Last active
September 2, 2020 18:33
-
-
Save mattmoyer/c089ef0cefb24c538cdebe5af7451c45 to your computer and use it in GitHub Desktop.
IdentityProviderConfig CRD Samples (note: this is just a proposal and includes some speculative ideas about future API state)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| # A webhook-based IDP to replace our current static config. | |
| apiVersion: crd.pinniped.dev/v1alpha1 | |
| kind: IdentityProviderConfig | |
| metadata: | |
| name: tanzu-mission-control | |
| namespace: pinniped # should this be cluster scoped? | |
| spec: | |
| webhook: | |
| server: https://example.com | |
| tls: | |
| certificateAuthorityData: LS0tLS1CRUdJTiBDRVJUSU[...] | |
| status: | |
| # list of status conditions to show the health of this IDP (exact conditions depend on the IDP type) | |
| conditions: | |
| - type: Available | |
| status: "True" | |
| lastTransitionTime: "2020-08-25T18:28:51" | |
| - type: WebhookReachable | |
| status: "True" | |
| lastTransitionTime: "2020-08-25T18:28:51" | |
| message: "received 401 OK in 230 ms" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # An OpenID Connect-based IDP, which could also be Dex running on the supervisor cluster. | |
| apiVersion: crd.pinniped.dev/v1alpha1 | |
| kind: IdentityProviderConfig | |
| metadata: | |
| namespace: pinniped | |
| name: my-google-oidc-provider | |
| spec: | |
| oidc: | |
| # where to fetch /.well-known/openid-configuration | |
| issuer: https://accounts.google.com/ | |
| # information about how to form the OAuth2 authorization request parameters. | |
| authorizationConfig: | |
| redirectURI: https://example.pinniped.dev/redirect | |
| scopes: | |
| - "profile" | |
| - "email" | |
| - "groups" | |
| # Section to map upstream claims into identities | |
| # (follows k8s CLI flags pretty closely) | |
| claims: | |
| groups: "my-groups-claim" | |
| username: "email" | |
| # OIDC Client info | |
| client: | |
| secretName: "google-oidc-creds" | |
| status: | |
| conditions: | |
| - type: Available | |
| status: "True" | |
| lastTransitionTime: "2020-08-25T18:28:51" | |
| - type: OIDCDiscoveryReachable | |
| status: "True" | |
| lastTransitionTime: "2020-08-25T18:28:51" | |
| message: "received 200 OK in 230 ms" | |
| --- | |
| apiVersion: v1 | |
| kind: Secret | |
| metadata: | |
| namespace: pinniped | |
| name: google-oidc-creds | |
| type: secrets.pinniped.dev/oidc | |
| data: | |
| clientID: some-client | |
| clientSecret: 91ce8fd2a7a9431448f10659cfc43c1edb09481f33a80e50f1765ca5bb7dbe33 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # An extended example of an OIDC IDP, showing some fields that are probably out of scope for MVP. | |
| apiVersion: crd.pinniped.dev/v1alpha1 | |
| kind: IdentityProviderConfig | |
| metadata: | |
| namespace: pinniped | |
| name: my-google-oidc-provider | |
| spec: | |
| oidc: | |
| # where to fetch /.well-known/openid-configuration | |
| issuer: https://accounts.google.com/ | |
| # optional (default: use system roots) | |
| tls: | |
| certificateAuthorityData: LS0tLS1CRUdJTiBDRVJUSU[...] | |
| # optional (default: use OIDC discovery against the issuer URL) | |
| endpoints: | |
| authorization: https://askdjhaskdjha | |
| token: https://askdjhaskdjha | |
| userinfo: https://askdjhaskdjha | |
| jwks: https://askdjhaskdjha | |
| authorizationConfig: | |
| redirectURI: https://example.pinniped.dev/redirect | |
| scopes: | |
| - "profile" | |
| - "email" | |
| - "groups" | |
| # default: loaded via discovery and filtered against a safe allowlist | |
| allowedAlgorithms: | |
| - "RS256" | |
| # Section to map upstream claims into identities | |
| # (follows k8s CLI flags pretty closely) | |
| claims: | |
| groups: "my-groups-claim" | |
| username: "email" | |
| # OIDC Client info | |
| client: | |
| secretName: "google-oidc-creds" | |
| # optional (default: "clientID") | |
| clientIDKey: "my-client-id" | |
| # optional (default: "clientSecret") | |
| clientSecretKey: "my-client-secret" | |
| status: | |
| # [...] | |
| --- | |
| apiVersion: v1 | |
| kind: Secret | |
| metadata: | |
| namespace: pinniped | |
| name: google-oidc-creds | |
| type: secrets.pinniped.dev/oidc | |
| data: | |
| my-client-id: some-client | |
| my-client-secret: 91ce8fd2a7a9431448f10659cfc43c1edb09481f33a80e50f1765ca5bb7dbe33 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # An LDAP-based IDP (maybe not in scope?) | |
| apiVersion: crd.pinniped.dev/v1alpha1 | |
| kind: IdentityProviderConfig | |
| metadata: | |
| namespace: pinniped | |
| name: my-ldap-provider | |
| spec: | |
| ldap: | |
| connect: | |
| host: ldap.example.com:636 | |
| tls: | |
| # (optional: default "Auto", supported values are "TLS", "StartTLS", "UnsafeDisable") | |
| method: Auto | |
| certificateAuthorityData: LS0tLS1CRUdJTiBDRVJUSU[...] | |
| # binding information | |
| bind: | |
| # (optional: default is password bind) | |
| method: Password | |
| # bind credentials | |
| secretName: "my-ldap-bind-creds" | |
| # how to search for a user object in the directory | |
| userSearch: | |
| base: "cn=users,dc=example,dc=com" | |
| filter: "&(objectClass=person)(uid={{0}})" | |
| # optional, defaulted as below | |
| attributes: | |
| username: uid | |
| uid: uid | |
| # how to search for group objects in the directory | |
| groupSearch: | |
| base: cn=groups,dc=freeipa,dc=example,dc=com | |
| filter: "&(objectClass=group)(members={{0}})" | |
| attributes: | |
| # optional, defaulted as below | |
| name: groupName | |
| --- | |
| apiVersion: v1 | |
| kind: Secret | |
| metadata: | |
| namespace: pinniped | |
| name: my-ldap-bind-creds" | |
| type: secrets.pinniped.dev/ldapbind | |
| data: | |
| username: some-service-user | |
| password: 91ce8fd2a7a9431448f10659cfc43c1edb09481f33a80e50f1765ca5bb7dbe33 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Our idea for a "filters" extension mechanism (name TBD) -- probably mostly out of scope for now. | |
| --- | |
| apiVersion: crd.pinniped.dev/v1alpha1 | |
| kind: IdentityProviderConfig | |
| metadata: | |
| name: tanzu-mission-control | |
| namespace: pinniped # should this be cluster scoped? | |
| spec: | |
| oidc: | |
| # [...] | |
| filters: | |
| # prefix username or group names with a static prefix | |
| - prefixUser: "pinniped:my-google-oidc-provider:" | |
| - prefixGroups: "pinniped:my-google-oidc-provider:" | |
| # only pass through certain groups from the upstream (ignoring others) | |
| - allowGroups: | |
| - "kubernetes-admins" | |
| - "kubernetes-users" | |
| # do some rough coarse-grained authorization by requiring all requests to contain one of these groups | |
| - requireGroups: | |
| - "kubernetes-users" | |
| # arbitrary OPA/Rego policy support, inputs are the claims from upstream IDP, output is username/groups or a failure | |
| - regoPolicy: | | |
| [...] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment