Documentation
Overview ¶
Package v1alpha1 contains API Schema definitions for the dex v1alpha1 API group +kubebuilder:object:generate=true +groupName=dex.gpu-ninja.com
Index ¶
- Variables
- type DexIdentityProvider
- func (in *DexIdentityProvider) DeepCopy() *DexIdentityProvider
- func (in *DexIdentityProvider) DeepCopyInto(out *DexIdentityProvider)
- func (in *DexIdentityProvider) DeepCopyObject() runtime.Object
- func (d *DexIdentityProvider) ResolveReferences(ctx context.Context, reader client.Reader, scheme *runtime.Scheme) (bool, error)
- type DexIdentityProviderConditionType
- type DexIdentityProviderConnectorLDAPGroupSearchSpec
- type DexIdentityProviderConnectorLDAPGroupSearchUserMatcher
- type DexIdentityProviderConnectorLDAPSpec
- type DexIdentityProviderConnectorLDAPUserSearchSpec
- type DexIdentityProviderConnectorOIDCClaimMapping
- type DexIdentityProviderConnectorOIDCSpec
- type DexIdentityProviderConnectorSpec
- type DexIdentityProviderConnectorType
- type DexIdentityProviderExpirySpec
- type DexIdentityProviderFrontendSpec
- type DexIdentityProviderGRPCSpec
- type DexIdentityProviderList
- type DexIdentityProviderLocalStorageSpec
- type DexIdentityProviderLoggerSpec
- type DexIdentityProviderOAuth2Spec
- type DexIdentityProviderPhase
- type DexIdentityProviderRefreshTokenSpec
- type DexIdentityProviderSpec
- type DexIdentityProviderStatus
- type DexIdentityProviderStorageNetworkDBSpec
- type DexIdentityProviderStorageSSLSpec
- type DexIdentityProviderStorageSpec
- type DexIdentityProviderStorageSqlite3Spec
- type DexIdentityProviderStorageType
- type DexIdentityProviderWebSpec
- type DexOAuth2Client
- func (in *DexOAuth2Client) DeepCopy() *DexOAuth2Client
- func (in *DexOAuth2Client) DeepCopyInto(out *DexOAuth2Client)
- func (in *DexOAuth2Client) DeepCopyObject() runtime.Object
- func (d *DexOAuth2Client) ResolveReferences(ctx context.Context, reader client.Reader, scheme *runtime.Scheme) (bool, error)
- type DexOAuth2ClientList
- type DexOAuth2ClientPhase
- type DexOAuth2ClientSpec
- type DexOAuth2ClientStatus
Constants ¶
This section is empty.
Variables ¶
var ( // GroupVersion is group version used to register these objects GroupVersion = schema.GroupVersion{Group: "dex.gpu-ninja.com", Version: "v1alpha1"} // SchemeBuilder is used to add go types to the GroupVersionKind scheme SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} // AddToScheme adds the types in this group-version to the given scheme. AddToScheme = SchemeBuilder.AddToScheme )
Functions ¶
This section is empty.
Types ¶
type DexIdentityProvider ¶
type DexIdentityProvider struct {
// TypeMeta and ObjectMeta are the standard Kubernetes type and object metadata.
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec is the desired state of the Dex IdP server.
Spec DexIdentityProviderSpec `json:"spec,omitempty"`
// Status is the observed state of the Dex IdP server.
Status DexIdentityProviderStatus `json:"status,omitempty"`
}
DexIdentityProvider is a Dex IdP server. +kubebuilder:object:root=true +kubebuilder:subresource:status +kubebuilder:resource:shortName=idp +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
func (*DexIdentityProvider) DeepCopy ¶
func (in *DexIdentityProvider) DeepCopy() *DexIdentityProvider
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DexIdentityProvider.
func (*DexIdentityProvider) DeepCopyInto ¶
func (in *DexIdentityProvider) DeepCopyInto(out *DexIdentityProvider)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*DexIdentityProvider) DeepCopyObject ¶
func (in *DexIdentityProvider) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type DexIdentityProviderConditionType ¶
type DexIdentityProviderConditionType string
const ( DexIdentityProviderConditionTypePending DexIdentityProviderConditionType = "Pending" DexIdentityProviderConditionTypeReady DexIdentityProviderConditionType = "Ready" DexIdentityProviderConditionTypeFailed DexIdentityProviderConditionType = "Failed" )
type DexIdentityProviderConnectorLDAPGroupSearchSpec ¶
type DexIdentityProviderConnectorLDAPGroupSearchSpec struct {
// BaseDN to start the search from. For example "cn=groups,dc=example,dc=com"
// NOTE(review): the groups found here presumably end up in the groups claim that
// downstream clients authorize on; keep BaseDN and Filter as narrow as the
// deployment allows.
BaseDN string `json:"baseDN"`
// Filter is an optional filter to apply when searching the directory. For example "(objectClass=posixGroup)"
Filter string `json:"filter,omitempty"`
// Scope is the optional scope of the search (default "sub").
// Can either be:
// * "sub" - search the whole sub tree
// * "one" - only search one level
// +kubebuilder:validation:Enum=sub;one
Scope string `json:"scope,omitempty"`
// NameAttr is the attribute of the group that represents its name.
NameAttr string `json:"nameAttr"`
// UserMatchers is an array of the field pairs used to match a user to a group.
// See the "DexIdentityProviderConnectorLDAPGroupSearchUserMatcher" struct for the
// exact field names
//
// Each pair adds an additional requirement to the filter that an attribute in the group
// match the user's attribute value. For example that the "members" attribute of
// a group matches the "uid" of the user. The exact filter being added is:
//
// (userMatchers[n].<groupAttr>=userMatchers[n].<userAttr value>)
//
// The field is required (no omitempty on the JSON tag).
UserMatchers []DexIdentityProviderConnectorLDAPGroupSearchUserMatcher `json:"userMatchers"`
}
DexIdentityProviderConnectorLDAPGroupSearchSpec holds configuration for searching LDAP groups.
func (*DexIdentityProviderConnectorLDAPGroupSearchSpec) DeepCopy ¶
func (in *DexIdentityProviderConnectorLDAPGroupSearchSpec) DeepCopy() *DexIdentityProviderConnectorLDAPGroupSearchSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DexIdentityProviderConnectorLDAPGroupSearchSpec.
func (*DexIdentityProviderConnectorLDAPGroupSearchSpec) DeepCopyInto ¶
func (in *DexIdentityProviderConnectorLDAPGroupSearchSpec) DeepCopyInto(out *DexIdentityProviderConnectorLDAPGroupSearchSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DexIdentityProviderConnectorLDAPGroupSearchUserMatcher ¶
type DexIdentityProviderConnectorLDAPGroupSearchUserMatcher struct {
// UserAttr is the attribute to match against the user ID.
// Its value on the user entry is the right-hand side of the group filter
// "(<groupAttr>=<userAttr value>)" described on UserMatchers.
UserAttr string `json:"userAttr"`
// GroupAttr is the attribute to match against the group ID.
// It names the attribute on the group entry that must equal the user's
// UserAttr value for the group to match.
GroupAttr string `json:"groupAttr"`
}
DexIdentityProviderConnectorLDAPGroupSearchUserMatcher holds information about user and group matching.
func (*DexIdentityProviderConnectorLDAPGroupSearchUserMatcher) DeepCopy ¶
func (in *DexIdentityProviderConnectorLDAPGroupSearchUserMatcher) DeepCopy() *DexIdentityProviderConnectorLDAPGroupSearchUserMatcher
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DexIdentityProviderConnectorLDAPGroupSearchUserMatcher.
func (*DexIdentityProviderConnectorLDAPGroupSearchUserMatcher) DeepCopyInto ¶
func (in *DexIdentityProviderConnectorLDAPGroupSearchUserMatcher) DeepCopyInto(out *DexIdentityProviderConnectorLDAPGroupSearchUserMatcher)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DexIdentityProviderConnectorLDAPSpec ¶
type DexIdentityProviderConnectorLDAPSpec struct {
// Host is the host and optional port of the LDAP server.
// If port isn't supplied, it will be guessed based on the TLS configuration.
Host string `json:"host"`
// InsecureNoSSL is required to connect to a server without TLS.
// With it set, the bind credentials (and, presumably, the passwords users enter
// at the username/password prompt) cross the network unencrypted. Keep it
// false outside of disposable test setups.
InsecureNoSSL bool `json:"insecureNoSSL,omitempty"`
// InsecureSkipVerify allows connecting to a server without
// verifying the TLS certificate.
// The connection is then encrypted but the server is not authenticated, so a
// host on the network path can pose as the directory and receive the same
// credentials. For a private or self-signed CA, set CASecretRef instead of
// enabling this.
InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
// StartTLS allows connecting to a server that supports the StartTLS command.
// If unsupplied secure connections will use the LDAPS protocol.
StartTLS bool `json:"startTLS,omitempty"`
// CASecretRef is an optional reference to a secret containing the CA certificate.
// NOTE(review): presumably the LDAP server certificate is verified against this
// CA; the expected secret key names are not shown here - confirm.
CASecretRef *reference.LocalSecretReference `json:"caSecretRef,omitempty"`
// ClientCertificateSecretRef is an optional reference to a secret containing the client certificate and key.
ClientCertificateSecretRef *reference.LocalSecretReference `json:"clientCertificateSecretRef,omitempty"`
// BindUsername is the DN of the user to bind with.
// The connector uses these credentials to search for users and groups.
// Since they are only used for searching, a dedicated account limited to read
// access on the user and group search bases is sufficient.
BindUsername string `json:"bindUsername"`
// BindPasswordSecretRef is a reference to a secret containing the bind password.
// The connector uses these credentials to search for users and groups.
// The password is referenced from a secret rather than stored in this resource.
BindPasswordSecretRef reference.LocalSecretReference `json:"bindPasswordSecretRef"`
// UsernamePrompt allows users to override the username attribute (displayed
// in the username/password prompt). If unset, the handler will use
// "Username".
UsernamePrompt string `json:"usernamePrompt,omitempty"`
// UserSearch contains configuration for searching LDAP users.
UserSearch DexIdentityProviderConnectorLDAPUserSearchSpec `json:"userSearch"`
// GroupSearch contains configuration for searching LDAP groups.
GroupSearch DexIdentityProviderConnectorLDAPGroupSearchSpec `json:"groupSearch"`
}
DexIdentityProviderConnectorLDAPSpec holds configuration for the LDAP connector.
func (*DexIdentityProviderConnectorLDAPSpec) DeepCopy ¶
func (in *DexIdentityProviderConnectorLDAPSpec) DeepCopy() *DexIdentityProviderConnectorLDAPSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DexIdentityProviderConnectorLDAPSpec.
func (*DexIdentityProviderConnectorLDAPSpec) DeepCopyInto ¶
func (in *DexIdentityProviderConnectorLDAPSpec) DeepCopyInto(out *DexIdentityProviderConnectorLDAPSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DexIdentityProviderConnectorLDAPUserSearchSpec ¶
type DexIdentityProviderConnectorLDAPUserSearchSpec struct {
// BaseDN to start the search from. For example "cn=users,dc=example,dc=com"
BaseDN string `json:"baseDN"`
// Filter is an optional filter to apply when searching the directory. For example "(objectClass=person)"
// Every entry under BaseDN that passes this filter is a candidate login, so use
// it to exclude service or disabled accounts where the directory marks them.
Filter string `json:"filter,omitempty"`
// Username is the attribute to match against the inputted username. This will be translated and combined
// with the other filter as "(<attr>=<username>)".
// NOTE(review): <username> comes from the login form; "translated" presumably
// means it is escaped before being placed in the filter - confirm in the
// connector, since unescaped input would allow LDAP filter injection.
Username string `json:"username"`
// Scope is the optional scope of the search (default "sub").
// Can either be:
// * "sub" - search the whole sub tree
// * "one" - only search one level
// +kubebuilder:validation:Enum=sub;one
Scope string `json:"scope,omitempty"`
// IDAttr is the attribute to use as the user ID (default "uid").
// Downstream clients presumably key accounts on this value; an attribute that
// can be reassigned to another person in the directory is a poor choice.
IDAttr string `json:"idAttr,omitempty"`
// EmailAttr is the attribute to use as the user email (default "mail").
EmailAttr string `json:"emailAttr,omitempty"`
// NameAttr is the attribute to use as the display name for the user.
NameAttr string `json:"nameAttr,omitempty"`
// PreferredUsernameAttr is the attribute to use as the preferred username for the user.
PreferredUsernameAttr string `json:"preferredUsernameAttr,omitempty"`
// EmailSuffix if set, will be appended to the idAttr to construct the email claim.
// This should not include the @ character.
// The resulting address is synthesized rather than read from the directory, so
// clients should not treat it as a confirmed mailbox.
EmailSuffix string `json:"emailSuffix,omitempty"`
}
DexIdentityProviderConnectorLDAPUserSearchSpec holds configuration for searching LDAP users.
func (*DexIdentityProviderConnectorLDAPUserSearchSpec) DeepCopy ¶
func (in *DexIdentityProviderConnectorLDAPUserSearchSpec) DeepCopy() *DexIdentityProviderConnectorLDAPUserSearchSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DexIdentityProviderConnectorLDAPUserSearchSpec.
func (*DexIdentityProviderConnectorLDAPUserSearchSpec) DeepCopyInto ¶
func (in *DexIdentityProviderConnectorLDAPUserSearchSpec) DeepCopyInto(out *DexIdentityProviderConnectorLDAPUserSearchSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DexIdentityProviderConnectorOIDCClaimMapping ¶
type DexIdentityProviderConnectorOIDCClaimMapping struct {
// Note that the JSON names of these fields are the standard claim names
// ("preferred_username", "email", "groups"), not the Go field names.

// PreferredUsernameKey is the key which contains the preferred username claims, defaults to "preferred_username".
PreferredUsernameKey string `json:"preferred_username,omitempty"`
// EmailKey is the key which contains the email claims, defaults to "email".
EmailKey string `json:"email,omitempty"`
// GroupsKey is the key which contains the groups claims, defaults to "groups".
// NOTE(review): presumably only consulted when groups claims are enabled on the
// connector (InsecureEnableGroups) - confirm.
GroupsKey string `json:"groups,omitempty"`
}
DexIdentityProviderConnectorOIDCClaimMapping holds configuration for OIDC claim mapping.
func (*DexIdentityProviderConnectorOIDCClaimMapping) DeepCopy ¶
func (in *DexIdentityProviderConnectorOIDCClaimMapping) DeepCopy() *DexIdentityProviderConnectorOIDCClaimMapping
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DexIdentityProviderConnectorOIDCClaimMapping.
func (*DexIdentityProviderConnectorOIDCClaimMapping) DeepCopyInto ¶
func (in *DexIdentityProviderConnectorOIDCClaimMapping) DeepCopyInto(out *DexIdentityProviderConnectorOIDCClaimMapping)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DexIdentityProviderConnectorOIDCSpec ¶
type DexIdentityProviderConnectorOIDCSpec struct {
// Issuer is the URL of the OIDC issuer.
Issuer string `json:"issuer"`
// ClientSecretRef is a reference to a secret containing the OAuth client id and secret.
// The expected key names inside the secret are not shown here.
ClientSecretRef reference.LocalSecretReference `json:"clientSecretRef"`
// RedirectURI is the OAuth redirect URI.
RedirectURI string `json:"redirectURI"`
// BasicAuthUnsupported causes client_secret to be passed as POST parameters instead of basic
// auth. This is specifically "NOT RECOMMENDED" by the OAuth2 RFC, but some
// providers require it.
//
// https://tools.ietf.org/html/rfc6749#section-2.3.1
//
// Leave unset unless the upstream provider rejects basic auth.
BasicAuthUnsupported *bool `json:"basicAuthUnsupported,omitempty"`
// Scopes is an optional list of scopes to request.
// If omitted, defaults to "profile" and "email".
Scopes []string `json:"scopes,omitempty"`
// CASecretRef is an optional reference to a secret containing the CA certificate.
// Only required if your provider uses a self-signed certificate.
// Prefer this over InsecureSkipVerify when the provider's certificate does not
// chain to a public CA.
CASecretRef *reference.LocalSecretReference `json:"caSecretRef,omitempty"`
// InsecureSkipVerify disables TLS certificate verification.
// Without verification the upstream issuer is not authenticated, so whatever
// answers on the network path is trusted as the identity provider. Keep it
// false in production.
InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
// InsecureSkipEmailVerified if set will override the value of email_verified to true in the returned claims.
// Downstream clients can then no longer tell a confirmed address from one the
// user merely claimed. Only set it when the upstream provider is known to
// verify e-mail ownership, especially if clients link accounts by e-mail.
InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified,omitempty"`
// InsecureEnableGroups enables groups claims.
// NOTE(review): upstream Dex keeps groups off for this connector by default
// because the groups claim is only refreshed together with the ID token, so a
// membership change at the provider can lag. Confirm against the Dex version in
// use before basing authorization on these groups.
InsecureEnableGroups bool `json:"insecureEnableGroups,omitempty"`
// AcrValues (Authentication Context Class Reference Values) that specifies the Authentication Context Class Values
// within the Authentication Request that the Authorization Server is being requested to use for
// processing requests from this Client, with the values appearing in order of preference.
AcrValues []string `json:"acrValues,omitempty"`
// GetUserInfo uses the userinfo endpoint to get additional claims for
// the token. This is especially useful where upstreams return "thin"
// id tokens
GetUserInfo bool `json:"getUserInfo,omitempty"`
// UserIDKey is the claim key to use for the user ID (default sub).
// NOTE(review): a claim other than "sub" should be unique and never reassigned
// at the provider, since it identifies the user downstream - confirm.
UserIDKey string `json:"userIDKey,omitempty"`
// UserNameKey is the claim key to use for the username (default name).
UserNameKey string `json:"userNameKey,omitempty"`
// PromptType will be used for the prompt parameter (when offline_access, by default prompt=consent).
PromptType string `json:"promptType,omitempty"`
// OverrideClaimMapping will be used to override the options defined in claimMappings.
// i.e. if there are 'email' and `preferred_email` claims available, by default Dex will always use the `email` claim independent of the ClaimMapping.EmailKey.
// This setting allows you to override the default behavior of Dex and enforce the mappings defined in `claimMapping`.
// Defaults to false.
OverrideClaimMapping bool `json:"overrideClaimMapping,omitempty"`
// ClaimMapping is used to map non-standard claims to standard claims.
// Some providers return non-standard claims (eg. mail).
// https://openid.net/specs/openid-connect-core-1_0.html#Claims
ClaimMapping *DexIdentityProviderConnectorOIDCClaimMapping `json:"claimMapping,omitempty"`
}
DexIdentityProviderConnectorOIDCSpec holds configuration for the OIDC connector.
func (*DexIdentityProviderConnectorOIDCSpec) DeepCopy ¶
func (in *DexIdentityProviderConnectorOIDCSpec) DeepCopy() *DexIdentityProviderConnectorOIDCSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DexIdentityProviderConnectorOIDCSpec.
func (*DexIdentityProviderConnectorOIDCSpec) DeepCopyInto ¶
func (in *DexIdentityProviderConnectorOIDCSpec) DeepCopyInto(out *DexIdentityProviderConnectorOIDCSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DexIdentityProviderConnectorSpec ¶
type DexIdentityProviderConnectorSpec struct {
// Type is the connector type to use.
// The enum below restricts it to "ldap" or "oidc".
//+kubebuilder:validation:Enum=ldap;oidc
Type DexIdentityProviderConnectorType `json:"type"`
// Name is the connector name.
Name string `json:"name"`
// ID is the connector ID.
ID string `json:"id"`
// LDAP holds configuration for the LDAP connector.
// NOTE(review): presumably must be set when Type is "ldap"; nothing in this
// struct enforces that - confirm where it is validated.
LDAP *DexIdentityProviderConnectorLDAPSpec `json:"ldap,omitempty"`
// OIDC holds configuration for the OIDC connector.
// NOTE(review): presumably must be set when Type is "oidc" - confirm as above.
OIDC *DexIdentityProviderConnectorOIDCSpec `json:"oidc,omitempty"`
}
DexIdentityProviderConnectorSpec holds configuration for a connector.
func (*DexIdentityProviderConnectorSpec) DeepCopy ¶
func (in *DexIdentityProviderConnectorSpec) DeepCopy() *DexIdentityProviderConnectorSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DexIdentityProviderConnectorSpec.
func (*DexIdentityProviderConnectorSpec) DeepCopyInto ¶
func (in *DexIdentityProviderConnectorSpec) DeepCopyInto(out *DexIdentityProviderConnectorSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DexIdentityProviderConnectorType ¶
type DexIdentityProviderConnectorType string
DexIdentityProviderConnectorType defines the connector type to use. Only a subset of the available Dex connectors is supported at the moment.
const ( DexIdentityProviderConnectorTypeLDAP DexIdentityProviderConnectorType = "ldap" DexIdentityProviderConnectorTypeOIDC DexIdentityProviderConnectorType = "oidc" )
type DexIdentityProviderExpirySpec ¶
type DexIdentityProviderExpirySpec struct {
// All fields are optional; the values used when a field is unset are not shown
// here.

// SigningKeys defines the duration of time after which the SigningKeys will be rotated.
SigningKeys *metav1.Duration `json:"signingKeys,omitempty"`
// IDTokens defines the duration of time for which the IdTokens will be valid.
// An issued ID token generally cannot be recalled before it expires, so this
// value bounds how long a leaked token stays useful.
IDTokens *metav1.Duration `json:"idTokens,omitempty"`
// AuthRequests defines the duration of time for which the AuthRequests will be valid.
AuthRequests *metav1.Duration `json:"authRequests,omitempty"`
// DeviceRequests defines the duration of time for which the DeviceRequests will be valid.
DeviceRequests *metav1.Duration `json:"deviceRequests,omitempty"`
// RefreshTokens defines refresh tokens expiry policy.
RefreshTokens *DexIdentityProviderRefreshTokenSpec `json:"refreshTokens,omitempty"`
}
DexIdentityProviderExpirySpec holds configuration for the validity of tokens, signing keys, etc.
func (*DexIdentityProviderExpirySpec) DeepCopy ¶
func (in *DexIdentityProviderExpirySpec) DeepCopy() *DexIdentityProviderExpirySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DexIdentityProviderExpirySpec.
func (*DexIdentityProviderExpirySpec) DeepCopyInto ¶
func (in *DexIdentityProviderExpirySpec) DeepCopyInto(out *DexIdentityProviderExpirySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DexIdentityProviderFrontendSpec ¶
type DexIdentityProviderFrontendSpec struct {
// Dir is a file path to static web assets.
//
// It is expected to contain the following directories:
// * static - Static assets served at "( issuer URL )/static".
// * templates - HTML templates controlled by dex.
// * themes/(theme) - Static assets served at "( issuer URL )/theme".
//
// The templates render the login pages, so the directory should only be
// writable by whoever is trusted to change what users see when they sign in.
Dir string `json:"dir,omitempty"`
// LogoURL is the URL of the logo to use in the HTML templates.
// Defaults to "( issuer URL )/theme/logo.png"
LogoURL string `json:"logoURL,omitempty"`
// Issuer is the name of the issuer, used in the HTML templates.
// Defaults to "dex".
Issuer string `json:"issuer,omitempty"`
// Theme is the name of the theme to use.
// Defaults to "light".
Theme string `json:"theme,omitempty"`
}
DexIdentityProviderFrontendSpec holds the server's frontend templates and asset configuration.
func (*DexIdentityProviderFrontendSpec) DeepCopy ¶
func (in *DexIdentityProviderFrontendSpec) DeepCopy() *DexIdentityProviderFrontendSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DexIdentityProviderFrontendSpec.
func (*DexIdentityProviderFrontendSpec) DeepCopyInto ¶
func (in *DexIdentityProviderFrontendSpec) DeepCopyInto(out *DexIdentityProviderFrontendSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DexIdentityProviderGRPCSpec ¶
type DexIdentityProviderGRPCSpec struct {
// Addr is the address to bind the gRPC server to.
Addr string `json:"addr"`
// CertificateSecretRef is an optional reference to a secret containing the TLS certificate and key
// to use for the gRPC server.
// NOTE(review): what the server does when this is omitted is not shown here; if
// it then listens without TLS, API traffic is unprotected - confirm.
CertificateSecretRef *reference.LocalSecretReference `json:"certificateSecretRef,omitempty"`
// ClientCASecretRef is an optional reference to a secret containing the client CA.
// NOTE(review): presumably client certificates are verified against this CA
// (mutual TLS). Without it the API has no client authentication at this layer,
// so network access to Addr would need to be restricted by other means - confirm.
ClientCASecretRef *reference.LocalSecretReference `json:"clientCASecretRef,omitempty"`
// Reflection enables gRPC server reflection.
// Reflection lets any caller that can reach the port enumerate the exposed
// services; leave it off unless it is needed for debugging.
Reflection bool `json:"reflection,omitempty"`
// Annotations is an optional map of additional annotations to add to the gRPC server's service.
Annotations map[string]string `json:"annotations,omitempty"`
}
DexIdentityProviderGRPCSpec holds configuration for the gRPC server.
func (*DexIdentityProviderGRPCSpec) DeepCopy ¶
func (in *DexIdentityProviderGRPCSpec) DeepCopy() *DexIdentityProviderGRPCSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DexIdentityProviderGRPCSpec.
func (*DexIdentityProviderGRPCSpec) DeepCopyInto ¶
func (in *DexIdentityProviderGRPCSpec) DeepCopyInto(out *DexIdentityProviderGRPCSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DexIdentityProviderList ¶
type DexIdentityProviderList struct {
// TypeMeta and ListMeta are the standard Kubernetes type and list metadata.
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
// Items is the list of DexIdentityProvider objects.
Items []DexIdentityProvider `json:"items"`
}
DexIdentityProviderList contains a list of DexIdentityProvider +kubebuilder:object:root=true
func (*DexIdentityProviderList) DeepCopy ¶
func (in *DexIdentityProviderList) DeepCopy() *DexIdentityProviderList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DexIdentityProviderList.
func (*DexIdentityProviderList) DeepCopyInto ¶
func (in *DexIdentityProviderList) DeepCopyInto(out *DexIdentityProviderList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*DexIdentityProviderList) DeepCopyObject ¶
func (in *DexIdentityProviderList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type DexIdentityProviderLocalStorageSpec ¶
// DexIdentityProviderLocalStorageSpec configures local persistent storage for
// the Dex container, which is useful when using a SQLite database.
type DexIdentityProviderLocalStorageSpec struct {
// MountPath is the path at which the local storage will be mounted in the container.
MountPath string `json:"mountPath"`
// Size is the size of the persistent volume that will be
// used to store Dex's local sqlite database.
// NOTE(review): presumably a Kubernetes quantity string such as "1Gi" - confirm.
// The database presumably holds Dex state such as refresh tokens and signing
// keys, so treat the volume and its backups as sensitive.
Size string `json:"size"`
// StorageClassName is the name of the storage class that will be
// used to provision the persistent volume.
StorageClassName *string `json:"storageClassName,omitempty"`
}
func (*DexIdentityProviderLocalStorageSpec) DeepCopy ¶
func (in *DexIdentityProviderLocalStorageSpec) DeepCopy() *DexIdentityProviderLocalStorageSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DexIdentityProviderLocalStorageSpec.
func (*DexIdentityProviderLocalStorageSpec) DeepCopyInto ¶
func (in *DexIdentityProviderLocalStorageSpec) DeepCopyInto(out *DexIdentityProviderLocalStorageSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DexIdentityProviderLoggerSpec ¶
// DexIdentityProviderLoggerSpec holds configuration required to customize
// logging for dex.
type DexIdentityProviderLoggerSpec struct {
// Level sets logging level severity.
// The accepted values and the default are not listed here.
Level string `json:"level,omitempty"`
// Format specifies the format to be used for logging.
// The accepted values and the default are not listed here.
Format string `json:"format,omitempty"`
}
func (*DexIdentityProviderLoggerSpec) DeepCopy ¶
func (in *DexIdentityProviderLoggerSpec) DeepCopy() *DexIdentityProviderLoggerSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DexIdentityProviderLoggerSpec.
func (*DexIdentityProviderLoggerSpec) DeepCopyInto ¶
func (in *DexIdentityProviderLoggerSpec) DeepCopyInto(out *DexIdentityProviderLoggerSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DexIdentityProviderOAuth2Spec ¶
type DexIdentityProviderOAuth2Spec struct {
// GrantTypes is a list of allowed grant types, defaults to all supported types.
// Because an empty list allows every supported grant, list only the grants the
// registered clients actually use.
GrantTypes []string `json:"grantTypes,omitempty"`
// ResponseTypes is a list of allowed response types, defaults to all supported types.
// As with GrantTypes, an explicit list keeps unused flows disabled.
ResponseTypes []string `json:"responseTypes,omitempty"`
// SkipApprovalScreen, if specified, do not prompt the user to approve client authorization. The
// act of logging in implies authorization.
// Users then get no consent step, so this is only appropriate when every
// registered client is trusted.
SkipApprovalScreen bool `json:"skipApprovalScreen,omitempty"`
// AlwaysShowLoginScreen, if specified, show the connector selection screen even if there's only one.
AlwaysShowLoginScreen bool `json:"alwaysShowLoginScreen,omitempty"`
// PasswordConnector is a specific connector to use for password grants.
// With a password grant the client application handles the user's password
// directly, so set this only when such clients are trusted.
// NOTE(review): whether leaving it empty disables the password grant is not
// shown here - confirm.
PasswordConnector string `json:"passwordConnector,omitempty"`
}
DexIdentityProviderOAuth2Spec holds configuration for OAuth2.
func (*DexIdentityProviderOAuth2Spec) DeepCopy ¶
func (in *DexIdentityProviderOAuth2Spec) DeepCopy() *DexIdentityProviderOAuth2Spec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DexIdentityProviderOAuth2Spec.
func (*DexIdentityProviderOAuth2Spec) DeepCopyInto ¶
func (in *DexIdentityProviderOAuth2Spec) DeepCopyInto(out *DexIdentityProviderOAuth2Spec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DexIdentityProviderPhase ¶
type DexIdentityProviderPhase string
DexIdentityProviderPhase is the current state of the Dex IdP server.
const ( DexIdentityProviderPhasePending DexIdentityProviderPhase = "Pending" DexIdentityProviderPhaseReady DexIdentityProviderPhase = "Ready" DexIdentityProviderPhaseFailed DexIdentityProviderPhase = "Failed" )
type DexIdentityProviderRefreshTokenSpec ¶
type DexIdentityProviderRefreshTokenSpec struct {
// DisableRotation disables refresh token rotation.
// Without rotation a refresh token keeps the same value for its whole life, so
// a copied token stays usable until it expires or is revoked. Leave rotation
// enabled unless a client cannot cope with it.
DisableRotation bool `json:"disableRotation,omitempty"`
// ReuseInterval defines the duration of time after which a refresh token can be reused.
// NOTE(review): upstream Dex describes this as the window within which an
// already-used token may be presented again (to tolerate lost responses), not a
// delay after which reuse becomes possible - confirm the wording. Keep it short.
ReuseInterval *metav1.Duration `json:"reuseInterval,omitempty"`
// AbsoluteLifetime defines the duration of time after which a refresh token will expire.
// NOTE(review): the behavior when unset is not shown here; confirm whether that
// means no absolute limit.
AbsoluteLifetime *metav1.Duration `json:"absoluteLifetime,omitempty"`
// ValidIfNotUsedFor defines the duration of time after which a refresh token will expire if not used.
ValidIfNotUsedFor *metav1.Duration `json:"validIfNotUsedFor,omitempty"`
}
DexIdentityProviderRefreshTokenSpec holds configuration for refresh tokens.
func (*DexIdentityProviderRefreshTokenSpec) DeepCopy ¶
func (in *DexIdentityProviderRefreshTokenSpec) DeepCopy() *DexIdentityProviderRefreshTokenSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DexIdentityProviderRefreshTokenSpec.
func (*DexIdentityProviderRefreshTokenSpec) DeepCopyInto ¶
func (in *DexIdentityProviderRefreshTokenSpec) DeepCopyInto(out *DexIdentityProviderRefreshTokenSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DexIdentityProviderSpec ¶
type DexIdentityProviderSpec struct {
// Image is the Dex IdP image to use.
// Prefer a reference pinned by digest so that the running IdP cannot change
// underneath a mutable tag.
Image string `json:"image"`
// Replicas is the optional number of replicas of the Dex IdP server to run.
// Only supported if using postgresql storage.
Replicas *int32 `json:"replicas,omitempty"`
// ClientCertificateSecretRef is an optional reference to a secret containing a client
// certificate that the operator can use for connecting to the Dex IdP API server.
// NOTE(review): presumably this certificate must chain to the CA referenced by
// GRPC.ClientCASecretRef - confirm.
ClientCertificateSecretRef *reference.LocalSecretReference `json:"clientCertificateSecretRef,omitempty"`
// Issuer is the base path of Dex and the external name of the OpenID
// Connect service. This is the canonical URL that all clients MUST use
// to refer to Dex.
Issuer string `json:"issuer"`
// Storage configures the storage for Dex.
Storage DexIdentityProviderStorageSpec `json:"storage"`
// Web holds configuration for the web server.
Web DexIdentityProviderWebSpec `json:"web"`
// GRPC holds configuration for the gRPC server.
GRPC DexIdentityProviderGRPCSpec `json:"grpc"`
// OAuth2 holds configuration for OAuth2.
OAuth2 *DexIdentityProviderOAuth2Spec `json:"oauth2,omitempty"`
// Expiry holds configuration for tokens, signing keys, etc.
Expiry *DexIdentityProviderExpirySpec `json:"expiry,omitempty"`
// Frontend holds the server's frontend templates and asset configuration.
Frontend *DexIdentityProviderFrontendSpec `json:"frontend,omitempty"`
// Logger holds configuration required to customize logging for dex.
Logger *DexIdentityProviderLoggerSpec `json:"logger,omitempty"`
// Connectors holds configuration for connectors.
// At least one connector is required (MinItems=1 below).
// +kubebuilder:validation:MinItems=1
Connectors []DexIdentityProviderConnectorSpec `json:"connectors"`
// LocalStorage configures local persistent storage for the Dex container.
// This is useful when using a SQLite database.
LocalStorage *DexIdentityProviderLocalStorageSpec `json:"localStorage,omitempty"`
}
DexIdentityProviderSpec defines the desired state of the Dex IdP server.
func (*DexIdentityProviderSpec) DeepCopy ¶
func (in *DexIdentityProviderSpec) DeepCopy() *DexIdentityProviderSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DexIdentityProviderSpec.
func (*DexIdentityProviderSpec) DeepCopyInto ¶
func (in *DexIdentityProviderSpec) DeepCopyInto(out *DexIdentityProviderSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DexIdentityProviderStatus ¶
type DexIdentityProviderStatus struct {
// Phase is the current state of the Dex IdP server.
Phase DexIdentityProviderPhase `json:"phase,omitempty"`
// ObservedGeneration is the most recent generation observed for this DexIdentityProvider by the controller.
ObservedGeneration int64 `json:"observedGeneration,omitempty"`
// Conditions represents the latest available observations of a DexIdentityProvider's current state.
Conditions []metav1.Condition `json:"conditions,omitempty"`
// ClientRefs is a list of clients that are using this DexIdentityProvider.
ClientRefs []api.DexOAuth2ClientReference `json:"clientRefs,omitempty"`
}
DexIdentityProviderStatus defines the observed state of the Dex IdP server.
func (*DexIdentityProviderStatus) DeepCopy ¶
func (in *DexIdentityProviderStatus) DeepCopy() *DexIdentityProviderStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DexIdentityProviderStatus.
func (*DexIdentityProviderStatus) DeepCopyInto ¶
func (in *DexIdentityProviderStatus) DeepCopyInto(out *DexIdentityProviderStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DexIdentityProviderStorageNetworkDBSpec ¶
type DexIdentityProviderStorageNetworkDBSpec struct {
	// Database is the name of the database to connect to.
	Database string `json:"database"`
	// CredentialsSecretRef is a reference to a secret containing the
	// username and password to use for authentication.
	// NOTE(review): reference.LocalSecretReference is declared outside this
	// listing; presumably it resolves only within the resource's own namespace —
	// confirm, so that the controller cannot be used to read secrets elsewhere.
	CredentialsSecretRef reference.LocalSecretReference `json:"credentialsSecretRef"`
	// Host is the host to connect to.
	Host string `json:"host"`
	// Port is the port to connect to.
	// NOTE(review): no range validation marker is visible on this field; values
	// outside 1-65535 are presumably only rejected at connection time — confirm.
	Port int `json:"port"`
	// ConnectionTimeout is the maximum amount of time to wait for a connection to become available.
	ConnectionTimeout *metav1.Duration `json:"connectionTimeout,omitempty"`
	// MaxOpenConns is the maximum number of open connections to the database (default 5).
	MaxOpenConns *int `json:"maxOpenConns,omitempty"`
	// MaxIdleConns is the maximum number of connections in the idle connection pool (default 5).
	MaxIdleConns *int `json:"maxIdleConns,omitempty"`
	// ConnMaxLifetime is the maximum amount of time a connection may be reused (default forever).
	ConnMaxLifetime *metav1.Duration `json:"connMaxLifetime,omitempty"`
	// SSL holds optional TLS configuration for postgres.
	// NOTE(review): what happens when SSL is nil is not visible here; confirm it
	// does not result in an unencrypted or unverified connection carrying the
	// credentials referenced above.
	SSL *DexIdentityProviderStorageSSLSpec `json:"ssl,omitempty"`
}
DexIdentityProviderStorageNetworkDBSpec holds configuration for postgres and mysql storage.
func (*DexIdentityProviderStorageNetworkDBSpec) DeepCopy ¶
func (in *DexIdentityProviderStorageNetworkDBSpec) DeepCopy() *DexIdentityProviderStorageNetworkDBSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DexIdentityProviderStorageNetworkDBSpec.
func (*DexIdentityProviderStorageNetworkDBSpec) DeepCopyInto ¶
func (in *DexIdentityProviderStorageNetworkDBSpec) DeepCopyInto(out *DexIdentityProviderStorageNetworkDBSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DexIdentityProviderStorageSSLSpec ¶
type DexIdentityProviderStorageSSLSpec struct {
	// Mode is the SSL mode to use.
	// NOTE(review): no marker visible here constrains the accepted values, and
	// the default used when empty is not shown. If this maps to the PostgreSQL
	// sslmode setting, only "verify-full" checks both the CA chain and the server
	// hostname, while "require" encrypts without authenticating the server —
	// confirm the mapping and the default.
	Mode string `json:"mode,omitempty"`
	// ServerName ensures that the certificate matches the given hostname the client is connecting to.
	ServerName string `json:"serverName,omitempty"`
	// CASecretRef is an optional reference to a secret containing the CA certificate.
	// NOTE(review): which trust roots apply when this is nil is not visible here — confirm.
	CASecretRef *reference.LocalSecretReference `json:"caSecretRef,omitempty"`
	// ClientCertificateSecretRef is an optional reference to a secret containing the client certificate and key.
	// The referenced secret holds a private key, so access to it should be limited accordingly.
	ClientCertificateSecretRef *reference.LocalSecretReference `json:"clientCertificateSecretRef,omitempty"`
}
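DexIdentityProviderStorageSSLSpec represents SSL options for network databases (it is the type of the SSL field on DexIdentityProviderStorageNetworkDBSpec, documented there as TLS configuration for postgres; etcd is not among the storage types this API accepts).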
func (*DexIdentityProviderStorageSSLSpec) DeepCopy ¶
func (in *DexIdentityProviderStorageSSLSpec) DeepCopy() *DexIdentityProviderStorageSSLSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DexIdentityProviderStorageSSLSpec.
func (*DexIdentityProviderStorageSSLSpec) DeepCopyInto ¶
func (in *DexIdentityProviderStorageSSLSpec) DeepCopyInto(out *DexIdentityProviderStorageSSLSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DexIdentityProviderStorageSpec ¶
// DexIdentityProviderStorageSpec selects the storage type and carries the
// configuration for the sqlite3 and postgres types.
// NOTE(review): nothing visible here enforces that the sub-spec matching Type
// is set, or that the other one is unset; presumably the controller or an
// admission webhook checks this — confirm.
type DexIdentityProviderStorageSpec struct {
	// Type is the storage type to use.
	// +kubebuilder:validation:Enum=memory;sqlite3;postgres
	Type DexIdentityProviderStorageType `json:"type"`
	// Sqlite3 holds the configuration for the sqlite3 storage type.
	Sqlite3 *DexIdentityProviderStorageSqlite3Spec `json:"sqlite3,omitempty"`
	// Postgres holds the configuration for the postgres storage type.
	Postgres *DexIdentityProviderStorageNetworkDBSpec `json:"postgres,omitempty"`
}
func (*DexIdentityProviderStorageSpec) DeepCopy ¶
func (in *DexIdentityProviderStorageSpec) DeepCopy() *DexIdentityProviderStorageSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DexIdentityProviderStorageSpec.
func (*DexIdentityProviderStorageSpec) DeepCopyInto ¶
func (in *DexIdentityProviderStorageSpec) DeepCopyInto(out *DexIdentityProviderStorageSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DexIdentityProviderStorageSqlite3Spec ¶
type DexIdentityProviderStorageSqlite3Spec struct {
	// File is the path to the sqlite3 database file.
	// The LocalStorage field of DexIdentityProviderSpec is documented as useful
	// when using a SQLite database.
	// NOTE(review): presumably the path should sit on that persistent volume and
	// be readable only by the Dex container, since the file holds the server's
	// stored state — confirm.
	File string `json:"file"`
}
DexIdentityProviderStorageSqlite3Spec holds configuration for sqlite3 storage.
func (*DexIdentityProviderStorageSqlite3Spec) DeepCopy ¶
func (in *DexIdentityProviderStorageSqlite3Spec) DeepCopy() *DexIdentityProviderStorageSqlite3Spec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DexIdentityProviderStorageSqlite3Spec.
func (*DexIdentityProviderStorageSqlite3Spec) DeepCopyInto ¶
func (in *DexIdentityProviderStorageSqlite3Spec) DeepCopyInto(out *DexIdentityProviderStorageSqlite3Spec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DexIdentityProviderStorageType ¶
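// DexIdentityProviderStorageType defines the storage type to use.
// Only a subset of the available Dex storage types is supported at the moment.
type DexIdentityProviderStorageType string

// The supported storage types. The string values are the ones listed in the
// Enum validation marker on the Type field of DexIdentityProviderStorageSpec.
const (
	// DexIdentityProviderStorageTypeMemory selects the "memory" storage type.
	DexIdentityProviderStorageTypeMemory DexIdentityProviderStorageType = "memory"
	// DexIdentityProviderStorageTypeSqlite3 selects the "sqlite3" storage type.
	DexIdentityProviderStorageTypeSqlite3 DexIdentityProviderStorageType = "sqlite3"
	// DexIdentityProviderStorageTypePostgres selects the "postgres" storage type.
	DexIdentityProviderStorageTypePostgres DexIdentityProviderStorageType = "postgres"
)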
type DexIdentityProviderWebSpec ¶
type DexIdentityProviderWebSpec struct {
	// HTTP is the address to bind HTTP server to.
	// NOTE(review): an HTTP listener serves the identity provider without
	// transport encryption; presumably intended for use behind a TLS-terminating
	// proxy — confirm deployments do not expose it directly.
	HTTP string `json:"http,omitempty"`
	// HTTPS is the address to bind HTTPS server to.
	HTTPS string `json:"https,omitempty"`
	// CertificateSecretRef is an optional reference to a secret containing the TLS certificate and key
	// to use for HTTPS.
	// NOTE(review): the behavior when HTTPS is set but this reference is nil is
	// not visible here — confirm.
	CertificateSecretRef *reference.LocalSecretReference `json:"certificateSecretRef,omitempty"`
	// AllowedOrigins is a list of allowed origins for CORS requests.
	// NOTE(review): no validation of the entries is visible here; if a wildcard
	// origin is accepted it would allow any site to make CORS requests, so keep
	// the list to the specific origins that need it — confirm.
	AllowedOrigins []string `json:"allowedOrigins,omitempty"`
	// Annotations is an optional map of additional annotations to add to the web server's service.
	Annotations map[string]string `json:"annotations,omitempty"`
}
DexIdentityProviderWebSpec holds configuration for the web server.
func (*DexIdentityProviderWebSpec) DeepCopy ¶
func (in *DexIdentityProviderWebSpec) DeepCopy() *DexIdentityProviderWebSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DexIdentityProviderWebSpec.
func (*DexIdentityProviderWebSpec) DeepCopyInto ¶
func (in *DexIdentityProviderWebSpec) DeepCopyInto(out *DexIdentityProviderWebSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DexOAuth2Client ¶
type DexOAuth2Client struct {
	// TypeMeta and ObjectMeta are the standard Kubernetes type and object metadata.
	metav1.TypeMeta `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// Spec is the desired state of the OAuth2 client.
	Spec DexOAuth2ClientSpec `json:"spec,omitempty"`
	// Status is the observed state of the OAuth2 client.
	Status DexOAuth2ClientStatus `json:"status,omitempty"`
}
DexOAuth2Client is an OAuth2 client registered with Dex. +kubebuilder:object:root=true +kubebuilder:subresource:status +kubebuilder:resource:shortName=oac +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
func (*DexOAuth2Client) DeepCopy ¶
func (in *DexOAuth2Client) DeepCopy() *DexOAuth2Client
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DexOAuth2Client.
func (*DexOAuth2Client) DeepCopyInto ¶
func (in *DexOAuth2Client) DeepCopyInto(out *DexOAuth2Client)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*DexOAuth2Client) DeepCopyObject ¶
func (in *DexOAuth2Client) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type DexOAuth2ClientList ¶
type DexOAuth2ClientList struct {
	// TypeMeta and ListMeta are the standard Kubernetes type and list metadata.
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the DexOAuth2Client objects in the list.
	Items []DexOAuth2Client `json:"items"`
}
DexOAuth2ClientList contains a list of DexOAuth2Client +kubebuilder:object:root=true
func (*DexOAuth2ClientList) DeepCopy ¶
func (in *DexOAuth2ClientList) DeepCopy() *DexOAuth2ClientList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DexOAuth2ClientList.
func (*DexOAuth2ClientList) DeepCopyInto ¶
func (in *DexOAuth2ClientList) DeepCopyInto(out *DexOAuth2ClientList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*DexOAuth2ClientList) DeepCopyObject ¶
func (in *DexOAuth2ClientList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type DexOAuth2ClientPhase ¶
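// DexOAuth2ClientPhase is the type of the Phase field in DexOAuth2ClientStatus.
type DexOAuth2ClientPhase string

// The phases an OAuth2 client can be in. Each constant is declared on its own
// line so that the line comments document the values without swallowing the
// declarations that follow them.
const (
	// DexOAuth2ClientPhasePending indicates that the OAuth2 client is pending.
	DexOAuth2ClientPhasePending DexOAuth2ClientPhase = "Pending"
	// DexOAuth2ClientPhaseReady indicates that the OAuth2 client is ready.
	DexOAuth2ClientPhaseReady DexOAuth2ClientPhase = "Ready"
	// DexOAuth2ClientPhaseFailed indicates that the OAuth2 client has failed.
	DexOAuth2ClientPhaseFailed DexOAuth2ClientPhase = "Failed"
)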
type DexOAuth2ClientSpec ¶
type DexOAuth2ClientSpec struct {
	// IdentityProviderRef is a reference to the identity provider which this
	// client is associated with.
	IdentityProviderRef api.DexIdentityProviderReference `json:"identityProviderRef"`
	// SecretName is the name of the secret that will be created to store the
	// OAuth2 client id and client secret.
	// The resulting secret contains the client secret, so read access to it
	// should be limited to the workload that uses this client.
	// NOTE(review): the behavior when a secret with this name already exists is
	// not visible here — confirm it is not silently overwritten or adopted.
	SecretName string `json:"secretName"`
	// RedirectURIs is a list of allowed redirect URLs for the client.
	// NOTE(review): no format validation marker is visible on this field; the
	// list should contain only exact URLs under the client's control — confirm
	// how entries are matched.
	RedirectURIs []string `json:"redirectURIs,omitempty"`
	// TrustedPeers are a list of peers which can issue tokens on this client's
	// behalf using the dynamic "oauth2:server:client_id:(client_id)" scope.
	// If a peer makes such a request, this client's ID will appear as the ID Token's audience.
	// Each entry therefore extends this client's trust to another client; list
	// only peers that are meant to obtain tokens with this audience.
	TrustedPeers []string `json:"trustedPeers,omitempty"`
	// Public indicates that this client is a public client, such as a mobile app.
	// Public clients must use either a redirectURL 127.0.0.1:X or "urn:ietf:wg:oauth:2.0:oob".
	// NOTE(review): a public client cannot keep a client secret confidential;
	// whether the secret named by SecretName is still created for it is not
	// visible here — confirm.
	Public bool `json:"public,omitempty"`
	// Name is the human-readable name of the client.
	Name string `json:"name,omitempty"`
	// LogoURL is the URL to a logo for the client.
	LogoURL string `json:"logoURL,omitempty"`
}
DexOAuth2ClientSpec defines the desired state of the OAuth2 client.
func (*DexOAuth2ClientSpec) DeepCopy ¶
func (in *DexOAuth2ClientSpec) DeepCopy() *DexOAuth2ClientSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DexOAuth2ClientSpec.
func (*DexOAuth2ClientSpec) DeepCopyInto ¶
func (in *DexOAuth2ClientSpec) DeepCopyInto(out *DexOAuth2ClientSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DexOAuth2ClientStatus ¶
type DexOAuth2ClientStatus struct {
	// Phase is the current phase of the OAuth2 client.
	Phase DexOAuth2ClientPhase `json:"phase,omitempty"`
	// ObservedGeneration is the most recent generation observed for this OAuth2 client by the controller.
	// Comparing it with metadata.generation shows whether the status reflects the latest spec.
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
	// Reason is a human readable message indicating details about why the OAuth2 client is in this condition.
	// NOTE(review): presumably free-form text written by the controller; confirm
	// it never includes secret material, since status is readable by anyone who
	// can read the resource.
	Reason string `json:"reason,omitempty"`
}
DexOAuth2ClientStatus defines the observed state of the OAuth2 client.
func (*DexOAuth2ClientStatus) DeepCopy ¶
func (in *DexOAuth2ClientStatus) DeepCopy() *DexOAuth2ClientStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DexOAuth2ClientStatus.
func (*DexOAuth2ClientStatus) DeepCopyInto ¶
func (in *DexOAuth2ClientStatus) DeepCopyInto(out *DexOAuth2ClientStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.