Package google.cloud.gkehub.identityservice.v2

Index

Spec (message)
Spec.AuthMethod (message)
Spec.AuthMethod.AzureADConfig (message)
Spec.AuthMethod.GoogleConfig (message)
Spec.AuthMethod.LdapConfig (message)
Spec.AuthMethod.LdapConfig.GroupConfig (message)
Spec.AuthMethod.LdapConfig.ServerConfig (message)
Spec.AuthMethod.LdapConfig.ServiceAccountConfig (message)
Spec.AuthMethod.LdapConfig.ServiceAccountConfig.SimpleBindCredentials (message)
Spec.AuthMethod.LdapConfig.UserConfig (message)
Spec.AuthMethod.OidcConfig (message)
Spec.AuthMethod.SamlConfig (message)
Spec.IdentityServiceOptions (message)
Spec.IdentityServiceOptions.DiagnosticInterface (message)
State (message)
State.DeploymentState (enum)

Spec

IdentityService: Configuration for a single membership.

Fields

Fields
`auth_methods[]`	`Spec.AuthMethod` A member may support multiple auth methods.
`identity_service_options`	`Spec.IdentityServiceOptions` Optional. non-protocol-related configuration options.

auth_methods[]

Spec.AuthMethod

A member may support multiple auth methods.

identity_service_options

Spec.IdentityServiceOptions

Optional. non-protocol-related configuration options.

AuthMethod

Configuration of an auth method for a member/cluster. Only one authentication method (e.g., OIDC and LDAP) can be set per AuthMethod.

Fields
`name`	`string` Identifier for auth config.
`proxy`	`string` Proxy server address to use for auth method.
Union field `auth_config`. supported auth configurations. `auth_config` can be only one of the following:
`oidc_config`	`Spec.AuthMethod.OidcConfig` OIDC specific configuration.
`azuread_config`	`Spec.AuthMethod.AzureADConfig` AzureAD specific Configuration.
`google_config`	`Spec.AuthMethod.GoogleConfig` GoogleConfig specific configuration
`saml_config`	`Spec.AuthMethod.SamlConfig` SAML specific configuration.
`ldap_config`	`Spec.AuthMethod.LdapConfig` LDAP specific configuration.

AzureADConfig

Configuration for the AzureAD Auth flow.

Fields
`client_id`	`string` ID for the registered client application that makes authentication requests to the Azure AD identity provider.
`tenant`	`string` Kind of Azure AD account to be authenticated. Supported values are or for accounts belonging to a specific tenant.
`kubectl_redirect_uri`	`string` The redirect URL that kubectl uses for authorization.
`client_secret`	`string` Input only. Unencrypted AzureAD client secret will be passed to the GKE Hub CLH.
`encrypted_client_secret`	`bytes` Output only. Encrypted AzureAD client secret.
`user_claim`	`string` Optional. Claim in the AzureAD ID Token that holds the user details.
`group_format`	`string` Optional. Format of the AzureAD groups that the client wants for auth.

GoogleConfig

Configuration for the Google Plugin Auth flow.

Fields

Fields
`disable`	`bool` Disable automatic configuration of Google Plugin on supported platforms.

disable

bool

Disable automatic configuration of Google Plugin on supported platforms.

LdapConfig

Configuration for the LDAP Auth flow.

Fields
`server`	`Spec.AuthMethod.LdapConfig.ServerConfig` Required. Server settings for the external LDAP server.
`user`	`Spec.AuthMethod.LdapConfig.UserConfig` Required. Defines where users exist in the LDAP directory.
`group`	`Spec.AuthMethod.LdapConfig.GroupConfig` Optional. Contains the properties for locating and authenticating groups in the directory.
`service_account`	`Spec.AuthMethod.LdapConfig.ServiceAccountConfig` Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate.

GroupConfig

Contains the properties for locating and authenticating groups in the directory.

Fields

Fields
`base_dn`	`string` Required. The location of the subtree in the LDAP directory to search for group entries.
`id_attribute`	`string` Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName".
`filter`	`string` Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)".

base_dn

string

Required. The location of the subtree in the LDAP directory to search for group entries.

id_attribute

string

Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName".

filter

string

Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)".

ServerConfig

Server settings for the external LDAP server.

Fields

Fields
`host`	`string` Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389".
`connection_type`	`string` Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty.
`certificate_authority_data`	`bytes` Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections.

host

string

Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389".

connection_type

string

Optional. Defines the connection type to communicate with the LDAP server. If starttls or ldaps is specified, the certificate_authority_data should not be empty.

certificate_authority_data

bytes

Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections.

ServiceAccountConfig

Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate.

Fields

Fields
Union field `authentication_mechanism`. Guarantees that the user supplies one authentication mechanism at a time. `authentication_mechanism` can be only one of the following:
`simple_bind_credentials`	`Spec.AuthMethod.LdapConfig.ServiceAccountConfig.SimpleBindCredentials` Credentials for basic auth.

Union field authentication_mechanism. Guarantees that the user supplies one authentication mechanism at a time. authentication_mechanism can be only one of the following:

simple_bind_credentials

Spec.AuthMethod.LdapConfig.ServiceAccountConfig.SimpleBindCredentials

Credentials for basic auth.

SimpleBindCredentials

The structure holds the LDAP simple binding credential.

Fields

Fields
`dn`	`string` Required. The distinguished name(DN) of the service account object/user.
`password`	`string` Required. Input only. The password of the service account object/user.
`encrypted_password`	`bytes` Output only. The encrypted password of the service account object/user.

dn

string

Required. The distinguished name(DN) of the service account object/user.

password

string

Required. Input only. The password of the service account object/user.

encrypted_password

bytes

Output only. The encrypted password of the service account object/user.

UserConfig

Defines where users exist in the LDAP directory.

Fields
`base_dn`	`string` Required. The location of the subtree in the LDAP directory to search for user entries.
`login_attribute`	`string` Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName".
`id_attribute`	`string` Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName".
`filter`	`string` Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)".

OidcConfig

Configuration for OIDC Auth flow.

Fields
`client_id`	`string` ID for OIDC client application.
`certificate_authority_data`	`string` PEM-encoded CA for OIDC provider.
`issuer_uri`	`string` URI for the OIDC provider. This should point to the level below .well-known/openid-configuration.
`kubectl_redirect_uri`	`string` Registered redirect uri to redirect users going through OAuth flow using kubectl plugin.
`scopes`	`string` Comma-separated list of identifiers.
`extra_params`	`string` Comma-separated list of key-value pairs.
`user_claim`	`string` Claim in OIDC ID token that holds username.
`user_prefix`	`string` Prefix to prepend to user name.
`groups_claim`	`string` Claim in OIDC ID token that holds group information.
`group_prefix`	`string` Prefix to prepend to group name.
`deploy_cloud_console_proxy`	`bool` Flag to denote if reverse proxy is used to connect to auth provider. This flag should be set to true when provider is not reachable by Google Cloud Console.
`client_secret`	`string` Input only. Unencrypted OIDC client secret will be passed to the GKE Hub CLH.
`encrypted_client_secret`	`bytes` Output only. Encrypted OIDC Client secret
`enable_access_token`	`bool` Enable access token.

SamlConfig

Configuration for the SAML Auth flow.

Fields
`identity_provider_id`	`string` Required. The entity ID of the SAML IdP.
`identity_provider_sso_uri`	`string` Required. The URI where the SAML IdP exposes the SSO service.
`identity_provider_certificates[]`	`string` Required. The list of IdP certificates to validate the SAML response against.
`user_attribute`	`string` Optional. The SAML attribute to read username from. If unspecified, the username will be read from the NameID element of the assertion in SAML response. This value is expected to be a string and will be passed along as-is (with the option of being prefixed by the `user_prefix`).
`groups_attribute`	`string` Optional. The SAML attribute to read groups from. This value is expected to be a string and will be passed along as-is (with the option of being prefixed by the `group_prefix`).
`user_prefix`	`string` Optional. Prefix to prepend to user name.
`group_prefix`	`string` Optional. Prefix to prepend to group name.
`attribute_mapping`	`map<string, string>` Optional. The mapping of additional user attributes like nickname, birthday and address etc.. `key` is the name of this additional attribute. `value` is a string presenting as CEL(common expression language, go/cel) used for getting the value from the resources. Take nickname as an example, in this case, `key` is "attribute.nickname" and `value` is "assertion.nickname".

IdentityServiceOptions

Holds non-protocol-related configuration options.

Fields

Fields
`session_duration`	`Duration` Determines the lifespan of STS tokens issued by Anthos Identity Service.
`diagnostic_interface`	`Spec.IdentityServiceOptions.DiagnosticInterface` Configuration options for the AIS diagnostic interface.

session_duration

Duration

Determines the lifespan of STS tokens issued by Anthos Identity Service.

diagnostic_interface

Spec.IdentityServiceOptions.DiagnosticInterface

Configuration options for the AIS diagnostic interface.

DiagnosticInterface

Configuration options for the AIS diagnostic interface.

Fields

Fields
`enabled`	`bool` Determines whether to enable the diagnostic interface.
`expiration_time`	`Timestamp` Determines the expiration time of the diagnostic interface enablement. When reached, requests to the interface would be automatically rejected.

enabled

bool

Determines whether to enable the diagnostic interface.

expiration_time

Timestamp

Determines the expiration time of the diagnostic interface enablement. When reached, requests to the interface would be automatically rejected.

State

IdentityService: State for a single membership, analyzed and reported by feature controller.

Fields
`installed_version`	`string` Installed AIS version. This is the AIS version installed on this member. The values makes sense iff state is OK.
`state`	`State.DeploymentState` Deployment state on this member
`failure_reason`	`string` The reason of the failure.
`member_config`	`Spec` Last reconciled membership configuration

DeploymentState

Deployment state enum

Enums
`DEPLOYMENT_STATE_UNSPECIFIED`	Unspecified state
`OK`	deployment succeeds
`ERROR`	Failure with error.