simon/kube
1
0
Fork 0
forked from k-space/kube
Code Pull Requests Activity

oidc: add oidc-gateway manifests

Browse Source
This commit is contained in:
Erki Aas
2023-06-27 14:01:44 +03:00
parent 1d3d58f1a0
commit 045a8bb574
4 changed files with 557 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

276
oidc-gateway/crds.yml Normal file
View File

@@ -0,0 +1,276 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: oidcgatewayusers.codemowers.io
spec:
group: codemowers.io
names:
plural: oidcgatewayusers
singular: oidcgatewayuser
kind: OIDCGWUser
scope: Namespaced
versions:
- name: v1alpha1
served: true
storage: true
subresources:
status: { }
schema:
openAPIV3Schema:
required:
- spec
type: object
properties:
spec:
type: object
properties:
email:
type: string
customGroups:
type: array
items:
type: object
properties:
prefix:
type: string
name:
type: string
customProfile:
type: object
properties:
name:
type: string
company:
type: string
githubEmails:
type: array
items:
type: object
properties:
email:
type: string
primary:
type: boolean
default: false
githubGroups:
type: array
items:
type: object
properties:
prefix:
type: string
enum: [ 'github.com' ]
name:
type: string
githubProfile:
type: object
properties:
name:
type: string
company:
type: string
id:
type: integer
login:
type: string
slackId:
type: string
status:
type: object
properties:
primaryEmail:
type: string
emails:
type: array
items:
type: string
groups:
type: array
items:
type: object
properties:
prefix:
type: string
name:
type: string
profile:
type: object
properties:
name:
type: string
company:
type: string
slackId:
type: string
conditions:
type: array
items:
type: object
x-kubernetes-embedded-resource: true
x-kubernetes-preserve-unknown-fields: true
additionalPrinterColumns:
- name: Name
type: string
jsonPath: .status.profile.name
- name: Emails
type: string
jsonPath: .status.emails
- name: Groups
type: string
jsonPath: .status.groups
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: oidcgatewayclients.codemowers.io
spec:
group: codemowers.io
names:
plural: oidcgatewayclients
singular: oidcgatewayclient
kind: OIDCGWClient
scope: Namespaced
versions:
- name: v1alpha1
served: true
storage: true
subresources:
status: { }
schema:
openAPIV3Schema:
required:
- spec
type: object
properties:
spec:
type: object
required:
- redirectUris # TODO: add validation
- grantTypes
- responseTypes
properties:
uri:
type: string
displayName:
type: string
redirectUris:
type: array
items:
type: string
grantTypes:
type: array
items:
type: string
enum: [ 'implicit', 'authorization_code', 'refresh_token' ]
responseTypes:
type: array
items:
type: string
enum: [ 'code id_token', 'code', 'id_token', 'none' ]
tokenEndpointAuthMethod:
type: string
enum: [ 'client_secret_basic', 'client_secret_jwt', 'client_secret_post', 'private_key_jwt', 'none' ]
idTokenSignedResponseAlg:
type: string
enum: [ 'PS256','RS256', 'ES256' ]
allowedGroups:
type: array
items:
type: string
availableScopes:
type: array
items:
type: string
enum: [ 'openid', 'profile', 'offline_access' ]
default: [ 'openid' ]
pkce:
type: boolean
default: true
status:
type: object
properties:
gateway:
type: string
additionalPrinterColumns:
- name: Gateway
type: string
description: 'OIDC gateway deployment which manages this client'
jsonPath: .status.gateway
- name: Uris
type: string
description: 'Redirect URLs configured for this client'
jsonPath: .spec.redirectUris
- name: Allowed groups
type: string
description: 'Groups allowed to this client'
jsonPath: .spec.allowedGroups
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: oidcgatewaymiddlewareclients.codemowers.io
spec:
group: codemowers.io
names:
plural: oidcgatewaymiddlewareclients
singular: oidcgatewaymiddlewareclient
kind: OIDCGWMiddlewareClient
scope: Namespaced
versions:
- name: v1alpha1
served: true
storage: true
subresources:
status: { }
schema:
openAPIV3Schema:
required:
- spec
type: object
properties:
spec:
type: object
properties:
uri:
type: string
displayName:
type: string
allowedGroups:
type: array
items:
type: string
headerMapping:
type: object
default:
user: 'Remote-User'
name: 'Remote-Name'
email: 'Remote-Email'
groups: 'Remote-Groups'
properties:
user:
type: string
name:
type: string
email:
type: string
groups:
type: string
status:
type: object
properties:
gateway:
type: string
additionalPrinterColumns:
- name: Gateway
type: string
description: 'OIDC gateway deployment which manages this client'
jsonPath: .status.gateway
- name: Uri
type: string
description: 'URL configured for this client'
jsonPath: .spec.uri
- name: Allowed groups
type: string
description: 'Groups allowed to this client'
jsonPath: .spec.allowedGroups