# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# CustomResourceDefinition for Config Connector's IAMWorkforcePoolProvider
# (iam.cnrm.cloud.google.com/v1beta1). The spec schema covers the attribute
# mapping/condition, an OIDC or SAML provider block, and a reference to the
# parent IAMWorkforcePool; the status schema carries the controller's
# conditions, observedGeneration and the provider state.
#
# The `cnrm.cloud.google.com/dcl2crd: "true"` label suggests this file is
# generated from the DCL resource definition — TODO confirm before editing
# by hand, since regeneration would discard manual changes.
#
# NOTE(review): several length limits and allowed-value lists below are stated
# only in `description` text and are not expressed as `maxLength`, `enum` or
# `pattern` constraints, so the API server does not check them at admission;
# presumably the IAM API rejects violating values at reconcile time — confirm.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    # Config Connector release this CRD ships with. Unquoted is safe here:
    # a three-part dotted value parses as a string, not a float.
    cnrm.cloud.google.com/version: 1.106.0
  creationTimestamp: null
  labels:
    cnrm.cloud.google.com/dcl2crd: "true"
    cnrm.cloud.google.com/managed-by-kcc: "true"
    cnrm.cloud.google.com/stability-level: stable
    cnrm.cloud.google.com/system: "true"
  name: iamworkforcepoolproviders.iam.cnrm.cloud.google.com
spec:
  group: iam.cnrm.cloud.google.com
  names:
    categories:
    - gcp
    kind: IAMWorkforcePoolProvider
    plural: iamworkforcepoolproviders
    shortNames:
    - gcpiamworkforcepoolprovider
    - gcpiamworkforcepoolproviders
    singular: iamworkforcepoolprovider
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    # Columns shown by `kubectl get`. Ready, Status and Status Age are all
    # read from the condition of type Ready in .status.conditions.
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - description: When 'True', the most recent reconcile of the resource succeeded
      jsonPath: .status.conditions[?(@.type=='Ready')].status
      name: Ready
      type: string
    - description: The reason for the value in 'Ready'
      jsonPath: .status.conditions[?(@.type=='Ready')].reason
      name: Status
      type: string
    - description: The last transition time for the value in 'Status'
      jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
      name: Status Age
      type: date
    name: v1beta1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'apiVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
            type: string
          kind:
            description: 'kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              # NOTE(review): the 4096-character limit stated in the description is
              # not expressed as `maxLength`, so it is not checked at admission.
              attributeCondition:
                description: 'A [Common Expression Language](https://opensource.google/projects/cel)
                  expression, in plain text, to restrict what otherwise valid authentication
                  credentials issued by the provider should not be accepted. The expression
                  must output a boolean representing whether to allow the federation.
                  The following keywords may be referenced in the expressions: * `assertion`:
                  JSON representing the authentication credential issued by the provider.
                  * `google`: The Google attributes mapped from the assertion in the
                  `attribute_mappings`. `google.profile_photo` and `google.display_name`
                  are not supported. * `attribute`: The custom attributes mapped from
                  the assertion in the `attribute_mappings`. The maximum length of
                  the attribute condition expression is 4096 characters. If unspecified,
                  all valid authentication credentials will be accepted. The following
                  example shows how to only allow credentials with a mapped `google.groups`
                  value of `admins`: ``` "''admins'' in google.groups" ```'
                type: string
              # NOTE(review): the description ends with "For example:" and no example
              # follows — the upstream text appears to be truncated. The key rules it
              # states (at most 50 custom attributes, keys limited to [a-z0-9_] and
              # 100 characters) are likewise not expressed in the schema, which only
              # requires every value to be a string.
              attributeMapping:
                additionalProperties:
                  type: string
                description: 'Required. Maps attributes from the authentication credentials
                  issued by an external identity provider to Google Cloud attributes,
                  such as `subject` and `segment`. Each key must be a string specifying
                  the Google Cloud IAM attribute to map to. The following keys are
                  supported: * `google.subject`: The principal IAM is authenticating.
                  You can reference this value in IAM bindings. This is also the subject
                  that appears in Cloud Logging logs. This is a required field and
                  the mapped subject cannot exceed 127 bytes. * `google.groups`: Groups
                  the authenticating user belongs to. You can grant groups access
                  to resources using an IAM `principalSet` binding; access applies
                  to all members of the group. * `google.display_name`: The name of
                  the authenticated user. This is an optional field and the mapped
                  display name cannot exceed 100 bytes. If not set, `google.subject`
                  will be displayed instead. This attribute cannot be referenced in
                  IAM bindings. * `google.profile_photo`: The URL that specifies the
                  authenticated user''s thumbnail photo. This is an optional field.
                  When set, the image will be visible as the user''s profile picture.
                  If not set, a generic user icon will be displayed instead. This
                  attribute cannot be referenced in IAM bindings. You can also provide
                  custom attributes by specifying `attribute.{custom_attribute}`,
                  where {custom_attribute} is the name of the custom attribute to
                  be mapped. You can define a maximum of 50 custom attributes. The
                  maximum length of a mapped attribute key is 100 characters, and
                  the key may only contain the characters [a-z0-9_]. You can reference
                  these attributes in IAM policies to define fine-grained access for
                  a workforce pool to Google Cloud resources. For example:'
                type: object
              # NOTE(review): 256-character limit is description-only (no `maxLength`).
              description:
                description: A user-specified description of the provider. Cannot
                  exceed 256 characters.
                type: string
              disabled:
                description: Whether the provider is disabled. You cannot use a disabled
                  provider to exchange tokens. However, existing tokens still grant
                  access.
                type: boolean
              # NOTE(review): 32-character limit is description-only (no `maxLength`).
              displayName:
                description: A user-specified display name for the provider. Cannot
                  exceed 32 characters.
                type: string
              location:
                description: Immutable. The location for the resource
                type: string
              # Neither `oidc` nor `saml` is in the spec's `required` list and there
              # is no oneOf between them; presumably exactly one is expected — TODO
              # confirm how the controller treats both or neither being set.
              oidc:
                description: An OpenId Connect 1.0 identity provider configuration.
                properties:
                  clientId:
                    description: Required. The client ID. Must match the audience
                      claim of the JWT issued by the identity provider.
                    type: string
                  # NOTE(review): the 'https' scheme requirement is not enforced by a
                  # `pattern` or `format` constraint here.
                  issuerUri:
                    description: Required. The OIDC issuer URI. Must be a valid URI
                      using the 'https' scheme.
                    type: string
                  webSsoConfig:
                    description: Required. Configuration for web single sign-on for
                      the OIDC provider. Here, web sign-in refers to console sign-in
                      and gcloud sign-in through the browser.
                    properties:
                      # NOTE(review): the possible values are listed in the description
                      # only; there is no `enum` constraint (same for `responseType`
                      # below and for `status.state`).
                      assertionClaimsBehavior:
                        description: 'Required. The behavior for how OIDC Claims are
                          included in the `assertion` object used for attribute mapping
                          and attribute condition. Possible values: ASSERTION_CLAIMS_BEHAVIOR_UNSPECIFIED,
                          ONLY_ID_TOKEN_CLAIMS'
                        type: string
                      responseType:
                        description: 'Required. The Response Type to request for in
                          the OIDC Authorization Request for web sign-in. Possible
                          values: RESPONSE_TYPE_UNSPECIFIED, ID_TOKEN'
                        type: string
                    required:
                    - assertionClaimsBehavior
                    - responseType
                    type: object
                required:
                - clientId
                - issuerUri
                - webSsoConfig
                type: object
              resourceID:
                description: Immutable. Optional. The name of the resource. Used for
                  creation and acquisition. When unset, the value of `metadata.name`
                  is used as the default.
                type: string
              saml:
                description: A SAML identity provider configuration.
                properties:
                  # NOTE(review): the 128k-character bound and the signing-key rules
                  # in the description are not schema-enforced; the metadata document
                  # is stored inline in the resource as a plain string.
                  idpMetadataXml:
                    description: 'Required. SAML Identity provider configuration metadata
                      xml doc. The xml document should comply with [SAML 2.0 specification](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf).
                      The max size of the acceptable xml document will be bounded
                      to 128k characters. The metadata xml document should satisfy
                      the following constraints: 1) Must contain an Identity Provider
                      Entity ID. 2) Must contain at least one non-expired signing
                      key certificate. 3) For each signing key: a) Valid from should
                      be no more than 7 days from now. b) Valid to should be no more
                      than 10 years in the future. 4) Up to 3 IdP signing keys are
                      allowed in the metadata xml. When updating the provider''s metadata
                      xml, at least one non-expired signing key must overlap with
                      the existing metadata. This requirement is skipped if there
                      are no non-expired signing keys present in the existing metadata.'
                    type: string
                required:
                - idpMetadataXml
                type: object
              # Reference to the parent IAMWorkforcePool. The oneOf makes the two
              # forms mutually exclusive: either `name` (a Kubernetes object
              # reference, `namespace` optional) with `external` absent, or
              # `external` (a resource name) with neither `name` nor `namespace`.
              workforcePoolRef:
                description: Immutable.
                oneOf:
                - not:
                    required:
                    - external
                  required:
                  - name
                - not:
                    anyOf:
                    - required:
                      - name
                    - required:
                      - namespace
                  required:
                  - external
                properties:
                  external:
                    description: |-
                      The workforce_pool for the resource

                      Allowed value: The Google Cloud resource name of an `IAMWorkforcePool` resource (format: `locations/{{location}}/workforcePools/{{name}}`).
                    type: string
                  name:
                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                    type: string
                  namespace:
                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                    type: string
                type: object
            # Only these three spec fields are required by the schema; the
            # provider-type block (oidc/saml) is not.
            required:
            - attributeMapping
            - location
            - workforcePoolRef
            type: object
          # Written by the controller through the status subresource declared
          # under `subresources` below.
          status:
            properties:
              conditions:
                description: Conditions represent the latest available observation
                  of the resource's current state.
                items:
                  properties:
                    lastTransitionTime:
                      description: Last time the condition transitioned from one status
                        to another.
                      type: string
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, one-word, CamelCase reason for the condition's
                        last transition.
                      type: string
                    status:
                      description: Status is the status of the condition. Can be True,
                        False, Unknown.
                      type: string
                    type:
                      description: Type is the type of the condition.
                      type: string
                  type: object
                type: array
              observedGeneration:
                description: ObservedGeneration is the generation of the resource
                  that was most recently observed by the Config Connector controller.
                  If this is equal to metadata.generation, then that means that the
                  current reported status reflects the most recent desired state of
                  the resource.
                type: integer
              state:
                description: 'Output only. The state of the provider. Possible values:
                  STATE_UNSPECIFIED, ACTIVE, DELETED'
                type: string
            type: object
        required:
        - spec
        type: object
    # v1beta1 is the only version: both served and used as the storage version.
    served: true
    storage: true
    subresources:
      status: {}
# Placeholder CRD status; populated by the API server once the CRD is installed.
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []