experimental feature that may be removed or significantly altered
in the future. Consumers of this configuration should carefully read all
release notes before upgrading to ensure that the meaning of this field has
not changed.
type: boolean
userAttributeForFilter:
description: |-
UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
For example, specifying "uid" as the UserAttributeForFilter while specifying
"&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
type: string
type: object
host:
description: 'Host is the hostname of this LDAP identity provider,
i.e., where to connect. For example: ldap.example.com:636.'
minLength: 1
type: string
tls:
description: TLS contains the connection settings for how to establish
the connection to the Host.
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
userSearch:
description: UserSearch contains the configuration for searching for
a user by name in the LDAP provider.
properties:
attributes:
description: |-
Attributes specifies how the user's information should be read from the LDAP entry which was found as
the result of the user search.
properties:
uid:
description: |-
UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely
identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID".
The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
server in the user's entry. Distinguished names can be used by specifying lower-case "dn".
minLength: 1
type: string
username:
description: |-
Username specifies the name of the attribute in the LDAP entry whose value shall become the username
of the user after a successful authentication. This would typically be the same attribute name used in
the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName".
The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field
is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default
value of "dn={}" would not work.
minLength: 1
type: string
type: object
base:
description: |-
Base is the dn (distinguished name) that should be used as the search base when searching for users.
E.g. "ou=users,dc=example,dc=com".
minLength: 1
type: string
filter:
description: |-
Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur
in the filter at least once and will be dynamically replaced by the username for which the search is being run.
E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see
https://ldap.com/ldap-filters.
Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
Optional. When not specified, the default will act as if the Filter were specified as the value from
Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be
explicitly specified, since the default value of "dn={}" would not work.
type: string
type: object
required:
- host
type: object
status:
description: Status of the identity provider.
properties:
conditions:
description: Represents the observations of an identity provider's
current state.
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
phase:
default: Pending
description: Phase summarizes the overall status of the LDAPIdentityProvider.
enum:
- Pending
- Ready
- Error
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
Reference in New Issue View Git Blame Copy Permalink