diff --git a/examples/gitops/guestbook/all-in-one.yml b/examples/gitops/guestbook/all-in-one.yml index 4148b54e8..7aeb382ba 100644 --- a/examples/gitops/guestbook/all-in-one.yml +++ b/examples/gitops/guestbook/all-in-one.yml @@ -38,7 +38,7 @@ spec: spec: containers: - name: primary - image: registry.k8s.io/redis:e2e #! or just image: redis + image: registry.k8s.io/redis@sha256:cb111d1bd870a6a471385a4a69ad17469d326e9dd91e0e455350cacf36e1b3ee #! or just image: redis resources: requests: cpu: 120m diff --git a/examples/gitops/redis-with-configmap/redis.yml b/examples/gitops/redis-with-configmap/redis.yml index d852bcefc..8d77ce28d 100644 --- a/examples/gitops/redis-with-configmap/redis.yml +++ b/examples/gitops/redis-with-configmap/redis.yml @@ -19,7 +19,7 @@ metadata: spec: containers: - name: redis - image: registry.k8s.io/redis:e2e + image: registry.k8s.io/redis@sha256:cb111d1bd870a6a471385a4a69ad17469d326e9dd91e0e455350cacf36e1b3ee ports: - containerPort: 6379 resources: diff --git a/examples/pinniped-v0.13.0/README.md b/examples/pinniped-v0.13.0/README.md deleted file mode 100644 index 0612d03bd..000000000 --- a/examples/pinniped-v0.13.0/README.md +++ /dev/null @@ -1,8 +0,0 @@ -Downloaded via - -```bash -ytt \ - -f https://get.pinniped.dev/v0.13.0/install-pinniped-concierge.yaml \ - -f https://get.pinniped.dev/v0.13.0/install-local-user-authenticator.yaml \ - -f https://get.pinniped.dev/v0.13.0/install-pinniped-supervisor.yaml > config.yml -``` diff --git a/examples/pinniped-v0.13.0/config.yml b/examples/pinniped-v0.13.0/config.yml deleted file mode 100644 index 51221d491..000000000 --- a/examples/pinniped-v0.13.0/config.yml +++ /dev/null @@ -1,2155 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.4.0 - creationTimestamp: null - name: jwtauthenticators.authentication.concierge.pinniped.dev - labels: - app: pinniped-concierge -spec: - group: authentication.concierge.pinniped.dev - names: - categories: - - pinniped - - pinniped-authenticator - - pinniped-authenticators - kind: JWTAuthenticator - listKind: JWTAuthenticatorList - plural: jwtauthenticators - singular: jwtauthenticator - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.issuer - name: Issuer - type: string - - jsonPath: .spec.audience - name: Audience - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: "JWTAuthenticator describes the configuration of a JWT authenticator. \n Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid signature, existence of claims, etc.) and extract the username and groups from the token." - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec for configuring the authenticator. - properties: - audience: - description: Audience is the required value of the "aud" JWT claim. - minLength: 1 - type: string - claims: - description: Claims allows customization of the claims that will be mapped to user identity for Kubernetes access. - properties: - groups: - description: Groups is the name of the claim which should be read to extract the user's group membership from the JWT token. When not specified, it will default to "groups". - type: string - username: - description: Username is the name of the claim which should be read to extract the username from the JWT token. When not specified, it will default to "username". - type: string - type: object - issuer: - description: Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT claim. - minLength: 1 - pattern: ^https:// - type: string - tls: - description: TLS configuration for communicating with the OIDC provider. - properties: - certificateAuthorityData: - description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. - type: string - type: object - required: - - audience - - issuer - type: object - status: - description: Status of the authenticator. - properties: - conditions: - description: Represents the observations of the authenticator's current state. - items: - description: Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.4.0 - creationTimestamp: null - name: webhookauthenticators.authentication.concierge.pinniped.dev - labels: - app: pinniped-concierge -spec: - group: authentication.concierge.pinniped.dev - names: - categories: - - pinniped - - pinniped-authenticator - - pinniped-authenticators - kind: WebhookAuthenticator - listKind: WebhookAuthenticatorList - plural: webhookauthenticators - singular: webhookauthenticator - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.endpoint - name: Endpoint - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: WebhookAuthenticator describes the configuration of a webhook authenticator. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec for configuring the authenticator. - properties: - endpoint: - description: Webhook server endpoint URL. - minLength: 1 - pattern: ^https:// - type: string - tls: - description: TLS configuration. - properties: - certificateAuthorityData: - description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. - type: string - type: object - required: - - endpoint - type: object - status: - description: Status of the authenticator. - properties: - conditions: - description: Represents the observations of the authenticator's current state. - items: - description: Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.4.0 - creationTimestamp: null - name: credentialissuers.config.concierge.pinniped.dev - labels: - app: pinniped-concierge -spec: - group: config.concierge.pinniped.dev - names: - categories: - - pinniped - kind: CredentialIssuer - listKind: CredentialIssuerList - plural: credentialissuers - singular: credentialissuer - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.impersonationProxy.mode - name: ProxyMode - type: string - - jsonPath: .status.strategies[?(@.status == "Success")].type - name: DefaultStrategy - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: CredentialIssuer describes the configuration and status of the Pinniped Concierge credential issuer. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec describes the intended configuration of the Concierge. - properties: - impersonationProxy: - description: ImpersonationProxy describes the intended configuration of the Concierge impersonation proxy. - properties: - externalEndpoint: - description: "ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. \n This field must be non-empty when spec.impersonationProxy.service.type is \"None\"." - type: string - mode: - description: 'Mode configures whether the impersonation proxy should be started: - "disabled" explicitly disables the impersonation proxy. This is the default. - "enabled" explicitly enables the impersonation proxy. - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running.' - enum: - - auto - - enabled - - disabled - type: string - service: - default: - type: LoadBalancer - description: Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. - properties: - annotations: - additionalProperties: - type: string - description: Annotations specifies zero or more key/value pairs to set as annotations on the provisioned Service. - type: object - loadBalancerIP: - description: LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers. - maxLength: 255 - minLength: 1 - type: string - type: - default: LoadBalancer - description: "Type specifies the type of Service to provision for the impersonation proxy. \n If the type is \"None\", then the \"spec.impersonationProxy.externalEndpoint\" field must be set to a non-empty value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status." - enum: - - LoadBalancer - - ClusterIP - - None - type: string - type: object - required: - - mode - - service - type: object - required: - - impersonationProxy - type: object - status: - description: CredentialIssuerStatus describes the status of the Concierge. - properties: - kubeConfigInfo: - description: Information needed to form a valid Pinniped-based kubeconfig using this credential issuer. This field is deprecated and will be removed in a future version. - properties: - certificateAuthorityData: - description: The K8s API server CA bundle. - minLength: 1 - type: string - server: - description: The K8s API server URL. - minLength: 1 - pattern: ^https://|^http:// - type: string - required: - - certificateAuthorityData - - server - type: object - strategies: - description: List of integration strategies that were attempted by Pinniped. - items: - description: CredentialIssuerStrategy describes the status of an integration strategy that was attempted by Pinniped. - properties: - frontend: - description: Frontend describes how clients can connect using this strategy. - properties: - impersonationProxyInfo: - description: ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge. This field is only set when Type is "ImpersonationProxy". - properties: - certificateAuthorityData: - description: CertificateAuthorityData is the base64-encoded PEM CA bundle of the impersonation proxy. - minLength: 1 - type: string - endpoint: - description: Endpoint is the HTTPS endpoint of the impersonation proxy. - minLength: 1 - pattern: ^https:// - type: string - required: - - certificateAuthorityData - - endpoint - type: object - tokenCredentialRequestInfo: - description: TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge. This field is only set when Type is "TokenCredentialRequestAPI". - properties: - certificateAuthorityData: - description: CertificateAuthorityData is the base64-encoded Kubernetes API server CA bundle. - minLength: 1 - type: string - server: - description: Server is the Kubernetes API server URL. - minLength: 1 - pattern: ^https://|^http:// - type: string - required: - - certificateAuthorityData - - server - type: object - type: - description: Type describes which frontend mechanism clients can use with a strategy. - enum: - - TokenCredentialRequestAPI - - ImpersonationProxy - type: string - required: - - type - type: object - lastUpdateTime: - description: When the status was last checked. - format: date-time - type: string - message: - description: Human-readable description of the current status. - minLength: 1 - type: string - reason: - description: Reason for the current status. - enum: - - Listening - - Pending - - Disabled - - ErrorDuringSetup - - CouldNotFetchKey - - CouldNotGetClusterInfo - - FetchedKey - type: string - status: - description: Status of the attempted integration strategy. - enum: - - Success - - Error - type: string - type: - description: Type of integration attempted. - enum: - - KubeClusterSigningCertificate - - ImpersonationProxy - type: string - required: - - lastUpdateTime - - message - - reason - - status - - type - type: object - type: array - required: - - strategies - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: v1 -kind: Namespace -metadata: - name: pinniped-concierge - labels: - app: pinniped-concierge ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: pinniped-concierge - namespace: pinniped-concierge - labels: - app: pinniped-concierge ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: pinniped-concierge-kube-cert-agent - namespace: pinniped-concierge - labels: - app: pinniped-concierge ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: pinniped-concierge-impersonation-proxy - namespace: pinniped-concierge - labels: - app: pinniped-concierge - annotations: - kapp.k14s.io/change-group: impersonation-proxy.concierge.pinniped.dev/serviceaccount -secrets: -- name: pinniped-concierge-impersonation-proxy ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: pinniped-concierge-config - namespace: pinniped-concierge - labels: - app: pinniped-concierge -data: - pinniped.yaml: "discovery:\n url: null\napi:\n servingCertificate:\n durationSeconds: 2592000\n renewBeforeSeconds: 2160000\napiGroupSuffix: pinniped.dev\n# aggregatedAPIServerPort may be set here, although other YAML references to the default port (10250) may also need to be updated\n# impersonationProxyServerPort may be set here, although other YAML references to the default port (8444) may also need to be updated\nnames:\n servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate\n credentialIssuer: pinniped-concierge-config\n apiService: pinniped-concierge-api\n impersonationLoadBalancerService: pinniped-concierge-impersonation-proxy-load-balancer\n impersonationClusterIPService: pinniped-concierge-impersonation-proxy-cluster-ip\n impersonationTLSCertificateSecret: pinniped-concierge-impersonation-proxy-tls-serving-certificate\n impersonationCACertificateSecret: pinniped-concierge-impersonation-proxy-ca-certificate\n impersonationSignerSecret: pinniped-concierge-impersonation-proxy-signer-ca-certificate\n agentServiceAccount: pinniped-concierge-kube-cert-agent\nlabels: {\"app\":\"pinniped-concierge\"}\nkubeCertAgent:\n namePrefix: pinniped-concierge-kube-cert-agent-\n \n \n image: projects.registry.vmware.com/pinniped/pinniped-server:v0.13.0@sha256:7bdd608100ef594d51cb36d63b87558524140c349cb2bf925338e8d7c11e208f\n \n \n \n\n" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: pinniped-concierge - namespace: pinniped-concierge - labels: - app: pinniped-concierge -spec: - replicas: 2 - selector: - matchLabels: - app: pinniped-concierge - template: - metadata: - labels: - app: pinniped-concierge - deployment.pinniped.dev: concierge - annotations: - scheduler.alpha.kubernetes.io/critical-pod: "" - spec: - securityContext: - runAsUser: 65532 - runAsGroup: 65532 - serviceAccountName: pinniped-concierge - containers: - - name: pinniped-concierge - image: projects.registry.vmware.com/pinniped/pinniped-server:v0.13.0@sha256:7bdd608100ef594d51cb36d63b87558524140c349cb2bf925338e8d7c11e208f - imagePullPolicy: IfNotPresent - securityContext: - readOnlyRootFilesystem: true - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 100m - memory: 128Mi - command: - - pinniped-concierge - - --config=/etc/config/pinniped.yaml - - --downward-api-path=/etc/podinfo - volumeMounts: - - name: tmp - mountPath: /tmp - - name: config-volume - mountPath: /etc/config - readOnly: true - - name: podinfo - mountPath: /etc/podinfo - readOnly: true - - name: impersonation-proxy - mountPath: /var/run/secrets/impersonation-proxy.concierge.pinniped.dev/serviceaccount - readOnly: true - env: [] - livenessProbe: - httpGet: - path: /healthz - port: 10250 - scheme: HTTPS - initialDelaySeconds: 2 - timeoutSeconds: 15 - periodSeconds: 10 - failureThreshold: 5 - readinessProbe: - httpGet: - path: /healthz - port: 10250 - scheme: HTTPS - initialDelaySeconds: 2 - timeoutSeconds: 3 - periodSeconds: 10 - failureThreshold: 3 - volumes: - - name: tmp - emptyDir: - medium: Memory - sizeLimit: 100Mi - - name: config-volume - configMap: - name: pinniped-concierge-config - - name: impersonation-proxy - secret: - secretName: pinniped-concierge-impersonation-proxy - items: - - key: token - path: token - - name: podinfo - downwardAPI: - items: - - path: labels - fieldRef: - fieldPath: metadata.labels - - path: name - fieldRef: - fieldPath: metadata.name - - path: namespace - fieldRef: - fieldPath: metadata.namespace - tolerations: - - key: CriticalAddonsOnly - operator: Exists - - key: node-role.kubernetes.io/master - effect: NoSchedule - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 50 - podAffinityTerm: - labelSelector: - matchLabels: - deployment.pinniped.dev: concierge - topologyKey: kubernetes.io/hostname ---- -apiVersion: v1 -kind: Service -metadata: - name: pinniped-concierge-api - namespace: pinniped-concierge - labels: - app: pinniped-concierge - annotations: - kapp.k14s.io/disable-default-label-scoping-rules: "" -spec: - type: ClusterIP - selector: - deployment.pinniped.dev: concierge - ports: - - protocol: TCP - port: 443 - targetPort: 10250 ---- -apiVersion: v1 -kind: Service -metadata: - name: pinniped-concierge-proxy - namespace: pinniped-concierge - labels: - app: pinniped-concierge - annotations: - kapp.k14s.io/disable-default-label-scoping-rules: "" -spec: - type: ClusterIP - selector: - deployment.pinniped.dev: concierge - ports: - - protocol: TCP - port: 443 - targetPort: 8444 ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1alpha1.login.concierge.pinniped.dev - labels: - app: pinniped-concierge -spec: - version: v1alpha1 - group: login.concierge.pinniped.dev - groupPriorityMinimum: 9900 - versionPriority: 15 - service: - name: pinniped-concierge-api - namespace: pinniped-concierge - port: 443 ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1alpha1.identity.concierge.pinniped.dev - labels: - app: pinniped-concierge -spec: - version: v1alpha1 - group: identity.concierge.pinniped.dev - groupPriorityMinimum: 9900 - versionPriority: 15 - service: - name: pinniped-concierge-api - namespace: pinniped-concierge - port: 443 ---- -apiVersion: config.concierge.pinniped.dev/v1alpha1 -kind: CredentialIssuer -metadata: - name: pinniped-concierge-config - labels: - app: pinniped-concierge -spec: - impersonationProxy: - mode: auto - service: - type: LoadBalancer - annotations: - service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "4000" ---- -apiVersion: v1 -kind: Secret -metadata: - name: pinniped-concierge-impersonation-proxy - namespace: pinniped-concierge - labels: - app: pinniped-concierge - annotations: - kapp.k14s.io/change-rule: upsert after upserting impersonation-proxy.concierge.pinniped.dev/serviceaccount - kubernetes.io/service-account.name: pinniped-concierge-impersonation-proxy -type: kubernetes.io/service-account-token ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: pinniped-concierge-aggregated-api-server - labels: - app: pinniped-concierge -rules: -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch -- apiGroups: - - apiregistration.k8s.io - resources: - - apiservices - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - - mutatingwebhookconfigurations - verbs: - - get - - list - - watch -- apiGroups: - - flowcontrol.apiserver.k8s.io - resources: - - flowschemas - - prioritylevelconfigurations - verbs: - - get - - list - - watch -- apiGroups: - - security.openshift.io - resources: - - securitycontextconstraints - verbs: - - use - resourceNames: - - nonroot -- apiGroups: - - "" - resources: - - nodes - verbs: - - list -- apiGroups: - - config.concierge.pinniped.dev - resources: - - credentialissuers - verbs: - - get - - list - - watch - - create -- apiGroups: - - config.concierge.pinniped.dev - resources: - - credentialissuers/status - verbs: - - get - - patch - - update -- apiGroups: - - authentication.concierge.pinniped.dev - resources: - - jwtauthenticators - - webhookauthenticators - verbs: - - get - - list - - watch ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: pinniped-concierge-aggregated-api-server - labels: - app: pinniped-concierge -subjects: -- kind: ServiceAccount - name: pinniped-concierge - namespace: pinniped-concierge -roleRef: - kind: ClusterRole - name: pinniped-concierge-aggregated-api-server - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: pinniped-concierge-impersonation-proxy - labels: - app: pinniped-concierge -rules: -- apiGroups: - - "" - resources: - - users - - groups - - serviceaccounts - verbs: - - impersonate -- apiGroups: - - authentication.k8s.io - resources: - - '*' - verbs: - - impersonate ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: pinniped-concierge-impersonation-proxy - labels: - app: pinniped-concierge -subjects: -- kind: ServiceAccount - name: pinniped-concierge-impersonation-proxy - namespace: pinniped-concierge -roleRef: - kind: ClusterRole - name: pinniped-concierge-impersonation-proxy - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: pinniped-concierge-kube-cert-agent - namespace: pinniped-concierge - labels: - app: pinniped-concierge -rules: -- apiGroups: - - policy - resources: - - podsecuritypolicies - verbs: - - use ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: pinniped-concierge-kube-cert-agent - namespace: pinniped-concierge - labels: - app: pinniped-concierge -subjects: -- kind: ServiceAccount - name: pinniped-concierge-kube-cert-agent - namespace: pinniped-concierge -roleRef: - kind: Role - name: pinniped-concierge-kube-cert-agent - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: pinniped-concierge-aggregated-api-server - namespace: pinniped-concierge - labels: - app: pinniped-concierge -rules: -- apiGroups: - - "" - resources: - - services - verbs: - - create - - get - - list - - patch - - update - - watch - - delete -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - get - - list - - patch - - update - - watch - - delete -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - pods/exec - verbs: - - create -- apiGroups: - - "" - resources: - - pods - verbs: - - delete -- apiGroups: - - apps - resources: - - deployments - verbs: - - create - - get - - list - - patch - - update - - watch - - delete -- apiGroups: - - apps - resources: - - replicasets - verbs: - - get -- apiGroups: - - "" - resources: - - configmaps - verbs: - - list - - get - - watch -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - get - - update ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: pinniped-concierge-aggregated-api-server - namespace: pinniped-concierge - labels: - app: pinniped-concierge -subjects: -- kind: ServiceAccount - name: pinniped-concierge - namespace: pinniped-concierge -roleRef: - kind: Role - name: pinniped-concierge-aggregated-api-server - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: pinniped-concierge-kube-system-pod-read - namespace: kube-system - labels: - app: pinniped-concierge -rules: -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: pinniped-concierge-kube-system-pod-read - namespace: kube-system - labels: - app: pinniped-concierge -subjects: -- kind: ServiceAccount - name: pinniped-concierge - namespace: pinniped-concierge -roleRef: - kind: Role - name: pinniped-concierge-kube-system-pod-read - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: pinniped-concierge-pre-authn-apis - labels: - app: pinniped-concierge -rules: -- apiGroups: - - login.concierge.pinniped.dev - resources: - - tokencredentialrequests - verbs: - - create - - list -- apiGroups: - - identity.concierge.pinniped.dev - resources: - - whoamirequests - verbs: - - create - - list ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: pinniped-concierge-pre-authn-apis - labels: - app: pinniped-concierge -subjects: -- kind: Group - name: system:authenticated - apiGroup: rbac.authorization.k8s.io -- kind: Group - name: system:unauthenticated - apiGroup: rbac.authorization.k8s.io -roleRef: - kind: ClusterRole - name: pinniped-concierge-pre-authn-apis - apiGroup: rbac.authorization.k8s.io ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: pinniped-concierge - labels: - app: pinniped-concierge -subjects: -- kind: ServiceAccount - name: pinniped-concierge - namespace: pinniped-concierge -roleRef: - kind: ClusterRole - name: system:auth-delegator - apiGroup: rbac.authorization.k8s.io ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: pinniped-concierge-extension-apiserver-authentication-reader - namespace: kube-system - labels: - app: pinniped-concierge -subjects: -- kind: ServiceAccount - name: pinniped-concierge - namespace: pinniped-concierge -roleRef: - kind: Role - name: extension-apiserver-authentication-reader - apiGroup: rbac.authorization.k8s.io ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: pinniped-concierge-cluster-info-lister-watcher - namespace: kube-public - labels: - app: pinniped-concierge -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - list - - watch ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: pinniped-concierge-cluster-info-lister-watcher - namespace: kube-public - labels: - app: pinniped-concierge -subjects: -- kind: ServiceAccount - name: pinniped-concierge - namespace: pinniped-concierge -roleRef: - kind: Role - name: pinniped-concierge-cluster-info-lister-watcher - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: v1 -kind: Namespace -metadata: - name: local-user-authenticator - labels: - name: local-user-authenticator ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: local-user-authenticator - namespace: local-user-authenticator ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: local-user-authenticator - namespace: local-user-authenticator - labels: - app: local-user-authenticator -spec: - replicas: 1 - selector: - matchLabels: - app: local-user-authenticator - template: - metadata: - labels: - app: local-user-authenticator - spec: - securityContext: - runAsUser: 65532 - runAsGroup: 65532 - serviceAccountName: local-user-authenticator - containers: - - name: local-user-authenticator - image: projects.registry.vmware.com/pinniped/pinniped-server:v0.13.0@sha256:7bdd608100ef594d51cb36d63b87558524140c349cb2bf925338e8d7c11e208f - imagePullPolicy: IfNotPresent - command: - - local-user-authenticator ---- -apiVersion: v1 -kind: Service -metadata: - name: local-user-authenticator - namespace: local-user-authenticator - labels: - app: local-user-authenticator - annotations: - kapp.k14s.io/disable-default-label-scoping-rules: "" -spec: - type: ClusterIP - selector: - app: local-user-authenticator - ports: - - protocol: TCP - port: 443 - targetPort: 8443 ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: local-user-authenticator - namespace: local-user-authenticator -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - get - - list - - patch - - update - - watch ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: local-user-authenticator - namespace: local-user-authenticator -subjects: -- kind: ServiceAccount - name: local-user-authenticator - namespace: local-user-authenticator -roleRef: - kind: Role - name: local-user-authenticator - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.4.0 - creationTimestamp: null - name: federationdomains.config.supervisor.pinniped.dev - labels: - app: pinniped-supervisor -spec: - group: config.supervisor.pinniped.dev - names: - categories: - - pinniped - kind: FederationDomain - listKind: FederationDomainList - plural: federationdomains - singular: federationdomain - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.issuer - name: Issuer - type: string - - jsonPath: .status.status - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: FederationDomain describes the configuration of an OIDC provider. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec of the OIDC provider. - properties: - issuer: - description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information." - minLength: 1 - type: string - tls: - description: TLS configures how this FederationDomain is served over Transport Layer Security (TLS). - properties: - secretName: - description: "SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. \n Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. \n SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. \n SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. \n When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses." - type: string - type: object - required: - - issuer - type: object - status: - description: Status of the OIDC provider. - properties: - lastUpdateTime: - description: LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get around some undesirable behavior with respect to the empty metav1.Time value (see https://github.com/kubernetes/kubernetes/issues/86811). - format: date-time - type: string - message: - description: Message provides human-readable details about the Status. - type: string - secrets: - description: Secrets contains information about this OIDC Provider's secrets. - properties: - jwks: - description: JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are stored. If it is empty, then the signing/verification keys are either unknown or they don't exist. - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - type: object - stateEncryptionKey: - description: StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for encrypting state parameters is stored. - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - type: object - stateSigningKey: - description: StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for signing state parameters is stored. - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - type: object - tokenSigningKey: - description: TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for signing tokens is stored. - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - type: object - type: object - status: - description: Status holds an enum that describes the state of this OIDC Provider. Note that this Status can represent success or failure. - enum: - - Success - - Duplicate - - Invalid - - SameIssuerHostMustUseSameSecret - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: v1 -kind: Namespace -metadata: - name: pinniped-supervisor - labels: - app: pinniped-supervisor ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: pinniped-supervisor - namespace: pinniped-supervisor - labels: - app: pinniped-supervisor ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: pinniped-supervisor-static-config - namespace: pinniped-supervisor - labels: - app: pinniped-supervisor -data: - pinniped.yaml: | - apiGroupSuffix: pinniped.dev - names: - defaultTLSCertificateSecret: pinniped-supervisor-default-tls-certificate - labels: - app: pinniped-supervisor ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: pinniped-supervisor - namespace: pinniped-supervisor - labels: - app: pinniped-supervisor -spec: - replicas: 2 - selector: - matchLabels: - app: pinniped-supervisor - template: - metadata: - labels: - app: pinniped-supervisor - deployment.pinniped.dev: supervisor - spec: - securityContext: - runAsUser: 65532 - runAsGroup: 65532 - serviceAccountName: pinniped-supervisor - containers: - - name: pinniped-supervisor - image: projects.registry.vmware.com/pinniped/pinniped-server:v0.13.0@sha256:7bdd608100ef594d51cb36d63b87558524140c349cb2bf925338e8d7c11e208f - imagePullPolicy: IfNotPresent - command: - - pinniped-supervisor - - /etc/podinfo - - /etc/config/pinniped.yaml - securityContext: - readOnlyRootFilesystem: true - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 100m - memory: 128Mi - volumeMounts: - - name: config-volume - mountPath: /etc/config - readOnly: true - - name: podinfo - mountPath: /etc/podinfo - readOnly: true - ports: - - containerPort: 8080 - protocol: TCP - - containerPort: 8443 - protocol: TCP - env: [] - livenessProbe: - httpGet: - path: /healthz - port: 8443 - scheme: HTTPS - initialDelaySeconds: 2 - timeoutSeconds: 15 - periodSeconds: 10 - failureThreshold: 5 - readinessProbe: - httpGet: - path: /healthz - port: 8443 - scheme: HTTPS - initialDelaySeconds: 2 - timeoutSeconds: 3 - periodSeconds: 10 - failureThreshold: 3 - volumes: - - name: config-volume - configMap: - name: pinniped-supervisor-static-config - - name: podinfo - downwardAPI: - items: - - path: labels - fieldRef: - fieldPath: metadata.labels - - path: namespace - fieldRef: - fieldPath: metadata.namespace - - path: name - fieldRef: - fieldPath: metadata.name - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 50 - podAffinityTerm: - labelSelector: - matchLabels: - deployment.pinniped.dev: supervisor - topologyKey: kubernetes.io/hostname ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.4.0 - creationTimestamp: null - name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev - labels: - app: pinniped-supervisor -spec: - group: idp.supervisor.pinniped.dev - names: - categories: - - pinniped - - pinniped-idp - - pinniped-idps - kind: ActiveDirectoryIdentityProvider - listKind: ActiveDirectoryIdentityProviderList - plural: activedirectoryidentityproviders - singular: activedirectoryidentityprovider - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.host - name: Host - type: string - - jsonPath: .status.phase - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: ActiveDirectoryIdentityProvider describes the configuration of an upstream Microsoft Active Directory identity provider. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec for configuring the identity provider. - properties: - bind: - description: Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. - properties: - secretName: - description: SecretName contains the name of a namespace-local Secret object that provides the username and password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password must be non-empty. - minLength: 1 - type: string - required: - - secretName - type: object - groupSearch: - description: GroupSearch contains the configuration for searching for a user's group membership in ActiveDirectory. - properties: - attributes: - description: Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as the result of the group search. - properties: - groupName: - description: GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name in the user's list of groups after a successful authentication. The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain", where domain is constructed from the domain components of the group DN. - type: string - type: object - base: - description: Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. It may make sense to specify a subtree as a search base if you wish to exclude some groups for security reasons or to make searches faster. - type: string - filter: - description: Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". This searches nested groups by default. Note that nested group search can be slow for some Active Directory servers. To disable it, you can set the filter to "(&(objectClass=group)(member={})" - type: string - type: object - host: - description: 'Host is the hostname of this Active Directory identity provider, i.e., where to connect. For example: ldap.example.com:636.' - minLength: 1 - type: string - tls: - description: TLS contains the connection settings for how to establish the connection to the Host. - properties: - certificateAuthorityData: - description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. - type: string - type: object - userSearch: - description: UserSearch contains the configuration for searching for a user by name in Active Directory. - properties: - attributes: - description: Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as the result of the user search. - properties: - uid: - description: UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely identify the user within this ActiveDirectory provider after a successful authentication. Optional, when empty this defaults to "objectGUID". - type: string - username: - description: Username specifies the name of the attribute in Active Directory entry whose value shall become the username of the user after a successful authentication. Optional, when empty this defaults to "userPrincipalName". - type: string - type: object - base: - description: Base is the dn (distinguished name) that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". Optional, when not specified it will be based on the result of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for users. It may make sense to specify a subtree as a search base if you wish to exclude some users or to make searches faster. - type: string - filter: - description: Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, and is not shown in advanced view only (which would likely mean its a system created service account with advanced permissions). Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username. - type: string - type: object - required: - - host - type: object - status: - description: Status of the identity provider. - properties: - conditions: - description: Represents the observations of an identity provider's current state. - items: - description: Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - phase: - default: Pending - description: Phase summarizes the overall status of the ActiveDirectoryIdentityProvider. - enum: - - Pending - - Ready - - Error - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.4.0 - creationTimestamp: null - name: ldapidentityproviders.idp.supervisor.pinniped.dev - labels: - app: pinniped-supervisor -spec: - group: idp.supervisor.pinniped.dev - names: - categories: - - pinniped - - pinniped-idp - - pinniped-idps - kind: LDAPIdentityProvider - listKind: LDAPIdentityProviderList - plural: ldapidentityproviders - singular: ldapidentityprovider - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.host - name: Host - type: string - - jsonPath: .status.phase - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access Protocol (LDAP) identity provider. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec for configuring the identity provider. - properties: - bind: - description: Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. - properties: - secretName: - description: SecretName contains the name of a namespace-local Secret object that provides the username and password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password must be non-empty. - minLength: 1 - type: string - required: - - secretName - type: object - groupSearch: - description: GroupSearch contains the configuration for searching for a user's group membership in the LDAP provider. - properties: - attributes: - description: Attributes specifies how the group's information should be read from each LDAP entry which was found as the result of the group search. - properties: - groupName: - description: GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name in the user's list of groups after a successful authentication. The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name). - type: string - type: object - base: - description: Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, the values of Filter and Attributes are ignored. - type: string - filter: - description: Filter is the LDAP search filter which should be applied when searching for groups for a user. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as "member={}". - type: string - type: object - host: - description: 'Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636.' - minLength: 1 - type: string - tls: - description: TLS contains the connection settings for how to establish the connection to the Host. - properties: - certificateAuthorityData: - description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. - type: string - type: object - userSearch: - description: UserSearch contains the configuration for searching for a user by name in the LDAP provider. - properties: - attributes: - description: Attributes specifies how the user's information should be read from the LDAP entry which was found as the result of the user search. - properties: - uid: - description: UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID". The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP server in the user's entry. Distinguished names can be used by specifying lower-case "dn". - minLength: 1 - type: string - username: - description: Username specifies the name of the attribute in the LDAP entry whose value shall become the username of the user after a successful authentication. This would typically be the same attribute name used in the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName". The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default value of "dn={}" would not work. - minLength: 1 - type: string - type: object - base: - description: Base is the dn (distinguished name) that should be used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". - minLength: 1 - type: string - filter: - description: Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the username for which the search is being run. E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see https://ldap.com/ldap-filters. Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. Optional. When not specified, the default will act as if the Filter were specified as the value from Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be explicitly specified, since the default value of "dn={}" would not work. - type: string - type: object - required: - - host - type: object - status: - description: Status of the identity provider. - properties: - conditions: - description: Represents the observations of an identity provider's current state. - items: - description: Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - phase: - default: Pending - description: Phase summarizes the overall status of the LDAPIdentityProvider. - enum: - - Pending - - Ready - - Error - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.4.0 - creationTimestamp: null - name: oidcidentityproviders.idp.supervisor.pinniped.dev - labels: - app: pinniped-supervisor -spec: - group: idp.supervisor.pinniped.dev - names: - categories: - - pinniped - - pinniped-idp - - pinniped-idps - kind: OIDCIdentityProvider - listKind: OIDCIdentityProviderList - plural: oidcidentityproviders - singular: oidcidentityprovider - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.issuer - name: Issuer - type: string - - jsonPath: .status.phase - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: OIDCIdentityProvider describes the configuration of an upstream OpenID Connect identity provider. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec for configuring the identity provider. - properties: - authorizationConfig: - description: AuthorizationConfig holds information about how to form the OAuth2 authorization request parameters to be used with this OIDC identity provider. - properties: - additionalAuthorizeParameters: - description: additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be included in this setting. Additionally, the "hd" parameter cannot be included in this setting at this time. The "hd" parameter is used by Google's OIDC provider to provide a hint as to which "hosted domain" the user should use during login. However, Pinniped does not yet support validating the hosted domain in the resulting ID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped. This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password Credentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's authorization endpoint for its requirements for what to include in the request in order to receive a refresh token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, then include it here. Also note that most providers also require a certain scope to be requested in order to receive refresh tokens. See the additionalScopes setting for more information about using scopes to request refresh tokens. - items: - description: Parameter is a key/value pair which represents a parameter in an HTTP request. - properties: - name: - description: The name of the parameter. Required. - minLength: 1 - type: string - value: - description: The value of the parameter. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - additionalScopes: - description: 'additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is always required according to the OIDC spec. By default, when this field is not set, the Supervisor will request the following scopes: "openid", "offline_access", "email", and "profile". See https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the "profile" and "email" scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the "offline_access" scope. This default value may change in future versions of Pinniped as the standard evolves, or as common patterns used by providers who implement the standard in the ecosystem evolve. By setting this list to anything other than an empty list, you are overriding the default value, so you may wish to include some of "offline_access", "email", and "profile" in your override list. If you do not want any of these scopes to be requested, you may set this list to contain only "openid". Some OIDC providers may also require a scope to get access to the user''s group membership, in which case you may wish to include it in this list. Sometimes the scope to request the user''s group membership is called "groups", but unfortunately this is not specified in the OIDC standard. Generally speaking, you should include any scopes required to cause the appropriate claims to be the returned by your OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in the oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See your OIDC provider''s documentation for more information about what scopes are available to request claims. Additionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be "offline_access". See the documentation of your OIDC provider''s authorization and token endpoints for its requirements for what to include in the request in order to receive a refresh token in the response, if anything. Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider may ignore scopes that it does not understand or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the "offline_access" scope, then you must override the default value of this setting. This is required if your OIDC provider will reject the request when it includes "offline_access" (e.g. GitLab''s OIDC provider).' - items: - type: string - type: array - allowPasswordGrant: - description: allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be convenient for users, especially for identities from your OIDC provider which are not intended to represent a human actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. allowPasswordGrant defaults to false. - type: boolean - type: object - claims: - description: Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider. - properties: - groups: - description: Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured. - type: string - username: - description: Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token. - type: string - type: object - client: - description: OIDCClient contains OIDC client information to be used used with this OIDC identity provider. - properties: - secretName: - description: SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" with keys "clientID" and "clientSecret". - type: string - required: - - secretName - type: object - issuer: - description: Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch /.well-known/openid-configuration. - minLength: 1 - pattern: ^https:// - type: string - tls: - description: TLS configuration for discovery/JWKS requests to the issuer. - properties: - certificateAuthorityData: - description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. - type: string - type: object - required: - - client - - issuer - type: object - status: - description: Status of the identity provider. - properties: - conditions: - description: Represents the observations of an identity provider's current state. - items: - description: Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - phase: - default: Pending - description: Phase summarizes the overall status of the OIDCIdentityProvider. - enum: - - Pending - - Ready - - Error - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: pinniped-supervisor - namespace: pinniped-supervisor - labels: - app: pinniped-supervisor -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - get - - list - - patch - - update - - watch - - delete -- apiGroups: - - config.supervisor.pinniped.dev - resources: - - federationdomains - verbs: - - get - - list - - watch -- apiGroups: - - config.supervisor.pinniped.dev - resources: - - federationdomains/status - verbs: - - get - - patch - - update -- apiGroups: - - idp.supervisor.pinniped.dev - resources: - - oidcidentityproviders - verbs: - - get - - list - - watch -- apiGroups: - - idp.supervisor.pinniped.dev - resources: - - oidcidentityproviders/status - verbs: - - get - - patch - - update -- apiGroups: - - idp.supervisor.pinniped.dev - resources: - - ldapidentityproviders - verbs: - - get - - list - - watch -- apiGroups: - - idp.supervisor.pinniped.dev - resources: - - ldapidentityproviders/status - verbs: - - get - - patch - - update -- apiGroups: - - idp.supervisor.pinniped.dev - resources: - - activedirectoryidentityproviders - verbs: - - get - - list - - watch -- apiGroups: - - idp.supervisor.pinniped.dev - resources: - - activedirectoryidentityproviders/status - verbs: - - get - - patch - - update -- apiGroups: - - "" - resources: - - pods - verbs: - - get -- apiGroups: - - apps - resources: - - replicasets - - deployments - verbs: - - get -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - get - - update ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: pinniped-supervisor - namespace: pinniped-supervisor - labels: - app: pinniped-supervisor -subjects: -- kind: ServiceAccount - name: pinniped-supervisor - namespace: pinniped-supervisor -roleRef: - kind: Role - name: pinniped-supervisor - apiGroup: rbac.authorization.k8s.io diff --git a/examples/pinniped-v0.32.0/README.md b/examples/pinniped-v0.32.0/README.md new file mode 100644 index 000000000..b69a66e10 --- /dev/null +++ b/examples/pinniped-v0.32.0/README.md @@ -0,0 +1,8 @@ +Downloaded via + +```bash +ytt \ + -f https://get.pinniped.dev/v0.32.0/install-pinniped-concierge.yaml \ + -f https://get.pinniped.dev/v0.32.0/install-local-user-authenticator.yaml \ + -f https://get.pinniped.dev/v0.32.0/install-pinniped-supervisor.yaml > config.yml +``` diff --git a/examples/pinniped-v0.32.0/config.yml b/examples/pinniped-v0.32.0/config.yml new file mode 100644 index 000000000..08515e9ce --- /dev/null +++ b/examples/pinniped-v0.32.0/config.yml @@ -0,0 +1,3715 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: jwtauthenticators.authentication.concierge.pinniped.dev + labels: + app: pinniped-concierge +spec: + group: authentication.concierge.pinniped.dev + names: + categories: + - pinniped + - pinniped-authenticator + - pinniped-authenticators + kind: JWTAuthenticator + listKind: JWTAuthenticatorList + plural: jwtauthenticators + singular: jwtauthenticator + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.issuer + name: Issuer + type: string + - jsonPath: .spec.audience + name: Audience + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + JWTAuthenticator describes the configuration of a JWT authenticator. + + + Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid + signature, existence of claims, etc.) and extract the username and groups from the token. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec for configuring the authenticator. + properties: + audience: + description: Audience is the required value of the "aud" JWT claim. + minLength: 1 + type: string + claims: + description: |- + Claims allows customization of the claims that will be mapped to user identity + for Kubernetes access. + properties: + groups: + description: |- + Groups is the name of the claim which should be read to extract the user's + group membership from the JWT token. When not specified, it will default to "groups". + type: string + username: + description: |- + Username is the name of the claim which should be read to extract the + username from the JWT token. When not specified, it will default to "username". + type: string + type: object + issuer: + description: |- + Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is + also used to validate the "iss" JWT claim. + minLength: 1 + pattern: ^https:// + type: string + tls: + description: TLS configuration for communicating with the OIDC provider. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + type: string + type: object + required: + - audience + - issuer + type: object + status: + description: Status of the authenticator. + properties: + conditions: + description: Represents the observations of the authenticator's current state. + items: + description: "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the JWTAuthenticator. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: webhookauthenticators.authentication.concierge.pinniped.dev + labels: + app: pinniped-concierge +spec: + group: authentication.concierge.pinniped.dev + names: + categories: + - pinniped + - pinniped-authenticator + - pinniped-authenticators + kind: WebhookAuthenticator + listKind: WebhookAuthenticatorList + plural: webhookauthenticators + singular: webhookauthenticator + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.endpoint + name: Endpoint + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: WebhookAuthenticator describes the configuration of a webhook authenticator. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec for configuring the authenticator. + properties: + endpoint: + description: Webhook server endpoint URL. + minLength: 1 + pattern: ^https:// + type: string + tls: + description: TLS configuration. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + type: string + type: object + required: + - endpoint + type: object + status: + description: Status of the authenticator. + properties: + conditions: + description: Represents the observations of the authenticator's current state. + items: + description: "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the WebhookAuthenticator. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: credentialissuers.config.concierge.pinniped.dev + labels: + app: pinniped-concierge +spec: + group: config.concierge.pinniped.dev + names: + categories: + - pinniped + kind: CredentialIssuer + listKind: CredentialIssuerList + plural: credentialissuers + singular: credentialissuer + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.impersonationProxy.mode + name: ProxyMode + type: string + - jsonPath: .status.strategies[?(@.status == "Success")].type + name: DefaultStrategy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: CredentialIssuer describes the configuration and status of the Pinniped Concierge credential issuer. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec describes the intended configuration of the Concierge. + properties: + impersonationProxy: + description: ImpersonationProxy describes the intended configuration of the Concierge impersonation proxy. + properties: + externalEndpoint: + description: |- + ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will + be served using the external name of the LoadBalancer service or the cluster service DNS name. + + + This field must be non-empty when spec.impersonationProxy.service.type is "None". + type: string + mode: + description: |- + Mode configures whether the impersonation proxy should be started: + - "disabled" explicitly disables the impersonation proxy. This is the default. + - "enabled" explicitly enables the impersonation proxy. + - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running. + enum: + - auto + - enabled + - disabled + type: string + service: + default: + type: LoadBalancer + description: Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. + properties: + annotations: + additionalProperties: + type: string + description: Annotations specifies zero or more key/value pairs to set as annotations on the provisioned Service. + type: object + loadBalancerIP: + description: |- + LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. + This is not supported on all cloud providers. + maxLength: 255 + minLength: 1 + type: string + type: + default: LoadBalancer + description: |- + Type specifies the type of Service to provision for the impersonation proxy. + + + If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty + value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. + enum: + - LoadBalancer + - ClusterIP + - None + type: string + type: object + tls: + description: |- + TLS contains information about how the Concierge impersonation proxy should serve TLS. + + + If this field is empty, the impersonation proxy will generate its own TLS certificate. + properties: + certificateAuthorityData: + description: |- + X.509 Certificate Authority (base64-encoded PEM bundle). + Used to advertise the CA bundle for the impersonation proxy endpoint. + type: string + secretName: + description: |- + SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the Concierge impersonation proxy endpoint. + minLength: 1 + type: string + type: object + required: + - mode + - service + type: object + required: + - impersonationProxy + type: object + status: + description: CredentialIssuerStatus describes the status of the Concierge. + properties: + kubeConfigInfo: + description: |- + Information needed to form a valid Pinniped-based kubeconfig using this credential issuer. + This field is deprecated and will be removed in a future version. + properties: + certificateAuthorityData: + description: The K8s API server CA bundle. + minLength: 1 + type: string + server: + description: The K8s API server URL. + minLength: 1 + pattern: ^https://|^http:// + type: string + required: + - certificateAuthorityData + - server + type: object + strategies: + description: List of integration strategies that were attempted by Pinniped. + items: + description: CredentialIssuerStrategy describes the status of an integration strategy that was attempted by Pinniped. + properties: + frontend: + description: Frontend describes how clients can connect using this strategy. + properties: + impersonationProxyInfo: + description: |- + ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge. + This field is only set when Type is "ImpersonationProxy". + properties: + certificateAuthorityData: + description: CertificateAuthorityData is the base64-encoded PEM CA bundle of the impersonation proxy. + minLength: 1 + type: string + endpoint: + description: Endpoint is the HTTPS endpoint of the impersonation proxy. + minLength: 1 + pattern: ^https:// + type: string + required: + - certificateAuthorityData + - endpoint + type: object + tokenCredentialRequestInfo: + description: |- + TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge. + This field is only set when Type is "TokenCredentialRequestAPI". + properties: + certificateAuthorityData: + description: CertificateAuthorityData is the base64-encoded Kubernetes API server CA bundle. + minLength: 1 + type: string + server: + description: Server is the Kubernetes API server URL. + minLength: 1 + pattern: ^https://|^http:// + type: string + required: + - certificateAuthorityData + - server + type: object + type: + description: Type describes which frontend mechanism clients can use with a strategy. + enum: + - TokenCredentialRequestAPI + - ImpersonationProxy + type: string + required: + - type + type: object + lastUpdateTime: + description: When the status was last checked. + format: date-time + type: string + message: + description: Human-readable description of the current status. + minLength: 1 + type: string + reason: + description: Reason for the current status. + enum: + - Listening + - Pending + - Disabled + - ErrorDuringSetup + - CouldNotFetchKey + - CouldNotGetClusterInfo + - FetchedKey + type: string + status: + description: Status of the attempted integration strategy. + enum: + - Success + - Error + type: string + type: + description: Type of integration attempted. + enum: + - KubeClusterSigningCertificate + - ImpersonationProxy + type: string + required: + - lastUpdateTime + - message + - reason + - status + - type + type: object + type: array + required: + - strategies + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: Namespace +metadata: + name: pinniped-concierge + labels: + app: pinniped-concierge + pod-security.kubernetes.io/enforce: privileged +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: pinniped-concierge + namespace: pinniped-concierge + labels: + app: pinniped-concierge +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: pinniped-concierge-kube-cert-agent + namespace: pinniped-concierge + labels: + app: pinniped-concierge +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: pinniped-concierge-impersonation-proxy + namespace: pinniped-concierge + labels: + app: pinniped-concierge + annotations: + kapp.k14s.io/change-group: impersonation-proxy.concierge.pinniped.dev/serviceaccount + kubernetes.io/enforce-mountable-secrets: "true" +secrets: [] +automountServiceAccountToken: false +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: pinniped-concierge-config + namespace: pinniped-concierge + labels: + app: pinniped-concierge +data: + pinniped.yaml: "discovery:\n url: null\napi:\n servingCertificate:\n durationSeconds: 2592000\n renewBeforeSeconds: 2160000\napiGroupSuffix: pinniped.dev\n# aggregatedAPIServerPort may be set here, although other YAML references to the default port (10250) may also need to be updated\n# impersonationProxyServerPort may be set here, although other YAML references to the default port (8444) may also need to be updated\nnames:\n servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate\n credentialIssuer: pinniped-concierge-config\n apiService: pinniped-concierge-api\n impersonationLoadBalancerService: pinniped-concierge-impersonation-proxy-load-balancer\n impersonationClusterIPService: pinniped-concierge-impersonation-proxy-cluster-ip\n impersonationTLSCertificateSecret: pinniped-concierge-impersonation-proxy-tls-serving-certificate\n impersonationCACertificateSecret: pinniped-concierge-impersonation-proxy-ca-certificate\n impersonationSignerSecret: pinniped-concierge-impersonation-proxy-signer-ca-certificate\n agentServiceAccount: pinniped-concierge-kube-cert-agent\n impersonationProxyServiceAccount: pinniped-concierge-impersonation-proxy\n impersonationProxyLegacySecret: pinniped-concierge-impersonation-proxy\nlabels: {\"app\":\"pinniped-concierge\"}\nkubeCertAgent:\n namePrefix: pinniped-concierge-kube-cert-agent-\n \n \n image: ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.32.0@sha256:f76fa757678f1ab2492be698dc33afbec5ce22b32eebb8a648d5196f9e63ce35\n \n \n \n\ntls:\n onedottwo:\n allowedCiphers: []\n" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: pinniped-concierge + namespace: pinniped-concierge + labels: + app: pinniped-concierge +spec: + replicas: 2 + selector: + matchLabels: + app: pinniped-concierge + template: + metadata: + labels: + app: pinniped-concierge + deployment.pinniped.dev: concierge + spec: + securityContext: + runAsUser: 65532 + runAsGroup: 65532 + serviceAccountName: pinniped-concierge + containers: + - name: pinniped-concierge + image: ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.32.0@sha256:f76fa757678f1ab2492be698dc33afbec5ce22b32eebb8a648d5196f9e63ce35 + imagePullPolicy: IfNotPresent + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 100m + memory: 128Mi + command: + - pinniped-concierge + - --config=/etc/config/pinniped.yaml + - --downward-api-path=/etc/podinfo + volumeMounts: + - name: tmp + mountPath: /tmp + - name: config-volume + mountPath: /etc/config + readOnly: true + - name: podinfo + mountPath: /etc/podinfo + readOnly: true + env: [] + livenessProbe: + httpGet: + path: /healthz + port: 10250 + scheme: HTTPS + initialDelaySeconds: 2 + timeoutSeconds: 15 + periodSeconds: 10 + failureThreshold: 5 + readinessProbe: + httpGet: + path: /healthz + port: 10250 + scheme: HTTPS + initialDelaySeconds: 2 + timeoutSeconds: 3 + periodSeconds: 10 + failureThreshold: 3 + volumes: + - name: tmp + emptyDir: + medium: Memory + sizeLimit: 100Mi + - name: config-volume + configMap: + name: pinniped-concierge-config + - name: podinfo + downwardAPI: + items: + - path: labels + fieldRef: + fieldPath: metadata.labels + - path: name + fieldRef: + fieldPath: metadata.name + - path: namespace + fieldRef: + fieldPath: metadata.namespace + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - key: node-role.kubernetes.io/master + effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule + - key: kubernetes.io/arch + effect: NoSchedule + operator: Equal + value: amd64 + - key: kubernetes.io/arch + effect: NoSchedule + operator: Equal + value: arm64 + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 50 + podAffinityTerm: + labelSelector: + matchLabels: + deployment.pinniped.dev: concierge + topologyKey: kubernetes.io/hostname +--- +apiVersion: v1 +kind: Service +metadata: + name: pinniped-concierge-api + namespace: pinniped-concierge + labels: + app: pinniped-concierge + annotations: + kapp.k14s.io/disable-default-label-scoping-rules: "" +spec: + type: ClusterIP + selector: + deployment.pinniped.dev: concierge + ports: + - protocol: TCP + port: 443 + targetPort: 10250 +--- +apiVersion: v1 +kind: Service +metadata: + name: pinniped-concierge-proxy + namespace: pinniped-concierge + labels: + app: pinniped-concierge + annotations: + kapp.k14s.io/disable-default-label-scoping-rules: "" +spec: + type: ClusterIP + selector: + deployment.pinniped.dev: concierge + ports: + - protocol: TCP + port: 443 + targetPort: 8444 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v1alpha1.login.concierge.pinniped.dev + labels: + app: pinniped-concierge +spec: + version: v1alpha1 + group: login.concierge.pinniped.dev + groupPriorityMinimum: 9900 + versionPriority: 15 + service: + name: pinniped-concierge-api + namespace: pinniped-concierge + port: 443 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v1alpha1.identity.concierge.pinniped.dev + labels: + app: pinniped-concierge +spec: + version: v1alpha1 + group: identity.concierge.pinniped.dev + groupPriorityMinimum: 9900 + versionPriority: 15 + service: + name: pinniped-concierge-api + namespace: pinniped-concierge + port: 443 +--- +apiVersion: config.concierge.pinniped.dev/v1alpha1 +kind: CredentialIssuer +metadata: + name: pinniped-concierge-config + labels: + app: pinniped-concierge +spec: + impersonationProxy: + mode: auto + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "4000" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: pinniped-concierge-aggregated-api-server + labels: + app: pinniped-concierge +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + - mutatingwebhookconfigurations + - validatingadmissionpolicies + - validatingadmissionpolicybindings + verbs: + - get + - list + - watch +- apiGroups: + - flowcontrol.apiserver.k8s.io + resources: + - flowschemas + - prioritylevelconfigurations + verbs: + - get + - list + - watch +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + verbs: + - use + resourceNames: + - nonroot +- apiGroups: + - "" + resources: + - nodes + verbs: + - list +- apiGroups: + - config.concierge.pinniped.dev + resources: + - credentialissuers + verbs: + - get + - list + - watch + - create +- apiGroups: + - config.concierge.pinniped.dev + resources: + - credentialissuers/status + verbs: + - get + - patch + - update +- apiGroups: + - authentication.concierge.pinniped.dev + resources: + - jwtauthenticators + - webhookauthenticators + verbs: + - get + - list + - watch +- apiGroups: + - authentication.concierge.pinniped.dev + resources: + - jwtauthenticators/status + - webhookauthenticators/status + verbs: + - get + - list + - watch + - update +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: pinniped-concierge-aggregated-api-server + labels: + app: pinniped-concierge +subjects: +- kind: ServiceAccount + name: pinniped-concierge + namespace: pinniped-concierge +roleRef: + kind: ClusterRole + name: pinniped-concierge-aggregated-api-server + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: pinniped-concierge-impersonation-proxy + labels: + app: pinniped-concierge +rules: +- apiGroups: + - "" + resources: + - users + - groups + - serviceaccounts + verbs: + - impersonate +- apiGroups: + - authentication.k8s.io + resources: + - '*' + verbs: + - impersonate +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: pinniped-concierge-impersonation-proxy + labels: + app: pinniped-concierge +subjects: +- kind: ServiceAccount + name: pinniped-concierge-impersonation-proxy + namespace: pinniped-concierge +roleRef: + kind: ClusterRole + name: pinniped-concierge-impersonation-proxy + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: pinniped-concierge-kube-cert-agent + namespace: pinniped-concierge + labels: + app: pinniped-concierge +rules: +- apiGroups: + - policy + resources: + - podsecuritypolicies + verbs: + - use +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: pinniped-concierge-kube-cert-agent + namespace: pinniped-concierge + labels: + app: pinniped-concierge +subjects: +- kind: ServiceAccount + name: pinniped-concierge-kube-cert-agent + namespace: pinniped-concierge +roleRef: + kind: Role + name: pinniped-concierge-kube-cert-agent + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: pinniped-concierge-aggregated-api-server + namespace: pinniped-concierge + labels: + app: pinniped-concierge +rules: +- apiGroups: + - "" + resources: + - services + verbs: + - create + - get + - list + - patch + - update + - watch + - delete +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - list + - patch + - update + - watch + - delete +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods/exec + verbs: + - create +- apiGroups: + - "" + resources: + - pods + verbs: + - delete +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - get + - list + - patch + - update + - watch + - delete +- apiGroups: + - apps + resources: + - replicasets + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + verbs: + - list + - get + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get +- apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: pinniped-concierge-aggregated-api-server + namespace: pinniped-concierge + labels: + app: pinniped-concierge +subjects: +- kind: ServiceAccount + name: pinniped-concierge + namespace: pinniped-concierge +roleRef: + kind: Role + name: pinniped-concierge-aggregated-api-server + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: pinniped-concierge-kube-system-pod-read + namespace: kube-system + labels: + app: pinniped-concierge +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: pinniped-concierge-kube-system-pod-read + namespace: kube-system + labels: + app: pinniped-concierge +subjects: +- kind: ServiceAccount + name: pinniped-concierge + namespace: pinniped-concierge +roleRef: + kind: Role + name: pinniped-concierge-kube-system-pod-read + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: pinniped-concierge-pre-authn-apis + labels: + app: pinniped-concierge +rules: +- apiGroups: + - login.concierge.pinniped.dev + resources: + - tokencredentialrequests + verbs: + - create + - list +- apiGroups: + - identity.concierge.pinniped.dev + resources: + - whoamirequests + verbs: + - create + - list +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: pinniped-concierge-pre-authn-apis + labels: + app: pinniped-concierge +subjects: +- kind: Group + name: system:authenticated + apiGroup: rbac.authorization.k8s.io +- kind: Group + name: system:unauthenticated + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: ClusterRole + name: pinniped-concierge-pre-authn-apis + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: pinniped-concierge + labels: + app: pinniped-concierge +subjects: +- kind: ServiceAccount + name: pinniped-concierge + namespace: pinniped-concierge +roleRef: + kind: ClusterRole + name: system:auth-delegator + apiGroup: rbac.authorization.k8s.io +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: pinniped-concierge-extension-apiserver-authentication-reader + namespace: kube-system + labels: + app: pinniped-concierge +subjects: +- kind: ServiceAccount + name: pinniped-concierge + namespace: pinniped-concierge +roleRef: + kind: Role + name: extension-apiserver-authentication-reader + apiGroup: rbac.authorization.k8s.io +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: pinniped-concierge-cluster-info-lister-watcher + namespace: kube-public + labels: + app: pinniped-concierge +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - list + - watch +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: pinniped-concierge-cluster-info-lister-watcher + namespace: kube-public + labels: + app: pinniped-concierge +subjects: +- kind: ServiceAccount + name: pinniped-concierge + namespace: pinniped-concierge +roleRef: + kind: Role + name: pinniped-concierge-cluster-info-lister-watcher + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: v1 +kind: Namespace +metadata: + name: local-user-authenticator + labels: + name: local-user-authenticator +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: local-user-authenticator + namespace: local-user-authenticator +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: local-user-authenticator + namespace: local-user-authenticator + labels: + app: local-user-authenticator +spec: + replicas: 1 + selector: + matchLabels: + app: local-user-authenticator + template: + metadata: + labels: + app: local-user-authenticator + spec: + securityContext: + runAsUser: 65532 + runAsGroup: 65532 + serviceAccountName: local-user-authenticator + containers: + - name: local-user-authenticator + image: ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.32.0@sha256:f76fa757678f1ab2492be698dc33afbec5ce22b32eebb8a648d5196f9e63ce35 + imagePullPolicy: IfNotPresent + command: + - local-user-authenticator + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + tolerations: + - key: kubernetes.io/arch + effect: NoSchedule + operator: Equal + value: amd64 + - key: kubernetes.io/arch + effect: NoSchedule + operator: Equal + value: arm64 +--- +apiVersion: v1 +kind: Service +metadata: + name: local-user-authenticator + namespace: local-user-authenticator + labels: + app: local-user-authenticator + annotations: + kapp.k14s.io/disable-default-label-scoping-rules: "" +spec: + type: ClusterIP + selector: + app: local-user-authenticator + ports: + - protocol: TCP + port: 443 + targetPort: 8443 +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: local-user-authenticator + namespace: local-user-authenticator +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - list + - patch + - update + - watch +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: local-user-authenticator + namespace: local-user-authenticator +subjects: +- kind: ServiceAccount + name: local-user-authenticator + namespace: local-user-authenticator +roleRef: + kind: Role + name: local-user-authenticator + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: federationdomains.config.supervisor.pinniped.dev + labels: + app: pinniped-supervisor +spec: + group: config.supervisor.pinniped.dev + names: + categories: + - pinniped + kind: FederationDomain + listKind: FederationDomainList + plural: federationdomains + singular: federationdomain + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.issuer + name: Issuer + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: FederationDomain describes the configuration of an OIDC provider. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec of the OIDC provider. + properties: + identityProviders: + description: |- + IdentityProviders is the list of identity providers available for use by this FederationDomain. + + + An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, + how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to + extract a normalized user identity. Normalized user identities include a username and a list of group names. + In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which + belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations + on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid + accidental conflicts when multiple identity providers have different users with the same username (e.g. + "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication + rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow + the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could + disallow the authentication unless the user belongs to a specific group in the identity provider. + + + For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, + an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which + exist in the same namespace, but also to reject all authentication requests when there is more than one identity + provider currently defined. In this backwards compatibility mode, the name of the identity provider resource + (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this + FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of + relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead + explicitly list the identity provider using this IdentityProviders field. + items: + description: FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain. + properties: + displayName: + description: |- + DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the + kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a + disruptive change for those users. + minLength: 1 + type: string + objectRef: + description: |- + ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. + If the reference cannot be resolved then the identity provider will not be made available. + Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, + LDAPIdentityProvider, ActiveDirectoryIdentityProvider. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being referenced + type: string + name: + description: Name is the name of resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + transforms: + description: |- + Transforms is an optional way to specify transformations to be applied during user authentication and + session refresh. + properties: + constants: + description: Constants defines constant variables and their values which will be made available to the transform expressions. + items: + description: |- + FederationDomainTransformsConstant defines a constant variable and its value which will be made available to + the transform expressions. This is a union type, and Type is the discriminator field. + properties: + name: + description: Name determines the name of the constant. It must be a valid identifier name. + maxLength: 64 + minLength: 1 + pattern: ^[a-zA-Z][_a-zA-Z0-9]*$ + type: string + stringListValue: + description: StringListValue should hold the value when Type is "stringList", and is otherwise ignored. + items: + type: string + type: array + stringValue: + description: StringValue should hold the value when Type is "string", and is otherwise ignored. + type: string + type: + description: Type determines the type of the constant, and indicates which other field should be non-empty. + enum: + - string + - stringList + type: string + required: + - name + - type + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + examples: + description: |- + Examples can optionally be used to ensure that the sequence of transformation expressions are working as + expected. Examples define sample input identities which are then run through the expression list, and the + results are compared to the expected results. If any example in this list fails, then this + identity provider will not be available for use within this FederationDomain, and the error(s) will be + added to the FederationDomain status. This can be used to help guard against programming mistakes in the + expressions, and also act as living documentation for other administrators to better understand the expressions. + items: + description: FederationDomainTransformsExample defines a transform example. + properties: + expects: + description: |- + Expects is the expected output of the entire sequence of transforms when they are run against the + input Username and Groups. + properties: + groups: + description: Groups is the expected list of group names after the transformations have been applied. + items: + type: string + type: array + message: + description: |- + Message is the expected error message of the transforms. When Rejected is true, then Message is the expected + message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, + then Message will be treated as the default error message for authentication attempts which are rejected by a + policy. When Rejected is false, then Message is the expected error message for some other non-policy + transformation error, such as a runtime error. When Rejected is false, there is no default expected Message. + type: string + rejected: + description: |- + Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression + after the transformations have been applied. True means that it is expected that the authentication would be + rejected. The default value of false means that it is expected that the authentication would not be rejected + by any policy expression. + type: boolean + username: + description: Username is the expected username after the transformations have been applied. + type: string + type: object + groups: + description: Groups is the input list of group names. + items: + type: string + type: array + username: + description: Username is the input username. + minLength: 1 + type: string + required: + - expects + - username + type: object + type: array + expressions: + description: |- + Expressions are an optional list of transforms and policies to be executed in the order given during every + authentication attempt, including during every session refresh. + Each is a CEL expression. It may use the basic CEL language as defined in + https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in + https://github.com/google/cel-go/tree/master/ext#strings. + + + The username and groups extracted from the identity provider, and the constants defined in this CR, are + available as variables in all expressions. The username is provided via a variable called `username` and + the list of group names is provided via a variable called `groups` (which may be an empty list). + Each user-provided constants is provided via a variable named `strConst.varName` for string constants + and `strListConst.varName` for string list constants. + + + The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. + Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated + and the authentication attempt is rejected. + Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the + username or group names. + Each username/v1 transform must return the new username (a string), which can be the same as the old username. + Transformations of type username/v1 do not return group names, and therefore cannot change the group names. + Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old + groups list. + Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. + After each expression, the new (potentially changed) username or groups get passed to the following expression. + + + Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. + During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the + authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username + and group names have been decided for that authentication attempt. + items: + description: FederationDomainTransformsExpression defines a transform expression. + properties: + expression: + description: Expression is a CEL expression that will be evaluated based on the Type during an authentication. + minLength: 1 + type: string + message: + description: |- + Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects + an authentication attempt. When empty, a default message will be used. + type: string + type: + description: Type determines the type of the expression. It must be one of the supported types. + enum: + - policy/v1 + - username/v1 + - groups/v1 + type: string + required: + - expression + - type + type: object + type: array + type: object + required: + - displayName + - objectRef + type: object + type: array + issuer: + description: |- + Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the + identifier that it will use for the iss claim in issued JWTs. This field will also be used as + the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is + https://example.com/foo, then your authorization endpoint will look like + https://example.com/foo/some/path/to/auth/endpoint). + + + See + https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. + minLength: 1 + type: string + tls: + description: TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain. + properties: + secretName: + description: |- + SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret + named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use + for TLS. + + + Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + + + SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. + SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same + SecretName value even if they have different port numbers. + + + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is + configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). + It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to + use the default TLS certificate, which is configured elsewhere. + + + When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. + type: string + type: object + required: + - issuer + type: object + status: + description: Status of the OIDC provider. + properties: + conditions: + description: Conditions represent the observations of an FederationDomain's current state. + items: + description: "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the FederationDomain. + enum: + - Pending + - Ready + - Error + type: string + secrets: + description: Secrets contains information about this OIDC Provider's secrets. + properties: + jwks: + description: |- + JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are + stored. If it is empty, then the signing/verification keys are either unknown or they don't + exist. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + stateEncryptionKey: + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + encrypting state parameters is stored. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + stateSigningKey: + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing state parameters is stored. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + tokenSigningKey: + description: |- + TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing tokens is stored. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + type: object + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: oidcclients.config.supervisor.pinniped.dev + labels: + app: pinniped-supervisor +spec: + group: config.supervisor.pinniped.dev + names: + categories: + - pinniped + kind: OIDCClient + listKind: OIDCClientList + plural: oidcclients + singular: oidcclient + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.allowedScopes[?(@ == "pinniped:request-audience")] + name: Privileged Scopes + type: string + - jsonPath: .status.totalClientSecrets + name: Client Secrets + type: integer + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: OIDCClient describes the configuration of an OIDC client. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + properties: + name: + pattern: ^client\.oauth\.pinniped\.dev- + type: string + spec: + description: Spec of the OIDC client. + properties: + allowedGrantTypes: + description: |- + allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this + client. + + + Must only contain the following values: + - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to + authenticate users. This grant must always be listed. + - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. + This grant must be listed if allowedScopes lists offline_access. + - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + This grant must be listed if allowedScopes lists pinniped:request-audience. + items: + enum: + - authorization_code + - refresh_token + - urn:ietf:params:oauth:grant-type:token-exchange + type: string + minItems: 1 + type: array + x-kubernetes-list-type: set + allowedRedirectURIs: + description: |- + allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. + Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. + items: + pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ + type: string + minItems: 1 + type: array + x-kubernetes-list-type: set + allowedScopes: + description: |- + allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + + + Must only contain the following values: + - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). + This scope must always be listed. + - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope is present. + This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. + - username: The client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token will not contain the user's username. + - groups: The client is allowed to request that ID tokens contain the user's group membership, + if their group membership is discoverable by the Supervisor. + Without the groups scope being requested and allowed, the ID token will not contain groups. + items: + enum: + - openid + - offline_access + - username + - groups + - pinniped:request-audience + type: string + minItems: 1 + type: array + x-kubernetes-list-type: set + tokenLifetimes: + description: tokenLifetimes are the optional overrides of token lifetimes for an OIDCClient. + properties: + idTokenSeconds: + description: |- + idTokenSeconds is the lifetime of ID tokens issued to this client, in seconds. This will choose the lifetime of + ID tokens returned by the authorization flow and the refresh grant. It will not influence the lifetime of the ID + tokens returned by RFC8693 token exchange. When null, a short-lived default value will be used. + This value must be between 120 and 1,800 seconds (30 minutes), inclusive. It is recommended to make these tokens + short-lived to force the client to perform the refresh grant often, because the refresh grant will check with the + external identity provider to decide if it is acceptable for the end user to continue their session, and will + update the end user's group memberships from the external identity provider. Giving these tokens a long life is + will allow the end user to continue to use a token while avoiding these updates from the external identity + provider. However, some web applications may have reasons specific to the design of that application to prefer + longer lifetimes. + format: int32 + maximum: 1800 + minimum: 120 + type: integer + type: object + required: + - allowedGrantTypes + - allowedRedirectURIs + - allowedScopes + type: object + status: + description: Status of the OIDC client. + properties: + conditions: + description: conditions represent the observations of an OIDCClient's current state. + items: + description: "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: phase summarizes the overall status of the OIDCClient. + enum: + - Pending + - Ready + - Error + type: string + totalClientSecrets: + description: totalClientSecrets is the current number of client secrets that are detected for this OIDCClient. + format: int32 + type: integer + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: Namespace +metadata: + name: pinniped-supervisor + labels: + app: pinniped-supervisor +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: pinniped-supervisor + namespace: pinniped-supervisor + labels: + app: pinniped-supervisor +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: pinniped-supervisor-static-config + namespace: pinniped-supervisor + labels: + app: pinniped-supervisor +data: + pinniped.yaml: | + apiGroupSuffix: pinniped.dev + names: + defaultTLSCertificateSecret: pinniped-supervisor-default-tls-certificate + apiService: pinniped-supervisor-api + labels: + app: pinniped-supervisor + tls: + onedottwo: + allowedCiphers: [] +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: pinniped-supervisor + namespace: pinniped-supervisor + labels: + app: pinniped-supervisor +spec: + replicas: 2 + selector: + matchLabels: + app: pinniped-supervisor + template: + metadata: + labels: + app: pinniped-supervisor + deployment.pinniped.dev: supervisor + spec: + securityContext: + runAsUser: 65532 + runAsGroup: 65532 + serviceAccountName: pinniped-supervisor + containers: + - name: pinniped-supervisor + image: ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.32.0@sha256:f76fa757678f1ab2492be698dc33afbec5ce22b32eebb8a648d5196f9e63ce35 + imagePullPolicy: IfNotPresent + command: + - pinniped-supervisor + - /etc/podinfo + - /etc/config/pinniped.yaml + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 1000m + memory: 128Mi + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + - name: podinfo + mountPath: /etc/podinfo + readOnly: true + ports: + - containerPort: 8443 + protocol: TCP + env: [] + livenessProbe: + httpGet: + path: /healthz + port: 8443 + scheme: HTTPS + initialDelaySeconds: 2 + timeoutSeconds: 15 + periodSeconds: 10 + failureThreshold: 5 + readinessProbe: + httpGet: + path: /healthz + port: 8443 + scheme: HTTPS + initialDelaySeconds: 2 + timeoutSeconds: 3 + periodSeconds: 10 + failureThreshold: 3 + volumes: + - name: config-volume + configMap: + name: pinniped-supervisor-static-config + - name: podinfo + downwardAPI: + items: + - path: labels + fieldRef: + fieldPath: metadata.labels + - path: namespace + fieldRef: + fieldPath: metadata.namespace + - path: name + fieldRef: + fieldPath: metadata.name + tolerations: + - key: kubernetes.io/arch + effect: NoSchedule + operator: Equal + value: amd64 + - key: kubernetes.io/arch + effect: NoSchedule + operator: Equal + value: arm64 + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 50 + podAffinityTerm: + labelSelector: + matchLabels: + deployment.pinniped.dev: supervisor + topologyKey: kubernetes.io/hostname +--- +apiVersion: v1 +kind: Service +metadata: + name: pinniped-supervisor-api + namespace: pinniped-supervisor + labels: + app: pinniped-supervisor + annotations: + kapp.k14s.io/disable-default-label-scoping-rules: "" +spec: + type: ClusterIP + selector: + deployment.pinniped.dev: supervisor + ports: + - protocol: TCP + port: 443 + targetPort: 10250 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v1alpha1.clientsecret.supervisor.pinniped.dev + labels: + app: pinniped-supervisor +spec: + version: v1alpha1 + group: clientsecret.supervisor.pinniped.dev + groupPriorityMinimum: 9900 + versionPriority: 15 + service: + name: pinniped-supervisor-api + namespace: pinniped-supervisor + port: 443 +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev + labels: + app: pinniped-supervisor +spec: + group: idp.supervisor.pinniped.dev + names: + categories: + - pinniped + - pinniped-idp + - pinniped-idps + kind: ActiveDirectoryIdentityProvider + listKind: ActiveDirectoryIdentityProviderList + plural: activedirectoryidentityproviders + singular: activedirectoryidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.host + name: Host + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ActiveDirectoryIdentityProvider describes the configuration of an upstream Microsoft Active Directory identity provider. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. + properties: + bind: + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. + properties: + secretName: + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + The password must be non-empty. + minLength: 1 + type: string + required: + - secretName + type: object + groupSearch: + description: GroupSearch contains the configuration for searching for a user's group membership in ActiveDirectory. + properties: + attributes: + description: |- + Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as + the result of the group search. + properties: + groupName: + description: |- + GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name + in the user's list of groups after a successful authentication. + The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain", + where domain is constructed from the domain components of the group DN. + type: string + type: object + base: + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + The default behavior searches your entire domain for groups. + It may make sense to specify a subtree as a search base if you wish to exclude some groups + for security reasons or to make searches faster. + type: string + filter: + description: |- + Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the filter were specified as + "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". + This searches nested groups by default. + Note that nested group search can be slow for some Active Directory servers. To disable it, + you can set the filter to + "(&(objectClass=group)(member={})" + type: string + skipGroupRefresh: + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. + type: boolean + userAttributeForFilter: + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. + type: string + type: object + host: + description: 'Host is the hostname of this Active Directory identity provider, i.e., where to connect. For example: ldap.example.com:636.' + minLength: 1 + type: string + tls: + description: TLS contains the connection settings for how to establish the connection to the Host. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + type: string + type: object + userSearch: + description: UserSearch contains the configuration for searching for a user by name in Active Directory. + properties: + attributes: + description: |- + Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as + the result of the user search. + properties: + uid: + description: |- + UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely + identify the user within this ActiveDirectory provider after a successful authentication. + Optional, when empty this defaults to "objectGUID". + type: string + username: + description: |- + Username specifies the name of the attribute in Active Directory entry whose value shall become the username + of the user after a successful authentication. + Optional, when empty this defaults to "userPrincipalName". + type: string + type: object + base: + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + The default behavior searches your entire domain for users. + It may make sense to specify a subtree as a search base if you wish to exclude some users + or to make searches faster. + type: string + filter: + description: |- + Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will be + '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' + This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, + and is not shown in advanced view only + (which would likely mean its a system created service account with advanced permissions). + Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username. + type: string + type: object + required: + - host + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Represents the observations of an identity provider's current state. + items: + description: "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the ActiveDirectoryIdentityProvider. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: githubidentityproviders.idp.supervisor.pinniped.dev + labels: + app: pinniped-supervisor +spec: + group: idp.supervisor.pinniped.dev + names: + categories: + - pinniped + - pinniped-idp + - pinniped-idps + kind: GitHubIdentityProvider + listKind: GitHubIdentityProviderList + plural: githubidentityproviders + singular: githubidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.githubAPI.host + name: Host + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. + This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + + + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured + as OIDCClients. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. + properties: + allowAuthentication: + description: AllowAuthentication allows customization of who can authenticate using this IDP and how. + properties: + organizations: + description: Organizations allows customization of which organizations can authenticate using this IDP. + properties: + allowed: + description: |- + Allowed, when specified, indicates that only users with membership in at least one of the listed + GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + + The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + within that organization. + + + If no organizations are listed, you must set organizations: AllGitHubUsers. + items: + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + policy: + default: OnlyUsersFromAllowedOrganizations + description: |- + Policy must be set to "AllGitHubUsers" if allowed is empty. + + + This field only exists to ensure that Pinniped administrators are aware that an empty list of + allowedOrganizations means all GitHub users are allowed to log in. + enum: + - OnlyUsersFromAllowedOrganizations + - AllGitHubUsers + type: string + type: object + x-kubernetes-validations: + - message: spec.allowAuthentication.organizations.policy must be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed has organizations listed + rule: '!(has(self.allowed) && size(self.allowed) > 0 && self.policy == ''AllGitHubUsers'')' + - message: spec.allowAuthentication.organizations.policy must be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed is empty + rule: '!((!has(self.allowed) || size(self.allowed) == 0) && self.policy == ''OnlyUsersFromAllowedOrganizations'')' + required: + - organizations + type: object + claims: + default: {} + description: Claims allows customization of the username and groups claims. + properties: + groups: + default: slug + description: |- + Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + + Can be either "name" or "slug". Defaults to "slug". + + + GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + + GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + + Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + the team name or slug. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these group names are presented to Kubernetes. + + + See the response schema for + [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + enum: + - name + - slug + type: string + username: + default: login:id + description: |- + Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + + Can be either "id", "login", or "login:id". Defaults to "login:id". + + + GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + and may not start or end with hyphens. GitHub users are allowed to change their login name, + although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + then a second user might change their name from "baz" to "foo" in order to take the old + username of the first user. For this reason, it is not as safe to make authorization decisions + based only on the user's login attribute. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these usernames are presented to Kubernetes. + + + Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable + choice to concatenate the two values. + + + See the response schema for + [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + enum: + - id + - login + - login:id + type: string + type: object + client: + description: Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). + properties: + secretName: + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an GitHub App or GitHub OAuth2 client. + + + This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + minLength: 1 + type: string + required: + - secretName + type: object + githubAPI: + default: {} + description: GitHubAPI allows configuration for GitHub Enterprise Server + properties: + host: + default: github.com + description: |- + Host is required only for GitHub Enterprise Server. + Defaults to using GitHub's public API ("github.com"). + Do not specify a protocol or scheme since "https://" will always be used. + Port is optional. Do not specify a path, query, fragment, or userinfo. + Only domain name or IP address, subdomains (optional), and port (optional). + IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address + in square brackets. Example: "[::1]:443". + minLength: 1 + type: string + tls: + description: TLS configuration for GitHub Enterprise Server. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + type: string + type: object + type: object + required: + - allowAuthentication + - client + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Conditions represents the observations of an identity provider's current state. + items: + description: "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the GitHubIdentityProvider. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: ldapidentityproviders.idp.supervisor.pinniped.dev + labels: + app: pinniped-supervisor +spec: + group: idp.supervisor.pinniped.dev + names: + categories: + - pinniped + - pinniped-idp + - pinniped-idps + kind: LDAPIdentityProvider + listKind: LDAPIdentityProviderList + plural: ldapidentityproviders + singular: ldapidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.host + name: Host + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access + Protocol (LDAP) identity provider. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. + properties: + bind: + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. + properties: + secretName: + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + The password must be non-empty. + minLength: 1 + type: string + required: + - secretName + type: object + groupSearch: + description: GroupSearch contains the configuration for searching for a user's group membership in the LDAP provider. + properties: + attributes: + description: |- + Attributes specifies how the group's information should be read from each LDAP entry which was found as + the result of the group search. + properties: + groupName: + description: |- + GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name + in the user's list of groups after a successful authentication. + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name). + type: string + type: object + base: + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and + authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, + the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. + type: string + filter: + description: |- + Filter is the LDAP search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + For more information about LDAP filters, see https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as "member={}". + type: string + skipGroupRefresh: + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. + type: boolean + userAttributeForFilter: + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. + type: string + type: object + host: + description: 'Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636.' + minLength: 1 + type: string + tls: + description: TLS contains the connection settings for how to establish the connection to the Host. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + type: string + type: object + userSearch: + description: UserSearch contains the configuration for searching for a user by name in the LDAP provider. + properties: + attributes: + description: |- + Attributes specifies how the user's information should be read from the LDAP entry which was found as + the result of the user search. + properties: + uid: + description: |- + UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely + identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". + minLength: 1 + type: string + username: + description: |- + Username specifies the name of the attribute in the LDAP entry whose value shall become the username + of the user after a successful authentication. This would typically be the same attribute name used in + the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field + is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default + value of "dn={}" would not work. + minLength: 1 + type: string + type: object + base: + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". + minLength: 1 + type: string + filter: + description: |- + Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as the value from + Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be + explicitly specified, since the default value of "dn={}" would not work. + type: string + type: object + required: + - host + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Represents the observations of an identity provider's current state. + items: + description: "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the LDAPIdentityProvider. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: oidcidentityproviders.idp.supervisor.pinniped.dev + labels: + app: pinniped-supervisor +spec: + group: idp.supervisor.pinniped.dev + names: + categories: + - pinniped + - pinniped-idp + - pinniped-idps + kind: OIDCIdentityProvider + listKind: OIDCIdentityProviderList + plural: oidcidentityproviders + singular: oidcidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.issuer + name: Issuer + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: OIDCIdentityProvider describes the configuration of an upstream OpenID Connect identity provider. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. + properties: + authorizationConfig: + description: |- + AuthorizationConfig holds information about how to form the OAuth2 authorization request + parameters to be used with this OIDC identity provider. + properties: + additionalAuthorizeParameters: + description: |- + additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your + OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra + parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", + "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be + included in this setting. Additionally, the "hd" parameter cannot be included in this setting at this time. + The "hd" parameter is used by Google's OIDC provider to provide a hint as to which "hosted domain" the user + should use during login. However, Pinniped does not yet support validating the hosted domain in the resulting + ID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped. + This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password + Credentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the + Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" + parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's + authorization endpoint for its requirements for what to include in the request in order to receive a refresh + token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, + then include it here. Also note that most providers also require a certain scope to be requested in order to + receive refresh tokens. See the additionalScopes setting for more information about using scopes to request + refresh tokens. + items: + description: Parameter is a key/value pair which represents a parameter in an HTTP request. + properties: + name: + description: The name of the parameter. Required. + minLength: 1 + type: string + value: + description: The value of the parameter. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + additionalScopes: + description: |- + additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization + request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials + Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is + always required according to the OIDC spec. By default, when this field is not set, the Supervisor will request + the following scopes: "openid", "offline_access", "email", and "profile". See + https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the "profile" and "email" + scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the + "offline_access" scope. This default value may change in future versions of Pinniped as the standard evolves, + or as common patterns used by providers who implement the standard in the ecosystem evolve. + By setting this list to anything other than an empty list, you are overriding the + default value, so you may wish to include some of "offline_access", "email", and "profile" in your override list. + If you do not want any of these scopes to be requested, you may set this list to contain only "openid". + Some OIDC providers may also require a scope to get access to the user's group membership, in which case you + may wish to include it in this list. Sometimes the scope to request the user's group membership is called + "groups", but unfortunately this is not specified in the OIDC standard. + Generally speaking, you should include any scopes required to cause the appropriate claims to be the returned by + your OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in + the oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See + your OIDC provider's documentation for more information about what scopes are available to request claims. + Additionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor + from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be + "offline_access". See the documentation of your OIDC provider's authorization and token endpoints for its + requirements for what to include in the request in order to receive a refresh token in the response, if anything. + Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider + may ignore scopes that it does not understand or require (see + https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the + "offline_access" scope, then you must override the default value of this setting. This is required if your OIDC + provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). + items: + type: string + type: array + allowPasswordGrant: + description: |- + allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant + (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a + username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. + The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be + supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password + Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose + to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the + cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be + convenient for users, especially for identities from your OIDC provider which are not intended to represent a human + actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, + you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this + OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password + Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords + (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other + web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. + allowPasswordGrant defaults to false. + type: boolean + type: object + claims: + description: |- + Claims provides the names of token claims that will be used when inspecting an identity from + this OIDC identity provider. + properties: + additionalClaimMappings: + additionalProperties: + type: string + description: |- + AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients. + This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be + used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims + are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. + type: object + groups: + description: |- + Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain + the groups to which an identity belongs. By default, the identities will not include any group memberships when + this setting is not configured. + type: string + username: + description: |- + Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to + ascertain an identity's username. When not set, the username will be an automatically constructed unique string + which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from + the ID token. + type: string + type: object + client: + description: |- + OIDCClient contains OIDC client information to be used used with this OIDC identity + provider. + properties: + secretName: + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient + struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" with keys + "clientID" and "clientSecret". + type: string + required: + - secretName + type: object + issuer: + description: |- + Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch + /.well-known/openid-configuration. + minLength: 1 + pattern: ^https:// + type: string + tls: + description: TLS configuration for discovery/JWKS requests to the issuer. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + type: string + type: object + required: + - client + - issuer + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Represents the observations of an identity provider's current state. + items: + description: "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the OIDCIdentityProvider. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: pinniped-supervisor + namespace: pinniped-supervisor + labels: + app: pinniped-supervisor +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - list + - patch + - update + - watch + - delete +- apiGroups: + - config.supervisor.pinniped.dev + resources: + - federationdomains + verbs: + - get + - list + - watch +- apiGroups: + - config.supervisor.pinniped.dev + resources: + - federationdomains/status + verbs: + - get + - patch + - update +- apiGroups: + - config.supervisor.pinniped.dev + resources: + - oidcclients + verbs: + - get + - list + - watch +- apiGroups: + - config.supervisor.pinniped.dev + resources: + - oidcclients/status + verbs: + - get + - patch + - update +- apiGroups: + - idp.supervisor.pinniped.dev + resources: + - oidcidentityproviders + verbs: + - get + - list + - watch +- apiGroups: + - idp.supervisor.pinniped.dev + resources: + - oidcidentityproviders/status + verbs: + - get + - patch + - update +- apiGroups: + - idp.supervisor.pinniped.dev + resources: + - ldapidentityproviders + verbs: + - get + - list + - watch +- apiGroups: + - idp.supervisor.pinniped.dev + resources: + - ldapidentityproviders/status + verbs: + - get + - patch + - update +- apiGroups: + - idp.supervisor.pinniped.dev + resources: + - activedirectoryidentityproviders + verbs: + - get + - list + - watch +- apiGroups: + - idp.supervisor.pinniped.dev + resources: + - activedirectoryidentityproviders/status + verbs: + - get + - patch + - update +- apiGroups: + - idp.supervisor.pinniped.dev + resources: + - githubidentityproviders + verbs: + - get + - list + - watch +- apiGroups: + - idp.supervisor.pinniped.dev + resources: + - githubidentityproviders/status + verbs: + - get + - patch + - update +- apiGroups: + - "" + resources: + - pods + verbs: + - get +- apiGroups: + - apps + resources: + - replicasets + - deployments + verbs: + - get +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: pinniped-supervisor + namespace: pinniped-supervisor + labels: + app: pinniped-supervisor +subjects: +- kind: ServiceAccount + name: pinniped-supervisor + namespace: pinniped-supervisor +roleRef: + kind: Role + name: pinniped-supervisor + apiGroup: rbac.authorization.k8s.io +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: pinniped-supervisor-extension-apiserver-authentication-reader + namespace: kube-system + labels: + app: pinniped-supervisor +subjects: +- kind: ServiceAccount + name: pinniped-supervisor + namespace: pinniped-supervisor +roleRef: + kind: Role + name: extension-apiserver-authentication-reader + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: pinniped-supervisor + labels: + app: pinniped-supervisor +subjects: +- kind: ServiceAccount + name: pinniped-supervisor + namespace: pinniped-supervisor +roleRef: + kind: ClusterRole + name: system:auth-delegator + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: pinniped-supervisor-aggregated-api-server + labels: + app: pinniped-supervisor +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + - mutatingwebhookconfigurations + - validatingadmissionpolicies + - validatingadmissionpolicybindings + verbs: + - get + - list + - watch +- apiGroups: + - flowcontrol.apiserver.k8s.io + resources: + - flowschemas + - prioritylevelconfigurations + verbs: + - get + - list + - watch +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: pinniped-supervisor-aggregated-api-server + labels: + app: pinniped-supervisor +subjects: +- kind: ServiceAccount + name: pinniped-supervisor + namespace: pinniped-supervisor +roleRef: + kind: ClusterRole + name: pinniped-supervisor-aggregated-api-server + apiGroup: rbac.authorization.k8s.io diff --git a/hack/test-external.sh b/hack/test-external.sh index e06222489..f38d060c4 100755 --- a/hack/test-external.sh +++ b/hack/test-external.sh @@ -22,7 +22,7 @@ time kapp delete -y -a cert-manager time kapp deploy -y -a gk -f examples/gatekeeper-v3.10.0/config.yml time kapp delete -y -a gk -time kapp deploy -y -a pinniped -f examples/pinniped-v0.13.0/ +time kapp deploy -y -a pinniped -f examples/pinniped-v0.32.0/ time kapp delete -y -a pinniped pkill -9 'minikube'