{ "description": "LDAPAuthEngineConfig is the Schema for the ldapauthengineconfigs API", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": [ "string", "null" ] }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": [ "string", "null" ] }, "metadata": { "type": [ "object", "null" ] }, "spec": { "additionalProperties": false, "description": "LDAPAuthEngineConfigSpec defines the desired state of LDAPAuthEngineConfig", "properties": { "TLSMaxVersion": { "default": "tls12", "description": "TLSMaxVersion Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13", "type": [ "string", "null" ] }, "TLSMinVersion": { "default": "tls12", "description": "TLSMinVersion Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13", "type": [ "string", "null" ] }, "UPNDomain": { "default": "", "description": "UPNDomain The userPrincipalDomain used to construct the UPN string for the authenticating user.\nThe constructed UPN will appear as [username]@UPNDomain. Example: example.com, which will cause vault to bind as username@example.com", "type": [ "string", "null" ] }, "anonymousGroupSearch": { "default": false, "description": "AnonymousGroupSearch Use anonymous binds when performing LDAP group searches (note: even when true, the initial credentials will still be used for the initial connection test).", "type": [ "boolean", "null" ] }, "authentication": { "additionalProperties": false, "properties": { "namespace": { "description": "Namespace is the Vault namespace to be used in all the operations withing this connection/authentication. Only available in Vault Enterprise.", "type": [ "string", "null" ] }, "path": { "default": "kubernetes", "description": "Path is the path of the role used for this kube auth authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path}", "pattern": "^(?:/?[\\w;:@\u0026=\\$-\\.\\+]*)+/?", "type": [ "string", "null" ] }, "role": { "description": "Role the role to be used during authentication", "type": [ "string", "null" ] }, "serviceAccount": { "additionalProperties": false, "default": { "name": "default" }, "description": "ServiceAccount is the service account used for the kube auth authentication", "properties": { "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. apiVersion, kind, uid?", "type": [ "string", "null" ] } }, "type": [ "object", "null" ], "x-kubernetes-map-type": "atomic" } }, "type": [ "object", "null" ] }, "bindCredentials": { "additionalProperties": false, "description": "BindCredentials is used to connect to the LDAP service on the specified LDAP Server.\nBindCredentials consists in bindDN and bindPass, which can be created as Kubernetes Secret, VaultSecret or RandomSecret.", "properties": { "passwordKey": { "default": "password", "description": "PasswordKey key to be used when retrieving the password, required with VaultSecrets and Kubernetes secrets, ignored with RandomSecret", "type": [ "string", "null" ] }, "randomSecret": { "additionalProperties": false, "description": "RandomSecret retrieves the credentials from the Vault secret corresponding to this RandomSecret. This will map the \"username\" and \"password\" keys of the secret to the username and password of this config. All other keys will be ignored. If the RandomSecret is refreshed the operator retrieves the new secret from Vault and updates this configuration. Only one of RootCredentialsFromVaultSecret or RootCredentialsFromSecret or RootCredentialsFromRandomSecret can be specified.\nWhen using randomSecret a username must be specified in the spec.username\npassword: Specifies the password to use when connecting with the username. This value will not be returned by Vault when performing a read upon the configuration. This is typically used in the connection_url field via the templating directive \"{{\"password\"}}\"\".", "properties": { "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. apiVersion, kind, uid?", "type": [ "string", "null" ] } }, "type": [ "object", "null" ], "x-kubernetes-map-type": "atomic" }, "secret": { "additionalProperties": false, "description": "Secret retrieves the credentials from a Kubernetes secret. The secret must be of basicauth type (https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret). This will map the \"username\" and \"password\" keys of the secret to the username and password of this config. If the kubernetes secret is updated, this configuration will also be updated. All other keys will be ignored. Only one of RootCredentialsFromVaultSecret or RootCredentialsFromSecret or RootCredentialsFromRandomSecret can be specified.\nusername: Specifies the name of the user to use as the \"root\" user when connecting to the database. This \"root\" user is used to create/update/delete users managed by these plugins, so you will need to ensure that this user has permissions to manipulate users appropriate to the database. This is typically used in the connection_url field via the templating directive \"{{\"username\"}}\" or \"{{\"name\"}}\".\npassword: Specifies the password to use when connecting with the username. This value will not be returned by Vault when performing a read upon the configuration. This is typically used in the connection_url field via the templating directive \"{{\"password\"}}\".\nIf username is provided as spec.username, it takes precedence over the username retrieved from the referenced secret", "properties": { "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. apiVersion, kind, uid?", "type": [ "string", "null" ] } }, "type": [ "object", "null" ], "x-kubernetes-map-type": "atomic" }, "usernameKey": { "default": "username", "description": "UsernameKey key to be used when retrieving the username, optional with VaultSecrets and Kubernetes secrets, ignored with RandomSecret", "type": [ "string", "null" ] }, "vaultSecret": { "additionalProperties": false, "description": "VaultSecret retrieves the credentials from a Vault secret. This will map the \"username\" and \"password\" keys of the secret to the username and password of this config. All other keys will be ignored. Only one of RootCredentialsFromVaultSecret or RootCredentialsFromSecret or RootCredentialsFromRandomSecret can be specified.\nusername: Specifies the name of the user to use as the \"root\" user when connecting to the database. This \"root\" user is used to create/update/delete users managed by these plugins, so you will need to ensure that this user has permissions to manipulate users appropriate to the database. This is typically used in the connection_url field via the templating directive \"{{\"username\"}}\" or \"{{\"name\"}}\".\npassword: Specifies the password to use when connecting with the username. This value will not be returned by Vault when performing a read upon the configuration. This is typically used in the connection_url field via the templating directive \"{{\"password\"}}\".\nIf username is provided as spec.username, it takes precedence over the username retrieved from the referenced secret", "properties": { "path": { "description": "Path is the path to the secret", "type": [ "string", "null" ] } }, "type": [ "object", "null" ] } }, "type": [ "object", "null" ] }, "bindDN": { "default": "", "description": "BindDN - Username used to connect to the LDAP service on the specified LDAP Server.\nIf in the form accountname@domain.com, the username is transformed into a proper LDAP bind DN, for example, CN=accountname,CN=users,DC=domain,DC=com, when accessing the LDAP server.\nIf username is provided it takes precedence over the username retrieved from the referenced secrets", "type": [ "string", "null" ] }, "caseSensitiveNames": { "default": false, "description": "CaseSensitiveNames If set, user and group names assigned to policies within the backend will be case sensitive.\nOtherwise, names will be normalized to lower case. Case will still be preserved when sending the username to the LDAP server at login time; this is only for matching local user/group definitions.", "type": "boolean" }, "certificate": { "default": "", "description": "Certificate CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.", "type": [ "string", "null" ] }, "clientTLSCert": { "default": "", "description": "ClientTLSCert Client certificate to provide to the LDAP server, must be x509 PEM encoded", "type": [ "string", "null" ] }, "clientTLSKey": { "default": "", "description": "ClientTLSKey Client certificate key to provide to the LDAP server, must be x509 PEM encoded", "type": [ "string", "null" ] }, "connection": { "additionalProperties": false, "description": "Connection represents the information needed to connect to Vault. This operator uses the standard Vault environment variables to connect to Vault. If you need to override those settings and for example connect to a different Vault instance, you can do with this section of the CR.", "properties": { "address": { "description": "Address Address of the Vault server expressed as a URL and port, for example: https://127.0.0.1:8200/", "type": [ "string", "null" ] }, "maxRetries": { "description": "MaxRetries Maximum number of retries when certain error codes are encountered. The default is 2, for three total attempts. Set this to 0 or less to disable retrying. Error codes that are retried are 412 (client consistency requirement not satisfied) and all 5xx except for 501 (not implemented).", "type": [ "integer", "null" ] }, "tLSConfig": { "additionalProperties": false, "properties": { "cacert": { "description": "Cacert Path to a PEM-encoded CA certificate file on the local disk. This file is used to verify the Vault server's SSL certificate. This environment variable takes precedence over a cert passed via the secret.", "type": [ "string", "null" ] }, "skipVerify": { "description": "SkipVerify Do not verify Vault's presented certificate before communicating with it. Setting this variable is not recommended and voids Vault's security model.", "type": [ "boolean", "null" ] }, "tlsSecret": { "additionalProperties": false, "description": "TLSSecret namespace-local secret containing the tls material for the connection. the expected keys for the secret are: ca bundle -\u003e \"ca.crt\", certificate -\u003e \"tls.crt\", key -\u003e \"tls.key\"", "properties": { "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. apiVersion, kind, uid?", "type": [ "string", "null" ] } }, "type": [ "object", "null" ], "x-kubernetes-map-type": "atomic" }, "tlsServerName": { "description": "TLSServerName Name to use as the SNI host when connecting via TLS.", "type": [ "string", "null" ] } }, "type": [ "object", "null" ] }, "timeOut": { "description": "Timeout Timeout variable. The default value is 60s.", "type": [ "string", "null" ] } }, "type": [ "object", "null" ] }, "denyNullBind": { "default": true, "description": "DenyNullBind This option prevents users from bypassing authentication when providing an empty password", "type": [ "boolean", "null" ] }, "discoverDN": { "default": false, "description": "DiscoverDN Use anonymous bind to discover the bind DN of a user.", "type": [ "boolean", "null" ] }, "groupAttr": { "default": "", "description": "GroupAttr LDAP attribute to follow on objects returned by groupfilter in order to enumerate user group membership.\nExamples: for groupfilter queries returning group objects, use: cn. For queries returning user objects, use: memberOf. The default is cn.", "type": [ "string", "null" ] }, "groupDN": { "default": "", "description": "GroupDN LDAP search base to use for group membership search. This can be the root containing either groups or users. Example: ou=Groups,dc=example,dc=com", "type": [ "string", "null" ] }, "groupFilter": { "default": "", "description": "GroupFilter Go template used when constructing the group membership query. The template can access the following context variables: [UserDN, Username].\nThe default is (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})), which is compatible with several common directory schemas.\nTo support nested group resolution for Active Directory, instead use the following query: (\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))", "type": [ "string", "null" ] }, "insecureTLS": { "default": false, "description": "InsecureTLS If true, skips LDAP server SSL certificate verification - insecure, use with caution!", "type": [ "boolean", "null" ] }, "path": { "description": "Path at which to make the configuration.\nThe final path in Vault will be {[spec.authentication.namespace]}/auth/{spec.path}/config/{metadata.name}.\nThe authentication role must have the following capabilities = [ \"create\", \"read\", \"update\", \"delete\"] on that path.", "pattern": "^(?:/?[\\w;:@\u0026=\\$-\\.\\+]*)+/?", "type": [ "string", "null" ] }, "requestTimeout": { "default": "90s", "description": "RequestTimeout Timeout, in seconds, for the connection when making requests against the server before returning back an error.", "type": [ "string", "null" ] }, "startTLS": { "default": false, "description": "StartTLS If true, issues a StartTLS command after establishing an unencrypted connection.", "type": [ "boolean", "null" ] }, "tLSConfig": { "additionalProperties": false, "description": "CertificateConfig represents the LDAP service certificate configuration.\nCertificateConfig consists in certificate, clientTLSCert and clientTLSKey which can be consumed from an Kubernetes Secret.", "properties": { "cacert": { "description": "Cacert Path to a PEM-encoded CA certificate file on the local disk. This file is used to verify the Vault server's SSL certificate. This environment variable takes precedence over a cert passed via the secret.", "type": [ "string", "null" ] }, "skipVerify": { "description": "SkipVerify Do not verify Vault's presented certificate before communicating with it. Setting this variable is not recommended and voids Vault's security model.", "type": [ "boolean", "null" ] }, "tlsSecret": { "additionalProperties": false, "description": "TLSSecret namespace-local secret containing the tls material for the connection. the expected keys for the secret are: ca bundle -\u003e \"ca.crt\", certificate -\u003e \"tls.crt\", key -\u003e \"tls.key\"", "properties": { "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\nTODO: Add other useful fields. apiVersion, kind, uid?", "type": [ "string", "null" ] } }, "type": [ "object", "null" ], "x-kubernetes-map-type": "atomic" }, "tlsServerName": { "description": "TLSServerName Name to use as the SNI host when connecting via TLS.", "type": [ "string", "null" ] } }, "type": [ "object", "null" ] }, "tokenBoundCIDRs": { "default": "", "description": "TokenBoundCIDRs List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.", "type": [ "string", "null" ] }, "tokenExplicitMaxTTL": { "default": "", "description": "TonenExplicitMaxTTL If set, will encode an explicit max TTL onto the token. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.", "type": [ "string", "null" ] }, "tokenMaxTTL": { "default": "", "description": "TokenMaxTTL The maximum lifetime for generated tokens. This current value of this will be referenced at renewal time", "type": [ "string", "null" ] }, "tokenNoDefaultPolicy": { "default": false, "description": "TokenNoDefaultPolicy If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.", "type": [ "boolean", "null" ] }, "tokenNumUses": { "default": 0, "description": "TokenNumUses The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.\nIf you require the token to have the ability to create child tokens, you will need to set this value to 0.", "format": "int64", "type": [ "integer", "null" ] }, "tokenPeriod": { "default": 0, "description": "TokenPeriod The period, if any, to set on the token", "format": "int64", "type": [ "integer", "null" ] }, "tokenPolicies": { "default": "", "description": "TokenPolicies List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.", "type": [ "string", "null" ] }, "tokenTTL": { "default": "", "description": "TokenTTL The incremental lifetime for generated tokens. This current value of this will be referenced at renewal time.", "type": [ "string", "null" ] }, "tokenType": { "default": "", "description": "The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens).\nFor token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.", "type": [ "string", "null" ] }, "url": { "default": "ldap://127.0.0.1", "description": "URL The LDAP server to connect to. Examples: ldap://ldap.myorg.com, ldaps://ldap.myorg.com:636.\nMultiple URLs can be specified with commas, e.g. ldap://ldap.myorg.com,ldap://ldap2.myorg.com; these will be tried in-order.", "type": "string" }, "userAttr": { "default": "cn", "description": "UserAttr Attribute on user attribute object matching the username passed when authenticating. Examples: sAMAccountName, cn, uid", "type": [ "string", "null" ] }, "userDN": { "default": "", "description": "UserDN Base DN under which to perform user search. Example: ou=Users,dc=example,dc=com", "type": [ "string", "null" ] }, "userFilter": { "default": "", "description": "UserFilter An optional LDAP user search filter. The template can access the following context variables: UserAttr, Username.\nThe default is ({{.UserAttr}}={{.Username}}), or ({{.UserAttr}}={{.Username@.upndomain}}) if upndomain is set.", "type": [ "string", "null" ] }, "usernameAsAlias": { "default": false, "description": "UsernameAsAlias If set to true, forces the auth method to use the username passed by the user as the alias name.", "type": [ "boolean", "null" ] } }, "required": [ "caseSensitiveNames", "url" ], "type": [ "object", "null" ] }, "status": { "additionalProperties": false, "description": "LDAPAuthEngineConfigStatus defines the observed state of LDAPAuthEngineConfig", "properties": { "conditions": { "items": { "additionalProperties": false, "description": "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}", "properties": { "lastTransitionTime": { "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", "format": "date-time", "type": "string" }, "message": { "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", "maxLength": 32768, "type": "string" }, "observedGeneration": { "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", "format": "int64", "minimum": 0, "type": [ "integer", "null" ] }, "reason": { "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.", "maxLength": 1024, "minLength": 1, "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$", "type": "string" }, "status": { "description": "status of the condition, one of True, False, Unknown.", "enum": [ "True", "False", "Unknown" ], "type": "string" }, "type": { "description": "type of condition in CamelCase or in foo.example.com/CamelCase.\n---\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions can be\nuseful (see .node.status.conditions), the ability to deconflict is important.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)", "maxLength": 316, "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$", "type": "string" } }, "required": [ "lastTransitionTime", "message", "reason", "status", "type" ], "type": "object" }, "type": [ "array", "null" ], "x-kubernetes-list-map-keys": [ "type" ], "x-kubernetes-list-type": "map" } }, "type": [ "object", "null" ] } }, "type": "object" }