Package google.cloud.gkehub.identityservice.v2alpha

Spec

IdentityService: Configuration for a single membership.

Fields
auth_methods[]

Spec.AuthMethod

A member may support multiple auth methods.

identity_service_options

Spec.IdentityServiceOptions

Optional. Non-protocol-related configuration options.

AuthMethod

Configuration of an auth method for a member/cluster. Only one authentication method (e.g., OIDC or LDAP) can be set per AuthMethod.

Fields
name

string

Identifier for auth config.

proxy

string

Proxy server address to use for auth method.

Union field auth_config. Supported auth configurations. auth_config can be only one of the following:
oidc_config

Spec.AuthMethod.OidcConfig

OIDC specific configuration.

azuread_config

Spec.AuthMethod.AzureADConfig

AzureAD specific Configuration.

google_config

Spec.AuthMethod.GoogleConfig

GoogleConfig specific configuration.

saml_config

Spec.AuthMethod.SamlConfig

SAML specific configuration.

ldap_config

Spec.AuthMethod.LdapConfig

LDAP specific configuration.

AzureADConfig

Configuration for the AzureAD Auth flow.

Fields
client_id

string

ID for the registered client application that makes authentication requests to the Azure AD identity provider.

tenant

string

Kind of Azure AD account to be authenticated. Supported values are or for accounts belonging to a specific tenant.

kubectl_redirect_uri

string

The redirect URL that kubectl uses for authorization.

client_secret

string

Input only. Unencrypted AzureAD client secret will be passed to the GKE Hub CLH.

encrypted_client_secret

bytes

Output only. Encrypted AzureAD client secret.

user_claim

string

Optional. Claim in the AzureAD ID Token that holds the user details.

group_format

string

Optional. Format of the AzureAD groups that the client wants for auth.

GoogleConfig

Configuration for the Google Plugin Auth flow.

Fields
disable

bool

Disable automatic configuration of Google Plugin on supported platforms.

LdapConfig

Configuration for the LDAP Auth flow.

Fields
server

Spec.AuthMethod.LdapConfig.ServerConfig

Required. Server settings for the external LDAP server.

user

Spec.AuthMethod.LdapConfig.UserConfig

Required. Defines where users exist in the LDAP directory.

group

Spec.AuthMethod.LdapConfig.GroupConfig

Optional. Contains the properties for locating and authenticating groups in the directory.

service_account

Spec.AuthMethod.LdapConfig.ServiceAccountConfig

Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate.

GroupConfig

Contains the properties for locating and authenticating groups in the directory.

Fields
base_dn

string

Required. The location of the subtree in the LDAP directory to search for group entries.

id_attribute

string

Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName".

filter

string

Optional. Filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the number of groups returned for each user. This defaults to "(objectClass=Group)".

ServerConfig

Server settings for the external LDAP server.

Fields
host

string

Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389".

connection_type

string

Optional. Defines the connection type to communicate with the LDAP server. If starttls or ldaps is specified, the certificate_authority_data should not be empty.

certificate_authority_data

bytes

Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections.

ServiceAccountConfig

Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate.

Fields
Union field authentication_mechanism. Guarantees that the user supplies one authentication mechanism at a time. authentication_mechanism can be only one of the following:
simple_bind_credentials

Spec.AuthMethod.LdapConfig.ServiceAccountConfig.SimpleBindCredentials

Credentials for basic auth.

SimpleBindCredentials

The structure holds the LDAP simple binding credential.

Fields
dn

string

Required. The distinguished name (DN) of the service account object/user.

password

string

Required. Input only. The password of the service account object/user.

encrypted_password

bytes

Output only. The encrypted password of the service account object/user.

UserConfig

Defines where users exist in the LDAP directory.

Fields
base_dn

string

Required. The location of the subtree in the LDAP directory to search for user entries.

login_attribute

string

Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database, e.g. "(=)", and is combined with the optional filter field. This defaults to "userPrincipalName".

id_attribute

string

Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to log in with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to log in as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName".

filter

string

Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)".
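The LdapConfig descriptions above state several rules that are easy to get wrong when a spec is assembled by hand: server, user and service_account are required, the port in host defaults to 389, certificate_authority_data must be present (and must be base64 of a PEM certificate) whenever connection_type is starttls or ldaps, and the service account's authentication_mechanism one-of must carry exactly one entry. The following is an added example, not code from the GKE Hub API or any Google client library: it takes the config as a plain dict keyed by the proto field names on this page and reports findings before the spec is applied. The bracketed IPv6 host form, the warning for a non-TLS connection type (a simple bind sends the password unprotected without TLS) and the dict representation itself are assumptions made here, not statements from the reference.

```python
"""Consistency checks for a Spec.AuthMethod.LdapConfig before it is applied.

Added example; not code from the GKE Hub API or its client libraries.
The input is a plain dict keyed by the proto field names from this page, and
each check implements a rule the field descriptions state. The bracketed IPv6
host form and the plaintext-bind warning are assumptions added here.
"""
import base64
import binascii

DEFAULT_LDAP_PORT = 389
TLS_CONNECTION_TYPES = {"starttls", "ldaps"}
# Only the mechanism listed on this page; the one-of must carry exactly one.
SERVICE_ACCOUNT_MECHANISMS = ("simple_bind_credentials",)


def parse_host(host: str) -> tuple[str, int]:
    """Split ServerConfig.host into (hostname, port), port defaulting to 389.

    Handles "ldap.server.example", "10.10.10.10:389" and, as an assumption not
    stated on the page, bracketed IPv6 such as "[2001:db8::1]:636".
    """
    host = host.strip()
    if not host:
        raise ValueError("host is required")
    if host.startswith("["):
        end = host.index("]")
        name, rest = host[1:end], host[end + 1:]
        port = int(rest[1:]) if rest.startswith(":") else DEFAULT_LDAP_PORT
    elif host.count(":") == 1:
        name, port_text = host.split(":")
        port = int(port_text)
    else:  # bare hostname, IPv4, or unbracketed IPv6 without a port
        name, port = host, DEFAULT_LDAP_PORT
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    return name, port


def ca_data_is_pem_certificate(data) -> bool:
    """True if certificate_authority_data is base64 of a PEM certificate."""
    if isinstance(data, str):
        data = data.encode()
    try:
        pem = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return False
    return (b"-----BEGIN CERTIFICATE-----" in pem
            and b"-----END CERTIFICATE-----" in pem)


def validate_ldap_config(cfg: dict) -> list[tuple[str, str]]:
    """Return (severity, message) findings; an empty list means all checks pass."""
    findings = []
    for required in ("server", "user", "service_account"):
        if required not in cfg:
            findings.append(("error", f"{required}: required field missing"))

    server = cfg.get("server", {})
    try:
        parse_host(server.get("host", ""))
    except ValueError as exc:
        findings.append(("error", f"server.host: {exc}"))
    conn = server.get("connection_type", "").lower()
    ca = server.get("certificate_authority_data")
    if conn in TLS_CONNECTION_TYPES:
        if not ca:
            findings.append(("error", f"server.certificate_authority_data: required when connection_type is {conn}"))
        elif not ca_data_is_pem_certificate(ca):
            findings.append(("error", "server.certificate_authority_data: not base64 of a PEM certificate"))
    else:
        # Assumption: without starttls/ldaps the simple-bind password crosses the network unprotected.
        findings.append(("warn", "server.connection_type: no TLS; the bind password is sent unprotected"))

    if "user" in cfg and not cfg["user"].get("base_dn"):
        findings.append(("error", "user.base_dn: required field missing"))
    if "group" in cfg and not cfg["group"].get("base_dn"):
        findings.append(("error", "group.base_dn: required when group is set"))

    sa = cfg.get("service_account", {})
    if len([k for k in SERVICE_ACCOUNT_MECHANISMS if k in sa]) != 1:
        findings.append(("error", "service_account: exactly one authentication_mechanism must be set"))
    if "simple_bind_credentials" in sa:
        creds = sa["simple_bind_credentials"]
        for required in ("dn", "password"):
            if not creds.get(required):
                findings.append(("error", f"service_account.simple_bind_credentials.{required}: required"))
        if "encrypted_password" in creds:  # Output only on the page; never part of input
            findings.append(("warn", "simple_bind_credentials.encrypted_password is output only and is ignored on input"))
    return findings


# Constructed sample: placeholder PEM body, not a real certificate.
SAMPLE_CA = base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
)
SAMPLE_LDAP_CONFIG = {
    "server": {"host": "ldap.server.example:636", "connection_type": "ldaps",
               "certificate_authority_data": SAMPLE_CA},
    "user": {"base_dn": "ou=People,dc=example,dc=com", "login_attribute": "sAMAccountName"},
    "service_account": {"simple_bind_credentials": {
        "dn": "cn=ais-reader,ou=Service,dc=example,dc=com", "password": "placeholder"}},
}

if __name__ == "__main__":
    for severity, message in validate_ldap_config(SAMPLE_LDAP_CONFIG) or [("ok", "all checks passed")]:
        print(f"{severity}: {message}")
```

Findings are returned rather than raised so a deployment pipeline can treat "error" entries as blocking and "warn" entries as review items; the sample config passes with no findings, while dropping certificate_authority_data from a starttls server or leaving the service account's one-of empty produces an error for each rule.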

OidcConfig

Configuration for OIDC Auth flow.

Fields
client_id

string

ID for OIDC client application.

certificate_authority_data

string

PEM-encoded CA for OIDC provider.

issuer_uri

string

URI for the OIDC provider. This should point to the level below .well-known/openid-configuration.

kubectl_redirect_uri

string

Registered redirect URI to redirect users going through the OAuth flow using the kubectl plugin.

scopes

string

Comma-separated list of identifiers.

extra_params

string

Comma-separated list of key-value pairs.

user_claim

string

Claim in OIDC ID token that holds username.

user_prefix

string

Prefix to prepend to user name.

groups_claim

string

Claim in OIDC ID token that holds group information.

group_prefix

string

Prefix to prepend to group name.

deploy_cloud_console_proxy

bool

Flag to denote if reverse proxy is used to connect to auth provider. This flag should be set to true when provider is not reachable by Google Cloud Console.

client_secret

string

Input only. Unencrypted OIDC client secret will be passed to the GKE Hub CLH.

encrypted_client_secret

bytes

Output only. Encrypted OIDC client secret.

enable_access_token

bool

Enable access token.

SamlConfig

Configuration for the SAML Auth flow.

Fields
identity_provider_id

string

Required. The entity ID of the SAML IdP.

identity_provider_sso_uri

string

Required. The URI where the SAML IdP exposes the SSO service.

identity_provider_certificates[]

string

Required. The list of IdP certificates to validate the SAML response against.

user_attribute

string

Optional. The SAML attribute to read username from. If unspecified, the username will be read from the NameID element of the assertion in SAML response. This value is expected to be a string and will be passed along as-is (with the option of being prefixed by the user_prefix).

groups_attribute

string

Optional. The SAML attribute to read groups from. This value is expected to be a string and will be passed along as-is (with the option of being prefixed by the group_prefix).

user_prefix

string

Optional. Prefix to prepend to user name.

group_prefix

string

Optional. Prefix to prepend to group name.

attribute_mapping

map<string, string>

Optional. The mapping of additional user attributes such as nickname, birthday and address. The key is the name of the additional attribute. The value is a string containing a CEL (Common Expression Language, go/cel) expression used to extract the value from the resources. Taking nickname as an example, the key is "attribute.nickname" and the value is "assertion.nickname".

IdentityServiceOptions

Holds non-protocol-related configuration options.

Fields
session_duration

Duration

Determines the lifespan of STS tokens issued by Anthos Identity Service.

diagnostic_interface

Spec.IdentityServiceOptions.DiagnosticInterface

Configuration options for the AIS diagnostic interface.

DiagnosticInterface

Configuration options for the AIS diagnostic interface.

Fields
enabled

bool

Determines whether to enable the diagnostic interface.

expiration_time

Timestamp

Determines the expiration time of the diagnostic interface enablement. When reached, requests to the interface would be automatically rejected.

State

IdentityService: State for a single membership, analyzed and reported by feature controller.

Fields
installed_version

string

Installed AIS version. This is the AIS version installed on this member. The value is meaningful iff state is OK.

state

State.DeploymentState

Deployment state on this member.

failure_reason

string

The reason for the failure.

member_config

Spec

Last reconciled membership configuration.

DeploymentState

Deployment state enum.

Enums
DEPLOYMENT_STATE_UNSPECIFIED Unspecified state.
OK Deployment succeeded.
ERROR Deployment failed with an error.