306 lines
19 KiB
YAML
306 lines
19 KiB
YAML
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.15.0
|
|
labels:
|
|
app.kubernetes.io/name: airlock-microgateway-operator
|
|
app.kubernetes.io/version: 4.3.0
|
|
name: oidcproviders.microgateway.airlock.com
|
|
spec:
|
|
group: microgateway.airlock.com
|
|
names:
|
|
categories:
|
|
- airlock-microgateway
|
|
kind: OIDCProvider
|
|
listKind: OIDCProviderList
|
|
plural: oidcproviders
|
|
singular: oidcprovider
|
|
scope: Namespaced
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
name: v1alpha1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: |-
|
|
OIDCProvider specifies an OpenID Provider (OP).
|
|
|
|
|
|
{{% notice warning %}} The OIDC feature is currently in an experimental state.
|
|
|
|
|
|
We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as security has not yet been hardened.
|
|
In particular, the current implementation has the following limitations, which we intend to address in future Microgateway releases:
|
|
- The state parameter is guessable.
|
|
- Sessions are always shared across all Microgateway Engines using the same Redis instance.
|
|
I.e. if application A and B (with different SidecarGateways) have the same Redis instance configured in their SessionHandling CR, users which are logged into application A
|
|
may be able to access authenticated routes on application B, even if their OIDCRelyingParty configuration differs.
|
|
|
|
|
|
{{% /notice %}}
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Specification of an OpenID Provider.
|
|
properties:
|
|
static:
|
|
description: Static configures an OpenID Provider by explicitly specifying all endpoints.
|
|
properties:
|
|
endpoints:
|
|
description: Endpoints specifies the OpenID Provider endpoints.
|
|
properties:
|
|
authorization:
|
|
description: Authorization specifies the endpoint to which the authorization request is sent.
|
|
properties:
|
|
uri:
|
|
description: URI specifies the endpoint address.
|
|
format: uri
|
|
minLength: 1
|
|
pattern: ^(http|https)://.*$
|
|
type: string
|
|
required:
|
|
- uri
|
|
type: object
|
|
token:
|
|
description: Token configures the endpoint from which the access, ID and refresh tokens are obtained.
|
|
properties:
|
|
tls:
|
|
description: TLS defines TLS settings.
|
|
properties:
|
|
certificateVerification:
|
|
description: CertificateVerification specifies how the certificate presented by the server is verified.
|
|
properties:
|
|
custom:
|
|
description: |-
|
|
Custom explicitly specifies how the server certificate should be verified.
|
|
Typical use cases include specifying a custom CA and SAN match when working with self-signed certificates or pinning a specific public key.
|
|
properties:
|
|
allowedSANs:
|
|
description: |-
|
|
AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
|
|
Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics,
|
|
that is to say, the SAN is verified if at least one matcher is matched.
|
|
AllowedSANs requires trustedCA to be set.
|
|
items:
|
|
description: |-
|
|
TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the
|
|
Subject Alternative Name of the presented certificate matches one of the specified matchers.
|
|
properties:
|
|
matcher:
|
|
description: Matcher defines the string matcher for the SAN value.
|
|
properties:
|
|
contains:
|
|
description: |-
|
|
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
|
|
Only one of exact, prefix, suffix, regex or contains can be set.
|
|
minLength: 1
|
|
type: string
|
|
exact:
|
|
description: |-
|
|
Exact defines an explicit match on the string specified here.
|
|
Only one of exact, prefix, suffix, regex or contains can be set.
|
|
minLength: 1
|
|
type: string
|
|
ignoreCase:
|
|
default: false
|
|
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
|
|
type: boolean
|
|
prefix:
|
|
description: |-
|
|
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
|
|
Only one of exact, prefix, suffix, regex or contains can be set.
|
|
minLength: 1
|
|
type: string
|
|
regex:
|
|
description: |-
|
|
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
|
|
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
|
|
Only one of exact, prefix, suffix, regex or contains can be set.
|
|
minLength: 1
|
|
type: string
|
|
suffix:
|
|
description: |-
|
|
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
|
|
Only one of exact, prefix, suffix, regex or contains can be set.
|
|
minLength: 1
|
|
type: string
|
|
type: object
|
|
sanType:
|
|
description: SanType defines the type of SAN matcher.
|
|
enum:
|
|
- DNS
|
|
- Email
|
|
- URI
|
|
- IPAddress
|
|
type: string
|
|
required:
|
|
- matcher
|
|
- sanType
|
|
type: object
|
|
minItems: 1
|
|
type: array
|
|
certificatePinning:
|
|
description: |-
|
|
CertificatePinning defines constraints the presented certificate must fulfill.
|
|
If more than one constraint is configured only one must be satisfied.
|
|
At least one of allowedSPKIs and allowedHashes must be set.
|
|
properties:
|
|
allowedHashes:
|
|
description: |-
|
|
AllowedHashes is a list of hex-encoded SHA-256 hashes.
|
|
If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
|
|
items:
|
|
type: string
|
|
minItems: 1
|
|
type: array
|
|
allowedSPKIs:
|
|
description: |-
|
|
AllowedSPKIs is a list of base64-encoded SHA-256 hashes.
|
|
If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.
|
|
items:
|
|
type: string
|
|
minItems: 1
|
|
type: array
|
|
type: object
|
|
crl:
|
|
description: CRL defines the Certificate Revocation List (CRL) settings.
|
|
properties:
|
|
lists:
|
|
description: Lists defines the list of secretRefs containing Certificate Revocation Lists.
|
|
items:
|
|
properties:
|
|
secretRef:
|
|
description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'.
|
|
properties:
|
|
name:
|
|
description: Name of the resource
|
|
minLength: 1
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- secretRef
|
|
type: object
|
|
minItems: 1
|
|
type: array
|
|
validationMode:
|
|
default: VerifyChain
|
|
description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked.
|
|
enum:
|
|
- VerifyLeafCertOnly
|
|
- VerifyChain
|
|
type: string
|
|
type: object
|
|
trustedCA:
|
|
description: TrustedCA defines which CA certificates are trusted.
|
|
properties:
|
|
certificates:
|
|
description: Certificates defines the list of secretRefs containing trusted CA certificates.
|
|
items:
|
|
properties:
|
|
secretRef:
|
|
description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'.
|
|
properties:
|
|
name:
|
|
description: Name of the resource
|
|
minLength: 1
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- secretRef
|
|
type: object
|
|
minItems: 1
|
|
type: array
|
|
verificationDepth:
|
|
default: 1
|
|
description: |-
|
|
VerificationDepth specifies the hops in the certificate chain at which validation is performed.
|
|
1 means that either the leaf or the signing CA must be in the set of trusted certificates.
|
|
format: int32
|
|
type: integer
|
|
required:
|
|
- certificates
|
|
type: object
|
|
type: object
|
|
disabled:
|
|
description: |-
|
|
Disabled specifies to trust any certificate without verification.
|
|
THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING.
|
|
type: object
|
|
publicCAs:
|
|
description: PublicCAs specifies to only accept certificates with a SAN matching "uri" and which are signed by a CA which is either directly or indirectly trusted by any of the root CA certificates shipped with the Airlock Microgateway Engine's base image.
|
|
type: object
|
|
type: object
|
|
ciphers:
|
|
description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration.
|
|
items:
|
|
type: string
|
|
minItems: 1
|
|
type: array
|
|
protocol:
|
|
description: Protocol defines the supported TLS protocol versions.
|
|
properties:
|
|
maximum:
|
|
description: Maximum supported TLS version.
|
|
enum:
|
|
- TLSv1_0
|
|
- TLSv1_1
|
|
- TLSv1_2
|
|
- TLSv1_3
|
|
type: string
|
|
minimum:
|
|
description: Minimum supported TLS version.
|
|
enum:
|
|
- TLSv1_0
|
|
- TLSv1_1
|
|
- TLSv1_2
|
|
- TLSv1_3
|
|
type: string
|
|
type: object
|
|
type: object
|
|
uri:
|
|
description: URI specifies the endpoint address.
|
|
format: uri
|
|
minLength: 1
|
|
pattern: ^(http|https)://.*$
|
|
type: string
|
|
required:
|
|
- uri
|
|
type: object
|
|
required:
|
|
- authorization
|
|
- token
|
|
type: object
|
|
required:
|
|
- endpoints
|
|
type: object
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources: {}
|