AuthenticationClass.yaml
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: authenticationclasses.authentication.stackable.tech
spec:
  group: authentication.stackable.tech
  names:
    categories: []
    kind: AuthenticationClass
    plural: authenticationclasses
    shortNames: []
    singular: authenticationclass
  scope: Cluster
  versions:
    - additionalPrinterColumns: []
      name: v1alpha1
      schema:
        openAPIV3Schema:
          description: Auto-generated derived type for AuthenticationClassSpec via `CustomResource`
          properties:
            spec:
              description: |-
                The Stackable Platform uses the AuthenticationClass as a central mechanism to handle user
                authentication across supported products.
                The authentication mechanism needs to be configured only in the AuthenticationClass which is
                then referenced in the product. Multiple different authentication providers are supported.
                Learn more in the [authentication concept documentation][1] and the
                [Authentication with OpenLDAP tutorial][2].
                [1]: https://docs.stackable.tech/home/nightly/concepts/authentication
                [2]: https://docs.stackable.tech/home/nightly/tutorials/authentication_with_openldap
              properties:
                provider:
                  description: Provider used for authentication like LDAP or Kerberos.
                  oneOf:
                    - required:
                        - static
                    - required:
                        - ldap
                    - required:
                        - oidc
                    - required:
                        - tls
                    - required:
                        - kerberos
                  properties:
                    kerberos:
                      description: |-
                        The [Kerberos provider](https://docs.stackable.tech/home/nightly/concepts/authentication#_kerberos).
                        The Kerberos AuthenticationClass is used when users should authenticate themselves via
                        Kerberos.
                      properties:
                        kerberosSecretClass:
                          description: Mandatory SecretClass used to obtain keytabs.
                          type: string
                      required:
                        - kerberosSecretClass
                      type: object
                    ldap:
                      description: |-
                        The [LDAP provider](https://docs.stackable.tech/home/nightly/concepts/authentication#_ldap).
                        There is also the ["Authentication with LDAP" tutorial](https://docs.stackable.tech/home/nightly/tutorials/authentication_with_openldap)
                        where you can learn to configure Superset and Trino with OpenLDAP.
                      properties:
                        bindCredentials:
                          description: In case you need a special account for searching the LDAP server you can specify it here.
                          nullable: true
                          properties:
                            scope:
                              description: |-
                                [Scope](https://docs.stackable.tech/home/nightly/secret-operator/scope) of the
                                [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass).
                              nullable: true
                              properties:
                                listenerVolumes:
                                  default: []
                                  description: |-
                                    The listener volume scope allows Node and Service scopes to be inferred from the applicable listeners.
                                    This must correspond to Volume names in the Pod that mount Listeners.
                                  items:
                                    type: string
                                  type: array
                                node:
                                  default: false
                                  description: |-
                                    The node scope is resolved to the name of the Kubernetes Node object that the Pod is running on.
                                    This will typically be the DNS name of the node.
                                  type: boolean
                                pod:
                                  default: false
                                  description: |-
                                    The pod scope is resolved to the name of the Kubernetes Pod.
                                    This allows the secret to differentiate between StatefulSet replicas.
                                  type: boolean
                                services:
                                  default: []
                                  description: |-
                                    The service scope allows Pod objects to specify custom scopes.
                                    This should typically correspond to Service objects that the Pod participates in.
                                  items:
                                    type: string
                                  type: array
                              type: object
                            secretClass:
                              description: '[SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass) containing the LDAP bind credentials.'
                              type: string
                          required:
                            - secretClass
                          type: object
                        hostname:
                          description: 'Host of the LDAP server, for example: `my.ldap.server` or `127.0.0.1`.'
                          type: string
                        ldapFieldNames:
                          default:
                            email: mail
                            givenName: givenName
                            group: memberof
                            surname: sn
                            uid: uid
                          description: The name of the LDAP object fields.
                          properties:
                            email:
                              default: mail
                              description: The name of the email field
                              type: string
                            givenName:
                              default: givenName
                              description: The name of the firstname field
                              type: string
                            group:
                              default: memberof
                              description: The name of the group field
                              type: string
                            surname:
                              default: sn
                              description: The name of the lastname field
                              type: string
                            uid:
                              default: uid
                              description: The name of the username field
                              type: string
                          type: object
                        port:
                          description: Port of the LDAP server. If TLS is used defaults to 636 otherwise to 389.
                          format: uint16
                          maximum: 65535.0
                          minimum: 0.0
                          nullable: true
                          type: integer
                        searchBase:
                          default: ''
                          description: 'LDAP search base, for example: `ou=users,dc=example,dc=org`.'
                          type: string
                        searchFilter:
                          default: ''
                          description: 'LDAP query to filter users, for example: `(memberOf=cn=myTeam,ou=teams,dc=example,dc=org)`.'
                          type: string
                        tls:
                          description: Use a TLS connection. If not specified no TLS will be used.
                          nullable: true
                          properties:
                            verification:
                              description: The verification method used to verify the certificates of the server and/or the client.
                              oneOf:
                                - required:
                                    - none
                                - required:
                                    - server
                              properties:
                                none:
                                  description: Use TLS but don't verify certificates.
                                  type: object
                                server:
                                  description: Use TLS and a CA certificate to verify the server.
                                  properties:
                                    caCert:
                                      description: CA cert to verify the server.
                                      oneOf:
                                        - required:
                                            - webPki
                                        - required:
                                            - secretClass
                                      properties:
                                        secretClass:
                                          description: |-
                                            Name of the [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass) which will provide the CA certificate.
                                            Note that a SecretClass does not need to have a key but can also work with just a CA certificate,
                                            so if you got provided with a CA cert but don't have access to the key you can still use this method.
                                          type: string
                                        webPki:
                                          description: |-
                                            Use TLS and the CA certificates trusted by the common web browsers to verify the server.
                                            This can be useful when you e.g. use public AWS S3 or other public available services.
                                          type: object
                                      type: object
                                  required:
                                    - caCert
                                  type: object
                              type: object
                          required:
                            - verification
                          type: object
                      required:
                        - hostname
                      type: object
                    oidc:
                      description: The OIDC provider can be used to configure OpenID Connect.
                      properties:
                        hostname:
                          description: Host of the identity provider, e.g. `my.keycloak.corp` or `127.0.0.1`.
                          type: string
                        port:
                          description: |-
                            Port of the identity provider. If TLS is used defaults to 443,
                            otherwise to 80.
                          format: uint16
                          maximum: 65535.0
                          minimum: 0.0
                          nullable: true
                          type: integer
                        principalClaim:
                          description: |-
                            If a product extracts some sort of "effective user" that is represented by a
                            string internally, this config determines which claim is used to extract that
                            string. It is desirable to use `sub` in here (or some other stable identifier),
                            but in many cases you might need to use `preferred_username` (e.g. in case of Keycloak)
                            or a different claim instead.
                            Please note that some products hard-coded the claim in their implementation,
                            so some product operators might error out if the product hardcodes a different
                            claim than configured here.
                            We don't provide any default value, as there is no correct way of doing it
                            that works in all setups. Most demos will probably use `preferred_username`,
                            although `sub` being more desirable, but technically impossible with the current
                            behavior of the products.
                          type: string
                        providerHint:
                          description: |-
                            This is a hint about which identity provider is used by the
                            AuthenticationClass. Operators *can* opt to use this
                            value to enable known quirks around OIDC / OAuth authentication.
                            Not providing a hint means there is no hint and OIDC should be used as it is
                            intended to be used (via the `.well-known` discovery).
                          enum:
                            - Keycloak
                            - null
                          nullable: true
                          type: string
                        rootPath:
                          default: /
                          description: Root HTTP path of the identity provider. Defaults to `/`.
                          type: string
                        scopes:
                          description: |-
                            Scopes to request from your identity provider. It is recommended to
                            request the `openid`, `email`, and `profile` scopes.
                          items:
                            type: string
                          type: array
                        tls:
                          description: Use a TLS connection. If not specified no TLS will be used.
                          nullable: true
                          properties:
                            verification:
                              description: The verification method used to verify the certificates of the server and/or the client.
                              oneOf:
                                - required:
                                    - none
                                - required:
                                    - server
                              properties:
                                none:
                                  description: Use TLS but don't verify certificates.
                                  type: object
                                server:
                                  description: Use TLS and a CA certificate to verify the server.
                                  properties:
                                    caCert:
                                      description: CA cert to verify the server.
                                      oneOf:
                                        - required:
                                            - webPki
                                        - required:
                                            - secretClass
                                      properties:
                                        secretClass:
                                          description: |-
                                            Name of the [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass) which will provide the CA certificate.
                                            Note that a SecretClass does not need to have a key but can also work with just a CA certificate,
                                            so if you got provided with a CA cert but don't have access to the key you can still use this method.
                                          type: string
                                        webPki:
                                          description: |-
                                            Use TLS and the CA certificates trusted by the common web browsers to verify the server.
                                            This can be useful when you e.g. use public AWS S3 or other public available services.
                                          type: object
                                      type: object
                                  required:
                                    - caCert
                                  type: object
                              type: object
                          required:
                            - verification
                          type: object
                      required:
                        - hostname
                        - principalClaim
                        - scopes
                      type: object
                    static:
                      description: |-
                        The [static provider](https://docs.stackable.tech/home/nightly/concepts/authentication#_static)
                        is used to configure a static set of users, identified by username and password.
                      properties:
                        userCredentialsSecret:
                          description: |-
                            Secret providing the usernames and passwords.
                            The Secret must contain an entry for every user, with the key being the username and the value the password in plain text.
                            It must be located in the same namespace as the product using it.
                          properties:
                            name:
                              description: Name of the Secret.
                              type: string
                          required:
                            - name
                          type: object
                      required:
                        - userCredentialsSecret
                      type: object
                    tls:
                      description: |-
                        The [TLS provider](https://docs.stackable.tech/home/nightly/concepts/authentication#_tls).
                        The TLS AuthenticationClass is used when users should authenticate themselves with a
                        TLS certificate.
                      properties:
                        clientCertSecretClass:
                          description: |-
                            See [ADR017: TLS authentication](https://docs.stackable.tech/home/nightly/contributor/adr/adr017-tls_authentication).
                            If `client_cert_secret_class` is not set, the TLS settings may also be used for client authentication.
                            If `client_cert_secret_class` is set, the [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass)
                            will be used to provision client certificates.
                          nullable: true
                          type: string
                      type: object
                  type: object
              required:
                - provider
              type: object
          required:
            - spec
          title: AuthenticationClass
          type: object
      served: true
      storage: true
      subresources: {}
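The schema above encodes several constraints a reviewer of an AuthenticationClass manifest should check before it reaches the cluster: exactly one provider key under `spec.provider`, the per-provider `required` lists, the 0..65535 bound on `port`, and the `tls.verification` one-of, where `none` means TLS without certificate verification. The following linter is an added example, not part of the Stackable CRD or its operators; it reads those rules off the schema and flags the weak settings (`verification.none`, absent `tls`) as findings. The manifests it checks are constructed inline as Python dicts with the same shape the YAML resource would have, and the hostnames and SecretClass names in them are made up.

```python
"""Lint AuthenticationClass manifests against the constraints stated in the CRD schema.

Added example, not Stackable code. Rules are taken from the schema: oneOf provider,
provider-level `required` lists, port range, and the tls.verification / caCert one-ofs.
"""
from __future__ import annotations

from typing import Any

PROVIDERS = ("static", "ldap", "oidc", "tls", "kerberos")
# Provider-level `required` lists, copied from the schema.
REQUIRED = {
    "static": ("userCredentialsSecret",),
    "ldap": ("hostname",),
    "oidc": ("hostname", "principalClaim", "scopes"),
    "tls": (),
    "kerberos": ("kerberosSecretClass",),
}


def _one_of(obj: dict, keys: tuple, path: str, findings: list[str]) -> str | None:
    """Enforce the schema's `oneOf: required` pattern: exactly one of `keys` must be present."""
    present = [k for k in keys if k in obj]
    if len(present) != 1:
        findings.append(f"ERROR {path}: exactly one of {list(keys)} required, got {present}")
        return None
    return present[0]


def _check_port(port: Any, path: str, findings: list[str]) -> None:
    # `port` is nullable; when set the schema bounds it to 0..65535.
    if port is not None and (not isinstance(port, int) or not 0 <= port <= 65535):
        findings.append(f"ERROR {path}: must be an integer in 0..65535, got {port!r}")


def _check_tls(tls: Any, path: str, findings: list[str]) -> None:
    # `tls` is nullable: absent means a plaintext connection, which the schema allows.
    if tls is None:
        findings.append(f"WARN {path}: TLS not configured, credentials travel in clear text")
        return
    verification = tls.get("verification") if isinstance(tls, dict) else None
    if not isinstance(verification, dict):
        findings.append(f"ERROR {path}.verification: required")
        return
    mode = _one_of(verification, ("none", "server"), f"{path}.verification", findings)
    if mode == "none":
        findings.append(f"WARN {path}.verification.none: TLS without certificate verification")
    elif mode == "server":
        server = verification["server"]
        ca = server.get("caCert") if isinstance(server, dict) else None
        if not isinstance(ca, dict):
            findings.append(f"ERROR {path}.verification.server.caCert: required")
        else:
            _one_of(ca, ("webPki", "secretClass"), f"{path}.verification.server.caCert", findings)


def lint(manifest: dict) -> list[str]:
    """Return ERROR/WARN findings for one AuthenticationClass manifest; an empty list means clean."""
    findings: list[str] = []
    spec = manifest.get("spec")
    provider = spec.get("provider") if isinstance(spec, dict) else None
    if not isinstance(provider, dict):
        return ["ERROR spec.provider: required"]
    name = _one_of(provider, PROVIDERS, "spec.provider", findings)
    if name is None:
        return findings
    cfg, path = provider[name], f"spec.provider.{name}"
    if not isinstance(cfg, dict):
        return findings + [f"ERROR {path}: must be an object"]
    for field in REQUIRED[name]:
        if field not in cfg:
            findings.append(f"ERROR {path}.{field}: required")
    if name in ("ldap", "oidc"):
        _check_port(cfg.get("port"), f"{path}.port", findings)
        _check_tls(cfg.get("tls"), f"{path}.tls", findings)
    bind = cfg.get("bindCredentials")
    if name == "ldap" and isinstance(bind, dict) and "secretClass" not in bind:
        findings.append(f"ERROR {path}.bindCredentials.secretClass: required")
    creds = cfg.get("userCredentialsSecret")
    if name == "static" and isinstance(creds, dict) and "name" not in creds:
        findings.append(f"ERROR {path}.userCredentialsSecret.name: required")
    return findings


# Constructed sample manifests (hostnames and SecretClass names are made up).
WEAK_LDAP = {"apiVersion": "authentication.stackable.tech/v1alpha1", "kind": "AuthenticationClass",
             "metadata": {"name": "ldap-weak"},
             "spec": {"provider": {"ldap": {"hostname": "ldap.example.internal",
                                            "tls": {"verification": {"none": {}}}}}}}
HARDENED_LDAP = {"apiVersion": "authentication.stackable.tech/v1alpha1", "kind": "AuthenticationClass",
                 "metadata": {"name": "ldap-hardened"},
                 "spec": {"provider": {"ldap": {"hostname": "ldap.example.internal", "port": 636,
                                                "searchBase": "ou=users,dc=example,dc=org",
                                                "bindCredentials": {"secretClass": "ldap-bind"},
                                                "tls": {"verification": {"server": {"caCert": {"secretClass": "ldap-ca"}}}}}}}}
BROKEN_OIDC = {"spec": {"provider": {"oidc": {"hostname": "idp.example.internal"}}}}
TWO_PROVIDERS = {"spec": {"provider": {"ldap": {"hostname": "x"}, "kerberos": {"kerberosSecretClass": "k"}}}}

if __name__ == "__main__":
    for label, m in [("weak", WEAK_LDAP), ("hardened", HARDENED_LDAP), ("oidc", BROKEN_OIDC), ("two", TWO_PROVIDERS)]:
        print(label, lint(m) or ["OK"])
```

Running the module prints one finding line per problem; `HARDENED_LDAP` is the shape to aim for (CA pinned through a SecretClass, bind credentials held in a SecretClass rather than inline). The linter only mirrors what the schema states; Kubernetes enforces the ERROR cases at admission, while the WARN cases are accepted by the API server and are exactly the ones worth catching in review.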