{ "description": "WorkloadIdentityV1 is the Schema for the workloadidentitiesv1 API", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "WorkloadIdentity resource definition v1 from Teleport", "properties": { "rules": { "description": "The rules which are evaluated before the WorkloadIdentity can be issued.", "nullable": true, "properties": { "allow": { "description": "A list of rules used to determine if a WorkloadIdentity can be issued. If none are provided, it will be considered a pass. If any are provided, then at least one must pass for the rules to be considered passed.", "items": { "properties": { "conditions": { "description": "The conditions that must be met for this rule to be considered passed. Mutually exclusive with expression.", "items": { "properties": { "attribute": { "description": "The name of the attribute to evaluate the condition against.", "type": "string" }, "eq": { "description": "The attribute casted to a string must be equal to the value.", "nullable": true, "properties": { "value": { "description": "The value to compare the attribute against.", "type": "string" } }, "type": "object", "additionalProperties": false }, "in": { "description": "The attribute casted to a string must be in the list of values.", "nullable": true, "properties": { "values": { "description": "The list of values to compare the attribute against.", "items": { "type": "string" }, "nullable": true, "type": "array" } }, "type": "object", "additionalProperties": false }, "not_eq": { "description": "The attribute casted to a string must not be equal to the value.", "nullable": true, "properties": { "value": { "description": "The value to compare the attribute against.", "type": "string" } }, "type": "object", "additionalProperties": false }, "not_in": { "description": "The attribute casted to a string must not be in the list of values.", "nullable": true, "properties": { "values": { "description": "The list of values to compare the attribute against.", "items": { "type": "string" }, "nullable": true, "type": "array" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "nullable": true, "type": "array" }, "expression": { "description": "An expression written in Teleport's predicate language that must evaluate to true for this rule to be considered passed. Mutually exclusive with conditions.", "type": "string" } }, "type": "object", "additionalProperties": false }, "nullable": true, "type": "array" } }, "type": "object", "additionalProperties": false }, "spiffe": { "description": "Configuration pertaining to the issuance of SPIFFE-compatible workload identity credentials.", "nullable": true, "properties": { "hint": { "description": "A freeform text field which is provided to workloads along with a credential produced by this WorkloadIdentity. This can be used to provide additional context that can be used to select between multiple credentials.", "type": "string" }, "id": { "description": "The path of the SPIFFE ID that will be issued to the workload. This should be prefixed with a forward-slash (\"/\"). This field supports templating using attributes.", "type": "string" }, "jwt": { "description": "Configuration specific to JWT-SVIDs.", "nullable": true, "properties": { "extra_claims": { "additionalProperties": true, "description": "Additional claims that will be added to the JWT.", "nullable": true, "type": "object" }, "maximum_ttl": { "description": "Control the maximum TTL of JWT-SVIDs issued using this WorkloadIdentity. If a JWT-SVID is requested with a TTL greater than this value, then the returned JWT-SVID will have a TTL of this value. Defaults to 24 hours. The maximum this value can be set to is 24 hours.", "format": "duration", "type": "string" } }, "type": "object", "additionalProperties": false }, "x509": { "description": "Configuration specific to X509-SVIDs.", "nullable": true, "properties": { "dns_sans": { "description": "The DNS Subject Alternative Names (SANs) that should be included in an X509-SVID issued using this WorkloadIdentity. Each entry in this list supports templating using attributes.", "items": { "type": "string" }, "nullable": true, "type": "array" }, "maximum_ttl": { "description": "Control the maximum TTL of X509-SVIDs issued using this WorkloadIdentity. If a X509-SVID is requested with a TTL greater than this value, then the returned X509-SVID will have a TTL of this value. Defaults to 24 hours. The maximum this value can be set to is 14 days.", "format": "duration", "type": "string" }, "subject_template": { "description": "Used to configure the Subject Distinguished Name (DN) of the X509-SVID. In most circumstances, it is recommended to prefer relying on the SPIFFE ID encoded in the URI SAN. However, the Subject DN may be needed to support legacy systems designed for X509 and not SPIFFE/WIMSE. If not provided, the X509-SVID will be issued with an empty Subject DN.", "nullable": true, "properties": { "common_name": { "description": "Common Name (CN) - 2.5.4.3 If empty, the RDN will be omitted from the DN.", "type": "string" }, "organization": { "description": "Organization (O) - 2.5.4.10 If empty, the RDN will be omitted from the DN.", "type": "string" }, "organizational_unit": { "description": "Organizational Unit (OU) - 2.5.4.11 If empty, the RDN will be omitted from the DN.", "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "status": { "description": "Status defines the observed state of the Teleport resource", "properties": { "conditions": { "description": "Conditions represent the latest available observations of an object's state", "items": { "description": "Condition contains details for one aspect of the current state of this API Resource.", "properties": { "lastTransitionTime": { "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", "format": "date-time", "type": "string" }, "message": { "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", "maxLength": 32768, "type": "string" }, "observedGeneration": { "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", "format": "int64", "minimum": 0, "type": "integer" }, "reason": { "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.", "maxLength": 1024, "minLength": 1, "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$", "type": "string" }, "status": { "description": "status of the condition, one of True, False, Unknown.", "enum": [ "True", "False", "Unknown" ], "type": "string" }, "type": { "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", "maxLength": 316, "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$", "type": "string" } }, "required": [ "lastTransitionTime", "message", "reason", "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array" }, "teleportResourceID": { "format": "int64", "type": "integer" } }, "type": "object", "additionalProperties": false } }, "type": "object" }