import * as pulumi from "@pulumi/pulumi"; /** * Creates an OIDC configuration in an OVHcloud Managed Kubernetes cluster. * * ## Example Usage * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as ovh from "@ovhcloud/pulumi-ovh"; * * const myOidc = new ovh.cloudproject.KubeOidc("my_oidc", { * serviceName: projectid, * kubeId: mykube.id, * clientId: "xxx", * issuerUrl: "https://ovh.com", * oidcUsernameClaim: "an-email", * oidcUsernamePrefix: "ovh:", * oidcGroupsClaims: ["groups"], * oidcGroupsPrefix: "ovh:", * oidcRequiredClaims: ["claim1=val1"], * oidcSigningAlgs: ["RS512"], * oidcCaContent: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZhekNDQTFPZ0F3SUJBZ0lVYm9YRkZrL1hCQmdQUUI4UHlqbkttUGVWekNjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1JURUxNQWtHQTFVRUJoTUNRVlV4RXpBUkJnTlZCQWdNQ2xOdmJXVXRVM1JoZEdVeElUQWZCZ05WQkFvTQpHRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MFpEQWVGdzB5TWpFd01UUXdOalE0TlROYUZ3MHlNekV3Ck1UUXdOalE0TlROYU1FVXhDekFKQmdOVkJBWVRBa0ZWTVJNd0VRWURWUVFJREFwVGIyMWxMVk4wWVhSbE1TRXcKSHdZRFZRUUtEQmhKYm5SbGNtNWxkQ0JYYVdSbmFYUnpJRkIwZVNCTWRHUXdnZ0lpTUEwR0NTcUdTSWIzRFFFQgpBUVVBQTRJQ0R3QXdnZ0lLQW9JQ0FRQytPMk53bGx2QTQyT05SUHMyZWlqTUp2UHhpN21RblVSS3FrOHJEV1VkCkwzZU0yM1JXeVhtS1AydDQ5Zi9LVGsweEZNVStOSTUzTEhwWmh6N3NpK3dEUFUvWWZWSS9rQmZsRm8zeVZCMSsKZWdCSnpyNGIrQ3FoaWlCUkh0Vm5LblFKUmdvOVJjVkxhRm82UEY0N1V0UWJ2bWVuNGdERnExVkYwVHhUdnFMdwpIMzRZL0U2QUJsSlZnWFBzaWQzNm54eTErNnlKV05vRXNVekFiekpWMHhzTGhxc2hOazA0TWx4YnBhcG1XcEUxCmFFMHRIZGpjUlI3Y1dTRUUwMnRSQzNYL2tSNjBKb3MxR0N0Y0ZQTTVIN3NjOFBXNFRUem1EWWhOeDRiVjV4T28KU0xYRnI5ajBzZEgxbm1wSlI1dWxJT2dPTWV3MHA2d3JOYVV2MGpxc1hzdVdqMVpxdTRLRi81aEQ3azVhRlhKNQpjYWNTUi9mRWxreW1uZis0eHZFOG8wdkRWNFR5NHo3K3lSS1U0clZvZFNBZWZIN3lqeitLV1RRck96L0lHU2NwCmV1YTdqV0hRMDdMYWxyTjV2b0tFaU1JM3MrWjhzeUdVUGVyYXQwdzJMWlc3NnhxVGl4R002clZxUldxVlQ4L1oKQTJMMEc4WGRvNTZvV2lFYVF5RkJtRDFnMXU2UEsvTmFGVDI1L2tTNWJ1dnF5L1dLVGt0UVNhNHNZc1ZLbUlQTQp0Zys0NUZ2aFErNkRuQzd0TmVnaTZDTkdTb0w0R1dPOEE5UDZRNjE5RkJJZ1VjcGpFMTgvUHpQOEJmcTAxajhnCjZmdm1jNkVPMkxHVHhDcW1DbVp0TnI3OCtQaUxkMHZIY3pqY3E3NzhiNW5WRXRpUVNRQkUyb0ozTVlIZUFIUUkKYVFJREFRQUJvMU13VVRBZEJnTlZIUTRFRmdRVUpaMUhlVmx1U3pjY0U2NEZQYWtuNkRBWnhmSXdId1lEVlIwagpCQmd3Rm9BVUpaMUhlVmx1U3pjY0U2NEZQYWtuNkRBWnhmSXdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txCmhraUc5dzBCQVFzRkFBT0NBZ0VBQlhNSlU2MjJZVFZVNnZ1K2svNnkwMGNaWlRmVnZtdVJMOXhTcWxVM0I1QmQKVWdyVWx1TmdjN2dhUUlrYzkvWmh2MnhNd0xxUldMWEhiTWx1NkNvdkNiVTVpeWt0NHVWMnl5UzlZYWhmVVRNVQo3TVE0WFRta2hoS0dGbWZBQ2QzTUVwRE55T3hmWXh0UVBwM1NZT2IxRGFKMmUwY01Gc081bytORGQ5aFVBVzFoCjFLMjMwQnZzYldYYVo4MStIdTU4U1BsYTM5R3FMTG85MzR6dEs4WkRWNFRGTVJxMnNVQ1cxcWFidDh5ejd2RzAKSGV3dXdxelRwR1lTSFI1U0ZvMm45R0xKVUN4SnhxcDlOWVJjMlhUdXRUdkJESzVPMXFZZEJaQzd6cmcxSnczawp2SjI4UGx2TzBQRE42ZVlUdElJdC9yU05ZbW56eVVNRTRYREt0di9KRitLZWZNSWxDTkpzZDRHYXVTdlo5M1NOClhINmcrNEZvRkp4UzNxRmZ0WEc4czNRNnppNzNLRzh5UHZVNHU0WmZNRGd2aG92L0V5YkNLWUpFdVVZSlJWNGEKbmc3cWh3NDBabXQ0eWNCRzU5a2tFSGhNYWtxTWpPaUNkV2x4MEVjZXIxcEFGT1pqN3o1NktURXIxa0ZwUHVaRApjVER5SnNwTjh6dm9CQ0l1ancvQjR6S3kyWStOQitRR1p3dXhyTk9mRGR6ek9yQUE1Ym9OS2gwUUh4c0RxNTExClFaU3hCR21EcGJzN2QzMUQvQll3WEhIUWdwb3FoVUU5dFBGSThpN0pkM2FyeXZCdHlnTWlxSmt1VlRFVk1Ta0UKNTZ0VnFsMjlXenFhRXNrbDN3VUlmczVKKzN3RzRPcWNxRDdXaGQxWUtnc0VUMjdFTWlqVXZIYzQ4TXE0bU1rPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==", * }); * ``` * * ## Import * * OVHcloud Managed Kubernetes Service cluster OIDC can be imported using the tenant `service_name` and cluster id `kube_id` separated by "/" E.g., * * bash * * ```sh * $ pulumi import ovh:CloudProject/kubeOidc:KubeOidc my-oidc service_name/kube_id * ``` */ export declare class KubeOidc extends pulumi.CustomResource { /** * Get an existing KubeOidc resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input, state?: KubeOidcState, opts?: pulumi.CustomResourceOptions): KubeOidc; /** * Returns true if the given object is an instance of KubeOidc. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is KubeOidc; /** * The OIDC client ID. */ readonly clientId: pulumi.Output; /** * The OIDC issuer url. */ readonly issuerUrl: pulumi.Output; /** * The ID of the managed kubernetes cluster. **Changing this value recreates the resource.** */ readonly kubeId: pulumi.Output; /** * Content of the certificate for the CA, in Base64 format, that signed your identity provider's web certificate. Defaults to the host's root CAs. */ readonly oidcCaContent: pulumi.Output; /** * Array of JWT claim to use as the user's group. If the claim is present it must be an array of strings. */ readonly oidcGroupsClaims: pulumi.Output; /** * Prefix prepended to group claims to prevent clashes with existing names (such as `system:groups`). For example, the value `oidc:` will create group names like `oidc:engineering` and `oidc:infra`. */ readonly oidcGroupsPrefix: pulumi.Output; /** * Array of `key=value` pairs that describe required claims in the ID Token. If set, the claims are verified to be present in the ID Token with a matching value." */ readonly oidcRequiredClaims: pulumi.Output; /** * Array of signing algorithms accepted. Default is `RS256`. */ readonly oidcSigningAlgs: pulumi.Output; /** * JWT claim to use as the username. By default, sub, which is expected to be a unique identifier of the end user. Admins can choose other claims, such as email or name, depending on their provider. However, claims other than email will be prefixed with the issuer URL to prevent naming clashes with other plugins. */ readonly oidcUsernameClaim: pulumi.Output; /** * Prefix prepended to username claims to prevent clashes with existing names (such as `system:users`). For example, the value `oidc:` will create usernames like `oidc:jane.doe`. If this field isn't set and `oidcUsernameClaim` is a value other than email the prefix defaults to `issuerUrl` where `issuerUrl` is the value of `issuer_url.` The value - can be used to disable all prefixing. */ readonly oidcUsernamePrefix: pulumi.Output; /** * The ID of the public cloud project. If omitted, the `OVH_CLOUD_PROJECT_SERVICE` environment variable is used. **Changing this value recreates the resource.** */ readonly serviceName: pulumi.Output; /** * Create a KubeOidc resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: KubeOidcArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering KubeOidc resources. */ export interface KubeOidcState { /** * The OIDC client ID. */ clientId?: pulumi.Input; /** * The OIDC issuer url. */ issuerUrl?: pulumi.Input; /** * The ID of the managed kubernetes cluster. **Changing this value recreates the resource.** */ kubeId?: pulumi.Input; /** * Content of the certificate for the CA, in Base64 format, that signed your identity provider's web certificate. Defaults to the host's root CAs. */ oidcCaContent?: pulumi.Input; /** * Array of JWT claim to use as the user's group. If the claim is present it must be an array of strings. */ oidcGroupsClaims?: pulumi.Input[]>; /** * Prefix prepended to group claims to prevent clashes with existing names (such as `system:groups`). For example, the value `oidc:` will create group names like `oidc:engineering` and `oidc:infra`. */ oidcGroupsPrefix?: pulumi.Input; /** * Array of `key=value` pairs that describe required claims in the ID Token. If set, the claims are verified to be present in the ID Token with a matching value." */ oidcRequiredClaims?: pulumi.Input[]>; /** * Array of signing algorithms accepted. Default is `RS256`. */ oidcSigningAlgs?: pulumi.Input[]>; /** * JWT claim to use as the username. By default, sub, which is expected to be a unique identifier of the end user. Admins can choose other claims, such as email or name, depending on their provider. However, claims other than email will be prefixed with the issuer URL to prevent naming clashes with other plugins. */ oidcUsernameClaim?: pulumi.Input; /** * Prefix prepended to username claims to prevent clashes with existing names (such as `system:users`). For example, the value `oidc:` will create usernames like `oidc:jane.doe`. If this field isn't set and `oidcUsernameClaim` is a value other than email the prefix defaults to `issuerUrl` where `issuerUrl` is the value of `issuer_url.` The value - can be used to disable all prefixing. */ oidcUsernamePrefix?: pulumi.Input; /** * The ID of the public cloud project. If omitted, the `OVH_CLOUD_PROJECT_SERVICE` environment variable is used. **Changing this value recreates the resource.** */ serviceName?: pulumi.Input; } /** * The set of arguments for constructing a KubeOidc resource. */ export interface KubeOidcArgs { /** * The OIDC client ID. */ clientId: pulumi.Input; /** * The OIDC issuer url. */ issuerUrl: pulumi.Input; /** * The ID of the managed kubernetes cluster. **Changing this value recreates the resource.** */ kubeId: pulumi.Input; /** * Content of the certificate for the CA, in Base64 format, that signed your identity provider's web certificate. Defaults to the host's root CAs. */ oidcCaContent?: pulumi.Input; /** * Array of JWT claim to use as the user's group. If the claim is present it must be an array of strings. */ oidcGroupsClaims?: pulumi.Input[]>; /** * Prefix prepended to group claims to prevent clashes with existing names (such as `system:groups`). For example, the value `oidc:` will create group names like `oidc:engineering` and `oidc:infra`. */ oidcGroupsPrefix?: pulumi.Input; /** * Array of `key=value` pairs that describe required claims in the ID Token. If set, the claims are verified to be present in the ID Token with a matching value." */ oidcRequiredClaims?: pulumi.Input[]>; /** * Array of signing algorithms accepted. Default is `RS256`. */ oidcSigningAlgs?: pulumi.Input[]>; /** * JWT claim to use as the username. By default, sub, which is expected to be a unique identifier of the end user. Admins can choose other claims, such as email or name, depending on their provider. However, claims other than email will be prefixed with the issuer URL to prevent naming clashes with other plugins. */ oidcUsernameClaim?: pulumi.Input; /** * Prefix prepended to username claims to prevent clashes with existing names (such as `system:users`). For example, the value `oidc:` will create usernames like `oidc:jane.doe`. If this field isn't set and `oidcUsernameClaim` is a value other than email the prefix defaults to `issuerUrl` where `issuerUrl` is the value of `issuer_url.` The value - can be used to disable all prefixing. */ oidcUsernamePrefix?: pulumi.Input; /** * The ID of the public cloud project. If omitted, the `OVH_CLOUD_PROJECT_SERVICE` environment variable is used. **Changing this value recreates the resource.** */ serviceName?: pulumi.Input; }