fe51c8c1bc
Adds a self-contained minikube environment for local development and
testing alongside the existing production env.
env: minikube
- cluster.domain: minikube (browser DNS routes *.minikube → minikube ip)
- tls issuer: mkcert (CA-signed via cert-manager mkcert ClusterIssuer)
- storageClass: standard (minikube hostpath provisioner)
- backups disabled; storagebox disabled
- excludes argocd, forgejo, hcloud-csi (manual kubectl apply for testing)
prototypes/garage:
- hand-rolled S3-compatible object store (single Deployment + PVC)
- mittwald-generated rpc_secret + admin_token (hex)
- PostSync init Job: assigns cluster layout, ensures bucket and access
key, writes ocis-s3-credentials cross-namespace into ocis ns
- idempotent: skips if k8s secret already populated; otherwise rotates
the garage key (admin API only returns secretAccessKey on create)
- cross-ns RBAC re-pinned via zz-cross-ns-rbac-fix overlay (ns.ytt.yaml
clobbers explicit namespace fields)
ocis:
- new admin-user-id init Job ensures secret.user-id is a valid UUID v4
(mittwald can't generate UUIDs; ocis-settings rejects non-UUID ids)
- mittwald no longer manages user-id; existing prod UUIDs preserved
- insecure flag (oidcIdpInsecure / ocisHttpApiInsecure / ocmInsecure)
parameterized; defaults to false; minikube sets true for self-signed
OIDC issuer URL trust
other prototypes:
- victoria-metrics-single helm values ytt-ified (storageClassName)
- grafana admin secret now generated by mittwald (was hand-created in
prod; manifest is no-op there since mittwald only fills empty fields)
flake.nix: minikube + docker + postgresql added to dev shell.
266 lines
14 KiB
YAML
266 lines
14 KiB
YAML
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
|
controller-gen.kubebuilder.io/version: v0.17.1
|
|
name: apiauths.hub.traefik.io
|
|
namespace: traefik
|
|
spec:
|
|
group: hub.traefik.io
|
|
names:
|
|
kind: APIAuth
|
|
listKind: APIAuthList
|
|
plural: apiauths
|
|
singular: apiauth
|
|
scope: Namespaced
|
|
versions:
|
|
- name: v1alpha1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: APIAuth defines the authentication configuration for APIs.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: The desired behavior of this APIAuth.
|
|
properties:
|
|
apiKey:
|
|
description: APIKey configures API key authentication.
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
isDefault:
|
|
description: |-
|
|
IsDefault specifies if this APIAuth should be used as the default API authentication method for the namespace.
|
|
Only one APIAuth per namespace should have isDefault set to true.
|
|
type: boolean
|
|
jwt:
|
|
description: JWT configures JWT authentication.
|
|
properties:
|
|
appIdClaim:
|
|
description: |-
|
|
AppIDClaim is the name of the claim holding the identifier of the application.
|
|
This field is sometimes named `client_id`.
|
|
type: string
|
|
forwardHeaders:
|
|
additionalProperties:
|
|
type: string
|
|
description: ForwardHeaders specifies additional headers to forward with the request.
|
|
type: object
|
|
jwksFile:
|
|
description: |-
|
|
JWKSFile contains the JWKS file content for JWT verification.
|
|
Mutually exclusive with SigningSecretName, PublicKey, JWKSURL, and TrustedIssuers.
|
|
type: string
|
|
jwksUrl:
|
|
description: |-
|
|
JWKSURL is the URL to fetch the JWKS for JWT verification.
|
|
Mutually exclusive with SigningSecretName, PublicKey, JWKSFile, and TrustedIssuers.
|
|
Deprecated: Use TrustedIssuers instead for more flexible JWKS configuration with issuer validation.
|
|
type: string
|
|
x-kubernetes-validations:
|
|
- message: must be a valid HTTPS URL
|
|
rule: isURL(self) && self.startsWith('https://')
|
|
publicKey:
|
|
description: |-
|
|
PublicKey is the PEM-encoded public key for JWT verification.
|
|
Mutually exclusive with SigningSecretName, JWKSFile, JWKSURL, and TrustedIssuers.
|
|
type: string
|
|
signingSecretName:
|
|
description: |-
|
|
SigningSecretName is the name of the Kubernetes Secret containing the signing secret.
|
|
The secret must be of type Opaque and contain a key named 'value'.
|
|
Mutually exclusive with PublicKey, JWKSFile, JWKSURL, and TrustedIssuers.
|
|
maxLength: 253
|
|
type: string
|
|
stripAuthorizationHeader:
|
|
description: StripAuthorizationHeader determines whether to strip the Authorization header before forwarding the request.
|
|
type: boolean
|
|
tokenNameClaim:
|
|
description: |-
|
|
TokenNameClaim is the name of the claim holding the name of the token.
|
|
This name, if provided, will be used in the metrics.
|
|
type: string
|
|
tokenQueryKey:
|
|
description: TokenQueryKey specifies the query parameter name for the JWT token.
|
|
type: string
|
|
trustedIssuers:
|
|
description: |-
|
|
TrustedIssuers defines multiple JWKS providers with optional issuer validation.
|
|
Mutually exclusive with SigningSecretName, PublicKey, JWKSFile, and JWKSURL.
|
|
items:
|
|
description: TrustedIssuer represents a trusted JWT issuer with its associated JWKS endpoint for token verification.
|
|
properties:
|
|
issuer:
|
|
description: |-
|
|
Issuer is the expected value of the "iss" claim.
|
|
If specified, tokens must have this exact issuer to be validated against this JWKS.
|
|
The issuer value must match exactly, including trailing slashes and URL encoding.
|
|
If omitted, this JWKS acts as a fallback for any issuer.
|
|
type: string
|
|
jwksUrl:
|
|
description: JWKSURL is the URL to fetch the JWKS from.
|
|
type: string
|
|
x-kubernetes-validations:
|
|
- message: must be a valid HTTPS URL
|
|
rule: isURL(self) && self.startsWith('https://')
|
|
required:
|
|
- jwksUrl
|
|
type: object
|
|
maxItems: 100
|
|
minItems: 1
|
|
type: array
|
|
required:
|
|
- appIdClaim
|
|
type: object
|
|
x-kubernetes-validations:
|
|
- message: exactly one of signingSecretName, publicKey, jwksFile, jwksUrl, or trustedIssuers must be specified
|
|
rule: '[has(self.signingSecretName), has(self.publicKey), has(self.jwksFile), has(self.jwksUrl), has(self.trustedIssuers)].filter(x, x).size() == 1'
|
|
- message: trustedIssuers must not be empty when specified
|
|
rule: '!has(self.trustedIssuers) || size(self.trustedIssuers) > 0'
|
|
- message: only one entry in trustedIssuers may omit the issuer field
|
|
rule: '!has(self.trustedIssuers) || self.trustedIssuers.filter(x, !has(x.issuer) || x.issuer == "").size() <= 1'
|
|
ldap:
|
|
description: LDAP configures LDAP authentication.
|
|
properties:
|
|
attribute:
|
|
default: cn
|
|
description: |-
|
|
Attribute is the LDAP object attribute used to form a bind DN when sending bind queries.
|
|
The bind DN is formed as <Attribute>=<Username>,<BaseDN>.
|
|
type: string
|
|
baseDn:
|
|
description: BaseDN is the base domain name that should be used for bind and search queries.
|
|
type: string
|
|
bindDn:
|
|
description: |-
|
|
BindDN is the domain name to bind to in order to authenticate to the LDAP server when running in search mode.
|
|
If empty, an anonymous bind will be done.
|
|
type: string
|
|
bindPasswordSecretName:
|
|
description: |-
|
|
BindPasswordSecretName is the name of the Kubernetes Secret containing the password for the bind DN.
|
|
The secret must contain a key named 'password'.
|
|
maxLength: 253
|
|
type: string
|
|
certificateAuthority:
|
|
description: |-
|
|
CertificateAuthority is a PEM-encoded certificate to use to establish a connection with the LDAP server if the
|
|
connection uses TLS but that the certificate was signed by a custom Certificate Authority.
|
|
type: string
|
|
insecureSkipVerify:
|
|
description: InsecureSkipVerify controls whether the server's certificate chain and host name is verified.
|
|
type: boolean
|
|
searchFilter:
|
|
description: |-
|
|
SearchFilter is used to filter LDAP search queries.
|
|
Example: (&(objectClass=inetOrgPerson)(gidNumber=500)(uid=%s))
|
|
%s can be used as a placeholder for the username.
|
|
type: string
|
|
startTls:
|
|
description: StartTLS instructs the middleware to issue a StartTLS request when initializing the connection with the LDAP server.
|
|
type: boolean
|
|
url:
|
|
description: URL is the URL of the LDAP server, including the protocol (ldap or ldaps) and the port.
|
|
type: string
|
|
x-kubernetes-validations:
|
|
- message: must be a valid LDAP URL
|
|
rule: isURL(self) && (self.startsWith('ldap://') || self.startsWith('ldaps://'))
|
|
required:
|
|
- baseDn
|
|
- url
|
|
type: object
|
|
required:
|
|
- isDefault
|
|
type: object
|
|
x-kubernetes-validations:
|
|
- message: exactly one authentication method must be specified
|
|
rule: '[has(self.apiKey), has(self.jwt), has(self.ldap)].filter(x, x).size() == 1'
|
|
status:
|
|
description: The current status of this APIAuth.
|
|
properties:
|
|
conditions:
|
|
items:
|
|
description: Condition contains details for one aspect of the current state of this API Resource.
|
|
properties:
|
|
lastTransitionTime:
|
|
description: |-
|
|
lastTransitionTime is the last time the condition transitioned from one status to another.
|
|
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: |-
|
|
message is a human readable message indicating details about the transition.
|
|
This may be an empty string.
|
|
maxLength: 32768
|
|
type: string
|
|
observedGeneration:
|
|
description: |-
|
|
observedGeneration represents the .metadata.generation that the condition was set based upon.
|
|
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
|
|
with respect to the current state of the instance.
|
|
format: int64
|
|
minimum: 0
|
|
type: integer
|
|
reason:
|
|
description: |-
|
|
reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
|
Producers of specific condition types may define expected values and meanings for this field,
|
|
and whether the values are considered a guaranteed API.
|
|
The value should be a CamelCase string.
|
|
This field may not be empty.
|
|
maxLength: 1024
|
|
minLength: 1
|
|
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
|
type: string
|
|
status:
|
|
description: status of the condition, one of True, False, Unknown.
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
|
maxLength: 316
|
|
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
|
type: string
|
|
required:
|
|
- lastTransitionTime
|
|
- message
|
|
- reason
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
hash:
|
|
description: Hash is a hash representing the APIAuth.
|
|
type: string
|
|
syncedAt:
|
|
format: date-time
|
|
type: string
|
|
version:
|
|
type: string
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|