1---
2apiVersion: apiextensions.k8s.io/v1
3kind: CustomResourceDefinition
4metadata:
5 annotations:
6 controller-gen.kubebuilder.io/version: (unknown)
7 name: iamworkforcepoolproviders.iam.cnrm.cloud.google.com
8spec:
9 group: iam.cnrm.cloud.google.com
10 names:
11 kind: IAMWorkforcePoolProvider
12 listKind: IAMWorkforcePoolProviderList
13 plural: iamworkforcepoolproviders
14 singular: iamworkforcepoolprovider
15 scope: Namespaced
16 versions:
17 - name: v1beta1
18 schema:
19 openAPIV3Schema:
20 description: IAMWorkforcePoolProvider is the Schema for the iam API
21 properties:
22 apiVersion:
23 description: |-
24 APIVersion defines the versioned schema of this representation of an object.
25 Servers should convert recognized schemas to the latest internal value, and
26 may reject unrecognized values.
27 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
28 type: string
29 kind:
30 description: |-
31 Kind is a string value representing the REST resource this object represents.
32 Servers may infer this from the endpoint the client submits requests to.
33 Cannot be updated.
34 In CamelCase.
35 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
36 type: string
37 metadata:
38 type: object
39 spec:
40 properties:
41 attributeCondition:
42 description: 'A [Common Expression Language](https://opensource.google/projects/cel)
43 expression, in plain text, that restricts which otherwise valid authentication
44 credentials issued by the provider are accepted. The expression
45 must evaluate to a boolean indicating whether to allow the federation.
46 The following keywords may be referenced in the expression: * `assertion`:
47 JSON representing the authentication credential issued by the provider.
48 * `google`: The Google attributes mapped from the assertion in the
49 `attribute_mappings`. `google.profile_photo` and `google.display_name`
50 are not supported. * `attribute`: The custom attributes mapped from
51 the assertion in the `attribute_mappings`. The maximum length of
52 the attribute condition expression is 4096 characters. If unspecified,
53 every valid credential the provider issues is accepted, so any identity the
54 external provider authenticates can federate; set a condition unless that is
55 intended. The following example only allows credentials with a mapped `google.groups` value of `admins`: ``` "''admins'' in google.groups" ```'
56 type: string
57 attributeMapping:
58 additionalProperties:
59 type: string
60 description: 'Required. Maps attributes from the authentication credentials
61 issued by an external identity provider to Google Cloud attributes,
62 such as `subject` and `segment`. Each key must be a string specifying
63 the Google Cloud IAM attribute to map to. The following keys are
64 supported: * `google.subject`: The principal IAM is authenticating.
65 You can reference this value in IAM bindings. This is also the subject
66 that appears in Cloud Logging logs. This is a required field and
67 the mapped subject cannot exceed 127 bytes. * `google.groups`: Groups
68 the authenticating user belongs to. You can grant groups access
69 to resources using an IAM `principalSet` binding; access applies
70 to all members of the group. * `google.display_name`: The name of
71 the authenticated user. This is an optional field and the mapped
72 display name cannot exceed 100 bytes. If not set, `google.subject`
73 will be displayed instead. This attribute cannot be referenced in
74 IAM bindings. * `google.profile_photo`: The URL that specifies the
75 authenticated user''s thumbnail photo. This is an optional field.
76 When set, the image will be visible as the user''s profile picture.
77 If not set, a generic user icon will be displayed instead. This
78 attribute cannot be referenced in IAM bindings. You can also provide
79 custom attributes by specifying `attribute.{custom_attribute}`,
80 where {custom_attribute} is the name of the custom attribute to
81 be mapped. You can define a maximum of 50 custom attributes. The
82 maximum length of a mapped attribute key is 100 characters, and
83 the key may only contain the characters [a-z0-9_]. You can reference
84 these attributes in IAM policies to define fine-grained access for
85 a workforce pool to Google Cloud resources. Because IAM bindings and audit logs match on these mapped values, derive `google.subject` and `google.groups` only from claims the identity provider itself asserts and controls.'
86 type: object
87 description:
88 description: A user-specified description of the provider. Cannot
89 exceed 256 characters.
90 type: string
91 disabled:
92 description: Whether the provider is disabled. A disabled provider cannot
93 be used to exchange tokens; however, tokens already issued still grant
94 access, so disabling the provider does not revoke access already granted.
95 type: boolean
96 displayName:
97 description: A user-specified display name for the provider. Cannot
98 exceed 32 characters.
99 type: string
100 location:
101 description: Immutable. The location for the resource
102 type: string
103 oidc:
104 description: An OpenId Connect 1.0 identity provider configuration.
105 properties:
106 clientId:
107 description: Required. The client ID. Must match the audience (`aud`) claim
108 of the JWT issued by the identity provider, so tokens issued for a different client are not accepted.
109 type: string
110 issuerUri:
111 description: Required. The OIDC issuer URI (the issuer identifier the provider places in its `iss` claim).
112 Must be a valid URI using the 'https' scheme; plain-http issuers are not accepted.
113 type: string
114 webSsoConfig:
115 description: Required. Configuration for web single sign-on for
116 the OIDC provider. Here, web sign-in refers to console sign-in
117 and gcloud sign-in through the browser.
118 properties:
119 assertionClaimsBehavior:
120 description: 'Required. The behavior for how OIDC Claims are
121 included in the `assertion` object used for attribute mapping
122 and attribute condition. Possible values: ASSERTION_CLAIMS_BEHAVIOR_UNSPECIFIED,
123 ONLY_ID_TOKEN_CLAIMS'
124 type: string
125 responseType:
126 description: 'Required. The Response Type to request for in
127 the OIDC Authorization Request for web sign-in. Possible
128 values: RESPONSE_TYPE_UNSPECIFIED, ID_TOKEN'
129 type: string
130 required:
131 - assertionClaimsBehavior
132 - responseType
133 type: object
134 required:
135 - clientId
136 - issuerUri
137 - webSsoConfig
138 type: object
139 resourceID:
140 description: Immutable. Optional. The name of the resource. Used for
141 creation and acquisition. When unset, the value of `metadata.name`
142 is used as the default.
143 type: string
144 saml:
145 description: A SAML identity provider configuration.
146 properties:
147 idpMetadataXml:
148 description: 'Required. SAML Identity provider configuration metadata
149 xml doc. The xml document should comply with [SAML 2.0 specification](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf).
150 The max size of the acceptable xml document is bounded
151 to 128k characters. The metadata xml document must satisfy
152 the following constraints: 1) It must contain an Identity Provider
153 Entity ID. 2) It must contain at least one non-expired signing
154 key certificate. 3) For each signing key certificate: a) its valid-from date must
155 be no more than 7 days in the future; b) its valid-to date must be no more
156 than 10 years in the future. 4) Up to 3 IdP signing keys are
157 allowed in the metadata xml. When updating the provider''s metadata
158 xml, at least one non-expired signing key must overlap with
159 the existing metadata, so rotate keys by adding the new key before removing the old one. This requirement is skipped if there
160 are no non-expired signing keys present in the existing metadata.'
161 type: string
162 required:
163 - idpMetadataXml
164 type: object
165 workforcePoolRef:
166 description: Immutable. Reference to the parent IAMWorkforcePool, given either as an external resource name or as a Kubernetes object name and namespace.
167 properties:
168 external:
169 description: The external name of the referenced resource
170 type: string
171 kind:
172 description: Kind of the referent.
173 type: string
174 name:
175 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
176 type: string
177 namespace:
178 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
179 type: string
180 type: object
181 required:
182 - attributeMapping
183 - location
184 - workforcePoolRef
185 type: object
186 status:
187 properties:
188 conditions:
189 description: |-
190 Conditions represent the latest available observations of the
191 IAMWorkforcePoolProvider's current state.
192 items:
193 properties:
194 lastTransitionTime:
195 description: Last time the condition transitioned from one status
196 to another.
197 type: string
198 message:
199 description: Human-readable message indicating details about
200 last transition.
201 type: string
202 reason:
203 description: |-
204 Unique, one-word, CamelCase reason for the condition's last
205 transition.
206 type: string
207 status:
208 description: Status is the status of the condition. Can be True,
209 False, Unknown.
210 type: string
211 type:
212 description: Type is the type of the condition.
213 type: string
214 type: object
215 type: array
216 observedGeneration:
217 description: ObservedGeneration is the generation of the resource
218 that was most recently observed by the Config Connector controller.
219 If this is equal to metadata.generation, then that means that the
220 current reported status reflects the most recent desired state of
221 the resource.
222 type: integer
223 state:
224 description: 'Output only. The state of the provider. Possible values:
225 STATE_UNSPECIFIED, ACTIVE, DELETED'
226 type: string
227 type: object
228 type: object
229 served: true
230 storage: true