{ "description": "CredentialIssuer describes the configuration and status of the Pinniped Concierge credential issuer.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "Spec describes the intended configuration of the Concierge.", "properties": { "impersonationProxy": { "description": "ImpersonationProxy describes the intended configuration of the Concierge impersonation proxy.", "properties": { "externalEndpoint": { "description": "ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will\nbe served using the external name of the LoadBalancer service or the cluster service DNS name.\n\nThis field must be non-empty when spec.impersonationProxy.service.type is \"None\".", "type": "string" }, "mode": { "description": "Mode configures whether the impersonation proxy should be started:\n- \"disabled\" explicitly disables the impersonation proxy. This is the default.\n- \"enabled\" explicitly enables the impersonation proxy.\n- \"auto\" enables or disables the impersonation proxy based upon the cluster in which it is running.", "enum": [ "auto", "enabled", "disabled" ], "type": "string" }, "service": { "default": { "type": "LoadBalancer" }, "description": "Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients.", "properties": { "annotations": { "additionalProperties": { "type": "string" }, "description": "Annotations specifies zero or more key/value pairs to set as annotations on the provisioned Service.", "type": "object" }, "loadBalancerIP": { "description": "LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service.\nThis is not supported on all cloud providers.", "maxLength": 255, "minLength": 1, "type": "string" }, "type": { "default": "LoadBalancer", "description": "Type specifies the type of Service to provision for the impersonation proxy.\n\nIf the type is \"None\", then the \"spec.impersonationProxy.externalEndpoint\" field must be set to a non-empty\nvalue so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status.", "enum": [ "LoadBalancer", "ClusterIP", "None" ], "type": "string" } }, "type": "object", "additionalProperties": false }, "tls": { "description": "TLS contains information about how the Concierge impersonation proxy should serve TLS.\n\nIf this field is empty, the impersonation proxy will generate its own TLS certificate.", "properties": { "certificateAuthorityData": { "description": "X.509 Certificate Authority (base64-encoded PEM bundle).\nUsed to advertise the CA bundle for the impersonation proxy endpoint.", "type": "string" }, "secretName": { "description": "SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains\nthe TLS serving certificate for the Concierge impersonation proxy endpoint.", "minLength": 1, "type": "string" } }, "type": "object", "additionalProperties": false } }, "required": [ "mode", "service" ], "type": "object", "additionalProperties": false } }, "required": [ "impersonationProxy" ], "type": "object", "additionalProperties": false }, "status": { "description": "CredentialIssuerStatus describes the status of the Concierge.", "properties": { "kubeConfigInfo": { "description": "Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.\nThis field is deprecated and will be removed in a future version.", "properties": { "certificateAuthorityData": { "description": "The K8s API server CA bundle.", "minLength": 1, "type": "string" }, "server": { "description": "The K8s API server URL.", "minLength": 1, "pattern": "^https://|^http://", "type": "string" } }, "required": [ "certificateAuthorityData", "server" ], "type": "object", "additionalProperties": false }, "strategies": { "description": "List of integration strategies that were attempted by Pinniped.", "items": { "description": "CredentialIssuerStrategy describes the status of an integration strategy that was attempted by Pinniped.", "properties": { "frontend": { "description": "Frontend describes how clients can connect using this strategy.", "properties": { "impersonationProxyInfo": { "description": "ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge.\nThis field is only set when Type is \"ImpersonationProxy\".", "properties": { "certificateAuthorityData": { "description": "CertificateAuthorityData is the base64-encoded PEM CA bundle of the impersonation proxy.", "minLength": 1, "type": "string" }, "endpoint": { "description": "Endpoint is the HTTPS endpoint of the impersonation proxy.", "minLength": 1, "pattern": "^https://", "type": "string" } }, "required": [ "certificateAuthorityData", "endpoint" ], "type": "object", "additionalProperties": false }, "tokenCredentialRequestInfo": { "description": "TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge.\nThis field is only set when Type is \"TokenCredentialRequestAPI\".", "properties": { "certificateAuthorityData": { "description": "CertificateAuthorityData is the base64-encoded Kubernetes API server CA bundle.", "minLength": 1, "type": "string" }, "server": { "description": "Server is the Kubernetes API server URL.", "minLength": 1, "pattern": "^https://|^http://", "type": "string" } }, "required": [ "certificateAuthorityData", "server" ], "type": "object", "additionalProperties": false }, "type": { "description": "Type describes which frontend mechanism clients can use with a strategy.", "enum": [ "TokenCredentialRequestAPI", "ImpersonationProxy" ], "type": "string" } }, "required": [ "type" ], "type": "object", "additionalProperties": false }, "lastUpdateTime": { "description": "When the status was last checked.", "format": "date-time", "type": "string" }, "message": { "description": "Human-readable description of the current status.", "minLength": 1, "type": "string" }, "reason": { "description": "Reason for the current status.", "enum": [ "Listening", "Pending", "Disabled", "ErrorDuringSetup", "CouldNotFetchKey", "CouldNotGetClusterInfo", "FetchedKey" ], "type": "string" }, "status": { "description": "Status of the attempted integration strategy.", "enum": [ "Success", "Error" ], "type": "string" }, "type": { "description": "Type of integration attempted.", "enum": [ "KubeClusterSigningCertificate", "ImpersonationProxy" ], "type": "string" } }, "required": [ "lastUpdateTime", "message", "reason", "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "required": [ "strategies" ], "type": "object", "additionalProperties": false } }, "type": "object" }