From fcb97da7fa0cf2cf294e353c985c845303ce14d3 Mon Sep 17 00:00:00 2001
From: Evan Hearne
Date: Fri, 16 Jan 2026 16:54:57 +0000
Subject: [PATCH 1/7] make multiline comments for oidc one line for better crd gen
---
 config/v1/types_authentication.go | 177 +++++++++++-------------------
 1 file changed, 62 insertions(+), 115 deletions(-)
diff --git a/config/v1/types_authentication.go b/config/v1/types_authentication.go
index e300d4eabc5..534b1cbfe03 100644
--- a/config/v1/types_authentication.go
+++ b/config/v1/types_authentication.go
@@ -199,10 +199,8 @@ const (
 )
 
 type OIDCProvider struct {
- // name is a required field that configures the unique human-readable identifier
- // associated with the identity provider.
- // It is used to distinguish between multiple identity providers
- // and has no impact on token validation or authentication mechanics.
+ // name is a required field that configures the unique human-readable identifier associated with the identity provider.
+ // It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics.
 //
 // name must not be an empty string ("").
 //
@@ -210,15 +208,12 @@ type OIDCProvider struct {
 // +required
 Name string `json:"name"`
 
- // issuer is a required field that configures how the platform interacts
- // with the identity provider and how tokens issued from the identity provider
- // are evaluated by the Kubernetes API server.
+ // issuer is a required field that configures how the platform interacts with the identity provider and how tokens issued from the identity provider are evaluated by the Kubernetes API server.
 //
 // +required
 Issuer TokenIssuer `json:"issuer"`
 
- // oidcClients is an optional field that configures how on-cluster,
- // platform clients should request tokens from the identity provider.
+ // oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider.
 // oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.
 //
 // +listType=map
@@ -228,16 +223,12 @@ type OIDCProvider struct {
 // +optional
 OIDCClients []OIDCClientConfig `json:"oidcClients"`
 
- // claimMappings is a required field that configures the rules to be used by
- // the Kubernetes API server for translating claims in a JWT token, issued
- // by the identity provider, to a cluster identity.
+ // claimMappings is a required field that configures the rules to be used by the Kubernetes API server for translating claims in a JWT token, issued by the identity provider, to a cluster identity.
 //
 // +required
 ClaimMappings TokenClaimMappings `json:"claimMappings"`
 
- // claimValidationRules is an optional field that configures the rules to
- // be used by the Kubernetes API server for validating the claims in a JWT
- // token issued by the identity provider.
+ // claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider.
 //
 // Validation rules are joined via an AND operation.
 //
@@ -245,9 +236,7 @@ type OIDCProvider struct {
 // +optional
 ClaimValidationRules []TokenClaimValidationRule `json:"claimValidationRules,omitempty"`
 
- // userValidationRules is an optional field that configures the set of rules
- // used to validate the cluster user identity that was constructed via
- // mapping token claims to user identity attributes.
+ // userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes.
 // Rules are CEL expressions that must evaluate to 'true' for authentication to succeed.
 // If any rule in the chain of rules evaluates to 'false', authentication will fail.
 // When specified, at least one rule must be specified and no more than 64 rules may be specified.
@@ -266,10 +255,8 @@ type TokenAudience string
 
 // +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="self.?discoveryURL.orValue(\"\").size() > 0 ? (self.issuerURL.size() == 0 || self.discoveryURL.find('^.+[^/]') != self.issuerURL.find('^.+[^/]')) : true",message="discoveryURL must be different from issuerURL"
 type TokenIssuer struct {
- // issuerURL is a required field that configures the URL used to issue tokens
- // by the identity provider.
- // The Kubernetes API server determines how authentication tokens should be handled
- // by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.
+ // issuerURL is a required field that configures the URL used to issue tokens by the identity provider.
+ // The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.
 //
 // Must be at least 1 character and must not exceed 512 characters in length.
 // Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.
@@ -284,8 +271,7 @@ type TokenIssuer struct {
 // +required
 URL string `json:"issuerURL"`
 
- // audiences is a required field that configures the acceptable audiences
- // the JWT token, issued by the identity provider, must be issued to.
+ // audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to.
 // At least one of the entries must match the 'aud' claim in the JWT token.
 //
 // audiences must contain at least one entry and must not exceed ten entries.
@@ -296,24 +282,17 @@ type TokenIssuer struct { // +required Audiences []TokenAudience `json:"audiences"` - // issuerCertificateAuthority is an optional field that configures the - // certificate authority, used by the Kubernetes API server, to validate - // the connection to the identity provider when fetching discovery information. + // issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. // // When not specified, the system trust is used. // - // When specified, it must reference a ConfigMap in the openshift-config - // namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - // key in the data field of the ConfigMap. + // When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. // // +optional CertificateAuthority ConfigMapNameReference `json:"issuerCertificateAuthority"` - // discoveryURL is an optional field that, if specified, overrides the default discovery endpoint - // used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` - // as "{issuerURL}/.well-known/openid-configuration". + // discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". // - // The discoveryURL must be a valid absolute HTTPS URL. It must not contain query - // parameters, user information, or fragments. Additionally, it must differ from the value of `url` (ignoring trailing slashes). + // The discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. 
Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). // The discoveryURL value must be at least 1 character long and no longer than 2048 characters. // // +optional 
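Review bot: The issuerCertificateAuthority text still says the bundle is used only "when fetching discovery information", while the discoveryURL paragraph in the same hunk lets that fetch target an endpoint other than issuerURL; the comment does not say whether the bundle also covers a discoveryURL host, or any endpoint the discovery document points to, and an admin deciding what to put in the ConfigMap needs exactly that. If the bundle applies to every TLS connection the API server makes for this provider, say so, e.g. `// The bundle is used for the discovery request (issuerURL or discoveryURL) and for any endpoints the discovery document points to.`; I cannot confirm the real scope from this hunk, so check the controller before wording it. The `url` to `issuerURL` correction in the discoveryURL paragraph is a good catch and matches the CEL message "discoveryURL must be different from issuerURL" above. TokenIssuer's definition continues outside the hunk.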
@@ -329,39 +308,36 @@ type TokenIssuer struct {
 }
 
 type TokenClaimMappings struct {
- // username is a required field that configures how the username of a cluster identity
- // should be constructed from the claims in a JWT token issued by the identity provider.
+ // username is a required field that configures how the username of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.
 //
 // +required
 Username UsernameClaimMapping `json:"username"`
 
- // groups is an optional field that configures how the groups of a cluster identity
- // should be constructed from the claims in a JWT token issued
- // by the identity provider.
- // When referencing a claim, if the claim is present in the JWT
- // token, its value must be a list of groups separated by a comma (',').
+ // groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.
+ //
+ // When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (',').
+ //
 // For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values.
 //
 // +optional
 Groups PrefixedClaimMapping `json:"groups,omitempty"`
 
- // uid is an optional field for configuring the claim mapping
- // used to construct the uid for the cluster identity.
+ // uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity.
 //
 // When using uid.claim to specify the claim it must be a single string value.
 // When using uid.expression the expression must result in a single string value.
 //
- // When omitted, this means the user has no opinion and the platform
- // is left to choose a default, which is subject to change over time.
+ // When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time.
+ //
 // The current default is to use the 'sub' claim.
 //
 // +optional
 // +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings
 UID *TokenClaimOrExpressionMapping `json:"uid,omitempty"`
 
- // extra is an optional field for configuring the mappings
- // used to construct the extra attribute for the cluster identity.
+ // extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity.
 // When omitted, no extra attributes will be present on the cluster identity.
+ //
 // key values for extra mappings must be unique.
 // A maximum of 32 extra attribute mappings may be provided.
 //
@@ -493,8 +469,8 @@ type ExtraMapping struct {
 // interact with identity providers as an authentication
 // method
 type OIDCClientConfig struct {
- // componentName is a required field that specifies the name of the platform
- // component being configured to use the identity provider as an authentication mode.
+ // componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode.
+ //
 // It is used in combination with componentNamespace as a unique identifier.
 //
 // componentName must not be an empty string ("") and must not exceed 256 characters in length.
@@ -504,9 +480,8 @@ type OIDCClientConfig struct {
 // +required
 ComponentName string `json:"componentName"`
 
- // componentNamespace is a required field that specifies the namespace in which the
- // platform component being configured to use the identity provider as an authentication
- // mode is running.
+ // componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running.
+ //
 // It is used in combination with componentName as a unique identifier.
 //
 // componentNamespace must not be an empty string ("") and must not exceed 63 characters in length.
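Review bot: The groups paragraph now puts the rule ("its value must be a list of groups separated by a comma (',')") and the example `'"exampleOne", "exampleTwo", "exampleThree"'` in separate paragraphs, and the example is ambiguous on its own: the quoted items read like JSON array elements, while the sentence describes a single comma-separated string. State which shape the API server accepts (I cannot tell from this hunk) and keep the example next to the rule, e.g. drop the second added `+ //` blank line before `For example`. TokenClaimMappings' definition continues outside the hunk.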
@@ -516,11 +491,8 @@ type OIDCClientConfig struct {
 // +required
 ComponentNamespace string `json:"componentNamespace"`
 
- // clientID is a required field that configures the client identifier, from
- // the identity provider, that the platform component uses for authentication
- // requests made to the identity provider.
- // The identity provider must accept this identifier for platform components
- // to be able to use the identity provider as an authentication mode.
+ // clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider.
+ // The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode.
 //
 // clientID must not be an empty string ("").
 //
@@ -528,27 +500,21 @@ type OIDCClientConfig struct {
 // +required
 ClientID string `json:"clientID"`
 
- // clientSecret is an optional field that configures the client secret used
- // by the platform component when making authentication requests to the identity provider.
+ // clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.
+ //
+ // When not specified, no client secret will be used when making authentication requests to the identity provider.
 //
- // When not specified, no client secret will be used when making authentication requests
- // to the identity provider.
+ // When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field.
 //
- // When specified, clientSecret references a Secret in the 'openshift-config'
- // namespace that contains the client secret in the 'clientSecret' key of the '.data' field.
 // The client secret will be used when making authentication requests to the identity provider.
 //
- // Public clients do not require a client secret but private
- // clients do require a client secret to work with the identity provider.
+ // Public clients do not require a client secret but private clients do require a client secret to work with the identity provider.
 //
 // +optional
 ClientSecret SecretNameReference `json:"clientSecret"`
 
- // extraScopes is an optional field that configures the extra scopes that should
- // be requested by the platform component when making authentication requests to the
- // identity provider.
- // This is useful if you have configured claim mappings that requires specific
- // scopes to be requested beyond the standard OIDC scopes.
+ // extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider.
+ // This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes.
 //
 // When omitted, no additional scopes are requested.
 //
@@ -561,8 +527,7 @@ type OIDCClientConfig struct {
 // of platform components and how they interact with
 // the configured identity providers.
 type OIDCClientStatus struct {
- // componentName is a required field that specifies the name of the platform
- // component using the identity provider as an authentication mode.
+ // componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode.
 // It is used in combination with componentNamespace as a unique identifier.
 //
 // componentName must not be an empty string ("") and must not exceed 256 characters in length.
@@ -572,9 +537,8 @@ type OIDCClientStatus struct {
 // +required
 ComponentName string `json:"componentName"`
 
- // componentNamespace is a required field that specifies the namespace in which the
- // platform component using the identity provider as an authentication
- // mode is running.
+ // componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running.
+ //
 // It is used in combination with componentName as a unique identifier.
 //
 // componentNamespace must not be an empty string ("") and must not exceed 63 characters in length.
@@ -585,6 +549,7 @@ type OIDCClientStatus struct {
 ComponentNamespace string `json:"componentNamespace"`
 
 // currentOIDCClients is an optional list of clients that the component is currently using.
+ //
 // Entries must have unique issuerURL/clientID pairs.
 //
 // +listType=map
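Review bot: The reflow leaves `The client secret will be used when making authentication requests to the identity provider.` as a one-sentence paragraph of its own, split by a blank `//` from the "When specified, clientSecret references a Secret..." sentence it used to complete; read on its own it now contradicts the "When not specified, no client secret will be used" paragraph two lines above. Either drop that blank `//` or fold the sentence back, e.g. `// When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field, and that secret is used when making authentication requests to the identity provider.` OIDCClientConfig's definition starts outside this hunk.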
@@ -593,8 +558,7 @@ type OIDCClientStatus struct {
 // +optional
 CurrentOIDCClients []OIDCClientReference `json:"currentOIDCClients"`
 
- // consumingUsers is an optional list of ServiceAccounts requiring
- // read permissions on the `clientSecret` secret.
+ // consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret.
 //
 // consumingUsers must not exceed 5 entries.
 //
@@ -620,8 +584,7 @@ type OIDCClientStatus struct {
 // OIDCClientReference is a reference to a platform component
 // client configuration.
 type OIDCClientReference struct {
- // oidcProviderName is a required reference to the 'name' of the identity provider
- // configured in 'oidcProviders' that this client is associated with.
+ // oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with.
 //
 // oidcProviderName must not be an empty string ("").
 //
@@ -629,8 +592,7 @@ type OIDCClientReference struct {
 // +required
 OIDCProviderName string `json:"oidcProviderName"`
 
- // issuerURL is a required field that specifies the URL of the identity
- // provider that this client is configured to make requests against.
+ // issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against.
 //
 // issuerURL must use the 'https' scheme.
 //
@@ -638,9 +600,7 @@ type OIDCClientReference struct {
 // +required
 IssuerURL string `json:"issuerURL"`
 
- // clientID is a required field that specifies the client identifier, from
- // the identity provider, that the platform component is using for authentication
- // requests made to the identity provider.
+ // clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider.
 //
 // clientID must not be empty.
 //
@@ -652,9 +612,7 @@ type OIDCClientReference struct {
 // +kubebuilder:validation:XValidation:rule="has(self.prefixPolicy) && self.prefixPolicy == 'Prefix' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)",message="prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise"
 // +union
 type UsernameClaimMapping struct {
- // claim is a required field that configures the JWT token
- // claim whose value is assigned to the cluster identity
- // field associated with this mapping.
+ // claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.
 //
 // claim must not be an empty string ("") and must not exceed 256 characters.
 //
@@ -663,23 +621,21 @@ type UsernameClaimMapping struct {
 // +kubebuilder:validation:MaxLength:=256
 Claim string `json:"claim"`
 
- // prefixPolicy is an optional field that configures how a prefix should be
- // applied to the value of the JWT claim specified in the 'claim' field.
+ // prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.
 //
 // Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).
 //
- // When set to 'Prefix', the value specified in the prefix field will be
- // prepended to the value of the JWT claim.
+ // When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim.
+ //
 // The prefix field must be set when prefixPolicy is 'Prefix'.
 //
- // When set to 'NoPrefix', no prefix will be prepended to the value
- // of the JWT claim.
+ // When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.
+ //
+ // When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time.
+ // Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'.
 //
- // When omitted, this means no opinion and the platform is left to choose
- // any prefixes that are applied which is subject to change over time.
- // Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim
- // when the claim is not 'email'.
 // As an example, consider the following scenario:
+ //
 // `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,
 // the JWT claims include "username":"userA" and "email":"userA@myoidc.tld",
 // and `claim` is set to:
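Review bot: The added blank `//` after `As an example, consider the following scenario:` separates the colon lead-in from the example lines that follow it, and the regenerated CRD in the second patch renders that as a paragraph break in the middle of the sentence; drop that one `+ //` line. While here, the 'NoPrefix' paragraph is the one with security consequences, since an unprefixed claim value can collide with identities from another configured provider or with built-in `system:` names, and the comment gives no hint of it; consider adding `// Use 'NoPrefix' only when the claim values cannot collide with identities from other providers or with system users.` This collision caveat is the usual one for username prefixes rather than something visible in this hunk, so confirm it matches the authenticator's behaviour before wording it. The example continues outside the hunk.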
@@ -691,8 +647,7 @@ type UsernameClaimMapping struct {
 // +unionDiscriminator
 PrefixPolicy UsernamePrefixPolicy `json:"prefixPolicy"`
 
- // prefix configures the prefix that should be prepended to the value
- // of the JWT claim.
+ // prefix configures the prefix that should be prepended to the value of the JWT claim.
 //
 // prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise.
 //
@@ -701,9 +656,7 @@ type UsernameClaimMapping struct {
 Prefix *UsernamePrefix `json:"prefix"`
 }
 
-// UsernamePrefixPolicy configures how prefixes should be applied
-// to values extracted from the JWT claims during the process of mapping
-// JWT claims to cluster identity attributes.
+// UsernamePrefixPolicy configures how prefixes should be applied to values extracted from the JWT claims during the process of mapping JWT claims to cluster identity attributes.
 // +enum
 type UsernamePrefixPolicy string
 
@@ -780,19 +733,14 @@ type TokenClaimValidationRule struct {
 //
 // Allowed values are "RequiredClaim" and "CEL".
 //
- // When set to 'RequiredClaim', the Kubernetes API server will be configured
- // to validate that the incoming JWT contains the required claim and that its
- // value matches the required value.
+ // When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.
 //
- // When set to 'CEL', the Kubernetes API server will be configured
- // to validate the incoming JWT against the configured CEL expression.
+ // When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression.
 // +required
 Type TokenValidationRuleType `json:"type"`
 
 // requiredClaim allows configuring a required claim name and its expected value.
- // This field is required when `type` is set to RequiredClaim, and must be omitted
- // when `type` is set to any other value. The Kubernetes API server uses this field
- // to validate if an incoming JWT is valid for this identity provider.
+ // This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.
 //
 // +optional
 RequiredClaim *TokenRequiredClaim `json:"requiredClaim,omitempty"`
@@ -848,8 +796,8 @@ type TokenClaimValidationCELRule struct {
 // TokenUserValidationRule provides a CEL-based rule used to validate a token subject.
 // Each rule contains a CEL expression that is evaluated against the token’s claims.
 type TokenUserValidationRule struct {
- // expression is a required CEL expression that performs a validation
- // on cluster user identity attributes like username, groups, etc.
+ // expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc.
+ //
 // The expression must evaluate to a boolean value.
 // When the expression evaluates to 'true', the cluster user identity is considered valid.
 // When the expression evaluates to 'false', the cluster user identity is not considered valid.
@@ -859,8 +807,7 @@ type TokenUserValidationRule struct {
 // +kubebuilder:validation:MinLength=1
 // +kubebuilder:validation:MaxLength=1024
 Expression string `json:"expression,omitempty"`
- // message is a required human-readable message to be logged by the Kubernetes API server
- // if the CEL expression defined in 'expression' fails.
+ // message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails.
 // message must be at least 1 character in length and must not exceed 256 characters.
 // +required
 // +kubebuilder:validation:MinLength=1
From 4a7905143c671eb9353f406106a03f6a674d40d5 Mon Sep 17 00:00:00 2001
From: Evan Hearne Date: Mon, 19 Jan 2026 09:26:22 +0000 Subject: [PATCH 2/7] update codegen --- ...1_authentications-CustomNoUpgrade.crd.yaml | 185 +++++++----------- ...erator_01_authentications-Default.crd.yaml | 167 ++++++---------- ...thentications-DevPreviewNoUpgrade.crd.yaml | 185 +++++++----------- ...g-operator_01_authentications-OKD.crd.yaml | 167 ++++++---------- ...hentications-TechPreviewNoUpgrade.crd.yaml | 185 +++++++----------- .../ExternalOIDC.yaml | 156 ++++++--------- ...ernalOIDCWithUIDAndExtraClaimMappings.yaml | 167 ++++++---------- .../ExternalOIDCWithUpstreamParity.yaml | 152 ++++++-------- .../v1/zz_generated.swagger_doc_generated.go | 22 +-- .../generated_openapi/zz_generated.openapi.go | 22 +-- 10 files changed, 540 insertions(+), 868 deletions(-) diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml index 7476fd46552..2f2cf94925d 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml 
@@ -79,16 +79,16 @@ spec: items: properties: claimMappings: - description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + description: claimMappings is a required field that configures + the rules to be used by the Kubernetes API server for translating + claims in a JWT token, issued by the identity provider, to + a cluster identity. properties: extra: description: |- - extra is an optional field for configuring the mappings - used to construct the extra attribute for the cluster identity. + extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided. items: @@ -187,11 +187,10 @@ spec: x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). + groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. + + When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: 
@@ -217,14 +216,13 @@ spec: type: object uid: description: |- - uid is an optional field for configuring the claim mapping - used to construct the uid for the cluster identity. + uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. When using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value. - When omitted, this means the user has no opinion and the platform - is left to choose a default, which is subject to change over time. + When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. properties: claim: @@ -266,15 +264,14 @@ spec: set rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: - description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + description: username is a required field that configures + how the username of a cluster identity should be constructed + from the claims in a JWT token issued by the identity + provider. properties: claim: description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 
@@ -282,8 +279,7 @@ spec: type: string prefix: description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. + prefix configures the prefix that should be prepended to the value of the JWT claim. prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: @@ -301,23 +297,21 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. + prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. + When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. + When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", and `claim` is set to: 
@@ -342,9 +336,7 @@ spec: type: object claimValidationRules: description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. + claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. Validation rules are joined via an AND operation. items: @@ -381,9 +373,7 @@ spec: requiredClaim: description: |- requiredClaim allows configuring a required claim name and its expected value. - This field is required when `type` is set to RequiredClaim, and must be omitted - when `type` is set to any other value. The Kubernetes API server uses this field - to validate if an incoming JWT is valid for this identity provider. + This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. properties: claim: description: |- @@ -413,12 +403,9 @@ spec: Allowed values are "RequiredClaim" and "CEL". - When set to 'RequiredClaim', the Kubernetes API server will be configured - to validate that the incoming JWT contains the required claim and that its - value matches the required value. + When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. - When set to 'CEL', the Kubernetes API server will be configured - to validate the incoming JWT against the configured CEL expression. + When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. enum: - RequiredClaim - CEL 
@@ -438,15 +425,14 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer is a required field that configures how + the platform interacts with the identity provider and how + tokens issued from the identity provider are evaluated by + the Kubernetes API server. properties: audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. + audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token. audiences must contain at least one entry and must not exceed ten entries. 
@@ -459,12 +445,9 @@ spec: x-kubernetes-list-type: set discoveryURL: description: |- - discoveryURL is an optional field that, if specified, overrides the default discovery endpoint - used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` - as "{issuerURL}/.well-known/openid-configuration". + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". - The discoveryURL must be a valid absolute HTTPS URL. It must not contain query - parameters, user information, or fragments. Additionally, it must differ from the value of `url` (ignoring trailing slashes). + The discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters. maxLength: 2048 minLength: 1 
@@ -482,15 +465,11 @@ spec: rule: '!self.matches(''^https://.+:.+@.+/.*$'')' issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. + issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. When not specified, the system trust is used. - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -501,10 +480,8 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + issuerURL is a required field that configures the URL used to issue tokens by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. Must be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. 
@@ -533,18 +510,15 @@ spec: : true' name: description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. + name is a required field that configures the unique human-readable identifier associated with the identity provider. + It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. + oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: description: |- 
@@ -554,29 +528,23 @@ spec: properties: clientID: description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. + clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. + The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. + clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. - When not specified, no client secret will be used when making authentication requests - to the identity provider. + When not specified, no client secret will be used when making authentication requests to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider. - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. 
+ Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -587,8 +555,8 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -597,9 +565,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
@@ -608,11 +575,8 @@ spec: type: string extraScopes: description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. + extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. + This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. When omitted, no additional scopes are requested. items: @@ -632,9 +596,7 @@ spec: x-kubernetes-list-type: map userValidationRules: description: |- - userValidationRules is an optional field that configures the set of rules - used to validate the cluster user identity that was constructed via - mapping token claims to user identity attributes. + userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. If any rule in the chain of rules evaluates to 'false', authentication will fail. When specified, at least one rule must be specified and no more than 64 rules may be specified. 
@@ -645,8 +607,8 @@ spec: properties: expression: description: |- - expression is a required CEL expression that performs a validation - on cluster user identity attributes like username, groups, etc. + expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc. + The expression must evaluate to a boolean value. When the expression evaluates to 'true', the cluster user identity is considered valid. When the expression evaluates to 'false', the cluster user identity is not considered valid. @@ -656,8 +618,7 @@ spec: type: string message: description: |- - message is a required human-readable message to be logged by the Kubernetes API server - if the CEL expression defined in 'expression' fails. + message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters. maxLength: 256 minLength: 1 @@ -804,8 +765,7 @@ spec: properties: componentName: description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. 
@@ -814,9 +774,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. @@ -893,8 +852,7 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. consumingUsers must not exceed 5 entries. items: @@ -910,6 +868,7 @@ spec: currentOIDCClients: description: |- currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: description: |- 
@@ -918,25 +877,21 @@ spec: properties: clientID: description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. + clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. + issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. + oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. oidcProviderName must not be an empty string (""). minLength: 1 diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml index 5d93d98cc1b..feedd9fd6c6 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml 
@@ -79,16 +79,16 @@ spec: items: properties: claimMappings: - description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + description: claimMappings is a required field that configures + the rules to be used by the Kubernetes API server for translating + claims in a JWT token, issued by the identity provider, to + a cluster identity. properties: extra: description: |- - extra is an optional field for configuring the mappings - used to construct the extra attribute for the cluster identity. + extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided. items: @@ -187,11 +187,10 @@ spec: x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). + groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. + + When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: 
@@ -217,14 +216,13 @@ spec: type: object uid: description: |- - uid is an optional field for configuring the claim mapping - used to construct the uid for the cluster identity. + uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. When using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value. - When omitted, this means the user has no opinion and the platform - is left to choose a default, which is subject to change over time. + When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. properties: claim: @@ -266,15 +264,14 @@ spec: set rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: - description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + description: username is a required field that configures + how the username of a cluster identity should be constructed + from the claims in a JWT token issued by the identity + provider. properties: claim: description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 
@@ -282,8 +279,7 @@ spec: type: string prefix: description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. + prefix configures the prefix that should be prepended to the value of the JWT claim. prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: @@ -301,23 +297,21 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. + prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. + When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. + When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", and `claim` is set to: 
@@ -342,9 +336,7 @@ spec: type: object claimValidationRules: description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. + claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. Validation rules are joined via an AND operation. items: @@ -356,9 +348,7 @@ spec: requiredClaim: description: |- requiredClaim allows configuring a required claim name and its expected value. - This field is required when `type` is set to RequiredClaim, and must be omitted - when `type` is set to any other value. The Kubernetes API server uses this field - to validate if an incoming JWT is valid for this identity provider. + This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. properties: claim: description: |- @@ -388,12 +378,9 @@ spec: Allowed values are "RequiredClaim" and "CEL". - When set to 'RequiredClaim', the Kubernetes API server will be configured - to validate that the incoming JWT contains the required claim and that its - value matches the required value. + When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. - When set to 'CEL', the Kubernetes API server will be configured - to validate the incoming JWT against the configured CEL expression. + When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. enum: - RequiredClaim type: string 
@@ -408,15 +395,14 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer is a required field that configures how + the platform interacts with the identity provider and how + tokens issued from the identity provider are evaluated by + the Kubernetes API server. properties: audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. + audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token. audiences must contain at least one entry and must not exceed ten entries. 
@@ -429,15 +415,11 @@ spec: x-kubernetes-list-type: set issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. + issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. When not specified, the system trust is used. - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -448,10 +430,8 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + issuerURL is a required field that configures the URL used to issue tokens by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. Must be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. 
@@ -475,18 +455,15 @@ spec: type: object name: description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. + name is a required field that configures the unique human-readable identifier associated with the identity provider. + It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. + oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: description: |- 
@@ -496,29 +473,23 @@ spec: properties: clientID: description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. + clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. + The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. + clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests to the identity provider. - When not specified, no client secret will be used when making authentication requests - to the identity provider. + When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider. - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. 
+ Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -529,8 +500,8 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -539,9 +510,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
@@ -550,11 +520,8 @@ spec: type: string extraScopes: description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. + extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. + This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. When omitted, no additional scopes are requested. items: @@ -704,8 +671,7 @@ spec: properties: componentName: description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -714,9 +680,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
@@ -793,8 +758,7 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. consumingUsers must not exceed 5 entries. items: @@ -810,6 +774,7 @@ spec: currentOIDCClients: description: |- currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: description: |- @@ -818,25 +783,21 @@ spec: properties: clientID: description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. + clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. + issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. + oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. oidcProviderName must not be an empty string (""). minLength: 1 
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml index 1a6afefa6a3..0fc75effce1 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml @@ -79,16 +79,16 @@ spec: items: properties: claimMappings: - description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + description: claimMappings is a required field that configures + the rules to be used by the Kubernetes API server for translating + claims in a JWT token, issued by the identity provider, to + a cluster identity. properties: extra: description: |- - extra is an optional field for configuring the mappings - used to construct the extra attribute for the cluster identity. + extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided. items: 
@@ -187,11 +187,10 @@ spec: x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). + groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. + + When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: @@ -217,14 +216,13 @@ spec: type: object uid: description: |- - uid is an optional field for configuring the claim mapping - used to construct the uid for the cluster identity. + uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. When using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value. - When omitted, this means the user has no opinion and the platform - is left to choose a default, which is subject to change over time. + When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. properties: claim: 
@@ -266,15 +264,14 @@ spec: set rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: - description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + description: username is a required field that configures + how the username of a cluster identity should be constructed + from the claims in a JWT token issued by the identity + provider. properties: claim: description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 @@ -282,8 +279,7 @@ spec: type: string prefix: description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. + prefix configures the prefix that should be prepended to the value of the JWT claim. prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: 
@@ -301,23 +297,21 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. + prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. + When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. + When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", and `claim` is set to: 
@@ -342,9 +336,7 @@ spec: type: object claimValidationRules: description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. + claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. Validation rules are joined via an AND operation. items: @@ -381,9 +373,7 @@ spec: requiredClaim: description: |- requiredClaim allows configuring a required claim name and its expected value. - This field is required when `type` is set to RequiredClaim, and must be omitted - when `type` is set to any other value. The Kubernetes API server uses this field - to validate if an incoming JWT is valid for this identity provider. + This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. properties: claim: description: |- @@ -413,12 +403,9 @@ spec: Allowed values are "RequiredClaim" and "CEL". - When set to 'RequiredClaim', the Kubernetes API server will be configured - to validate that the incoming JWT contains the required claim and that its - value matches the required value. + When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. - When set to 'CEL', the Kubernetes API server will be configured - to validate the incoming JWT against the configured CEL expression. + When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. enum: - RequiredClaim - CEL 
@@ -438,15 +425,14 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer is a required field that configures how + the platform interacts with the identity provider and how + tokens issued from the identity provider are evaluated by + the Kubernetes API server. properties: audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. + audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token. audiences must contain at least one entry and must not exceed ten entries. 
@@ -459,12 +445,9 @@ spec: x-kubernetes-list-type: set discoveryURL: description: |- - discoveryURL is an optional field that, if specified, overrides the default discovery endpoint - used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` - as "{issuerURL}/.well-known/openid-configuration". + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". - The discoveryURL must be a valid absolute HTTPS URL. It must not contain query - parameters, user information, or fragments. Additionally, it must differ from the value of `url` (ignoring trailing slashes). + The discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters. maxLength: 2048 minLength: 1 
@@ -482,15 +465,11 @@ spec: rule: '!self.matches(''^https://.+:.+@.+/.*$'')' issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. + issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. When not specified, the system trust is used. - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -501,10 +480,8 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + issuerURL is a required field that configures the URL used to issue tokens by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. Must be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. 
@@ -533,18 +510,15 @@ spec: : true' name: description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. + name is a required field that configures the unique human-readable identifier associated with the identity provider. + It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. + oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: description: |- 
@@ -554,29 +528,23 @@ spec: properties: clientID: description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. + clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. + The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. + clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. - When not specified, no client secret will be used when making authentication requests - to the identity provider. + When not specified, no client secret will be used when making authentication requests to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider. - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. 
+ Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -587,8 +555,8 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -597,9 +565,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
@@ -608,11 +575,8 @@ spec: type: string extraScopes: description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. + extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. + This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. When omitted, no additional scopes are requested. items: @@ -632,9 +596,7 @@ spec: x-kubernetes-list-type: map userValidationRules: description: |- - userValidationRules is an optional field that configures the set of rules - used to validate the cluster user identity that was constructed via - mapping token claims to user identity attributes. + userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. If any rule in the chain of rules evaluates to 'false', authentication will fail. When specified, at least one rule must be specified and no more than 64 rules may be specified. 
@@ -645,8 +607,8 @@ spec: properties: expression: description: |- - expression is a required CEL expression that performs a validation - on cluster user identity attributes like username, groups, etc. + expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc. + The expression must evaluate to a boolean value. When the expression evaluates to 'true', the cluster user identity is considered valid. When the expression evaluates to 'false', the cluster user identity is not considered valid. @@ -656,8 +618,7 @@ spec: type: string message: description: |- - message is a required human-readable message to be logged by the Kubernetes API server - if the CEL expression defined in 'expression' fails. + message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters. maxLength: 256 minLength: 1 @@ -804,8 +765,7 @@ spec: properties: componentName: description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. 
@@ -814,9 +774,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. @@ -893,8 +852,7 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. consumingUsers must not exceed 5 entries. items: @@ -910,6 +868,7 @@ spec: currentOIDCClients: description: |- currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: description: |- 
@@ -918,25 +877,21 @@ spec: properties: clientID: description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. + clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. + issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. + oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. oidcProviderName must not be an empty string (""). minLength: 1 diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml index 5233cc52fa1..aed5298c33d 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml 
@@ -79,16 +79,16 @@ spec: items: properties: claimMappings: - description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + description: claimMappings is a required field that configures + the rules to be used by the Kubernetes API server for translating + claims in a JWT token, issued by the identity provider, to + a cluster identity. properties: extra: description: |- - extra is an optional field for configuring the mappings - used to construct the extra attribute for the cluster identity. + extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided. items: @@ -187,11 +187,10 @@ spec: x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). + groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. + + When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: 
@@ -217,14 +216,13 @@ spec: type: object uid: description: |- - uid is an optional field for configuring the claim mapping - used to construct the uid for the cluster identity. + uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. When using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value. - When omitted, this means the user has no opinion and the platform - is left to choose a default, which is subject to change over time. + When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. properties: claim: @@ -266,15 +264,14 @@ spec: set rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: - description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + description: username is a required field that configures + how the username of a cluster identity should be constructed + from the claims in a JWT token issued by the identity + provider. properties: claim: description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 
@@ -282,8 +279,7 @@ spec: type: string prefix: description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. + prefix configures the prefix that should be prepended to the value of the JWT claim. prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: @@ -301,23 +297,21 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. + prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. + When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. + When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", and `claim` is set to: 
@@ -342,9 +336,7 @@ spec: type: object claimValidationRules: description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. + claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. Validation rules are joined via an AND operation. items: @@ -356,9 +348,7 @@ spec: requiredClaim: description: |- requiredClaim allows configuring a required claim name and its expected value. - This field is required when `type` is set to RequiredClaim, and must be omitted - when `type` is set to any other value. The Kubernetes API server uses this field - to validate if an incoming JWT is valid for this identity provider. + This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. properties: claim: description: |- @@ -388,12 +378,9 @@ spec: Allowed values are "RequiredClaim" and "CEL". - When set to 'RequiredClaim', the Kubernetes API server will be configured - to validate that the incoming JWT contains the required claim and that its - value matches the required value. + When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. - When set to 'CEL', the Kubernetes API server will be configured - to validate the incoming JWT against the configured CEL expression. + When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. enum: - RequiredClaim type: string 
@@ -408,15 +395,14 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer is a required field that configures how + the platform interacts with the identity provider and how + tokens issued from the identity provider are evaluated by + the Kubernetes API server. properties: audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. + audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token. audiences must contain at least one entry and must not exceed ten entries. 
@@ -429,15 +415,11 @@ spec: x-kubernetes-list-type: set issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. + issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. When not specified, the system trust is used. - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -448,10 +430,8 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + issuerURL is a required field that configures the URL used to issue tokens by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. Must be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. 
@@ -475,18 +455,15 @@ spec: type: object name: description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. + name is a required field that configures the unique human-readable identifier associated with the identity provider. + It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. + oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: description: |- 
@@ -496,29 +473,23 @@ spec: properties: clientID: description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. + clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. + The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. + clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests to the identity provider. - When not specified, no client secret will be used when making authentication requests - to the identity provider. + When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider. - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. 
+ Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -529,8 +500,8 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -539,9 +510,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
@@ -550,11 +520,8 @@ spec: type: string extraScopes: description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. + extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. + This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. When omitted, no additional scopes are requested. items: @@ -704,8 +671,7 @@ spec: properties: componentName: description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -714,9 +680,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
@@ -793,8 +758,7 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. consumingUsers must not exceed 5 entries. items: @@ -810,6 +774,7 @@ spec: currentOIDCClients: description: |- currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: description: |- @@ -818,25 +783,21 @@ spec: properties: clientID: description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. + clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. + issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. + oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. oidcProviderName must not be an empty string (""). minLength: 1 
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml index 60698312ae3..d569f63979e 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml @@ -79,16 +79,16 @@ spec: items: properties: claimMappings: - description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + description: claimMappings is a required field that configures + the rules to be used by the Kubernetes API server for translating + claims in a JWT token, issued by the identity provider, to + a cluster identity. properties: extra: description: |- - extra is an optional field for configuring the mappings - used to construct the extra attribute for the cluster identity. + extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided. items: 
@@ -187,11 +187,10 @@ spec: x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). + groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. + + When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: @@ -217,14 +216,13 @@ spec: type: object uid: description: |- - uid is an optional field for configuring the claim mapping - used to construct the uid for the cluster identity. + uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. When using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value. - When omitted, this means the user has no opinion and the platform - is left to choose a default, which is subject to change over time. + When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. properties: claim: 
@@ -266,15 +264,14 @@ spec: set rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: - description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + description: username is a required field that configures + how the username of a cluster identity should be constructed + from the claims in a JWT token issued by the identity + provider. properties: claim: description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 @@ -282,8 +279,7 @@ spec: type: string prefix: description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. + prefix configures the prefix that should be prepended to the value of the JWT claim. prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: 
@@ -301,23 +297,21 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. + prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. + When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. + When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", and `claim` is set to: 
@@ -342,9 +336,7 @@ spec: type: object claimValidationRules: description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. + claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. Validation rules are joined via an AND operation. items: @@ -381,9 +373,7 @@ spec: requiredClaim: description: |- requiredClaim allows configuring a required claim name and its expected value. - This field is required when `type` is set to RequiredClaim, and must be omitted - when `type` is set to any other value. The Kubernetes API server uses this field - to validate if an incoming JWT is valid for this identity provider. + This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. properties: claim: description: |- @@ -413,12 +403,9 @@ spec: Allowed values are "RequiredClaim" and "CEL". - When set to 'RequiredClaim', the Kubernetes API server will be configured - to validate that the incoming JWT contains the required claim and that its - value matches the required value. + When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. - When set to 'CEL', the Kubernetes API server will be configured - to validate the incoming JWT against the configured CEL expression. + When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. enum: - RequiredClaim - CEL 
@@ -438,15 +425,14 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer is a required field that configures how + the platform interacts with the identity provider and how + tokens issued from the identity provider are evaluated by + the Kubernetes API server. properties: audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. + audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token. audiences must contain at least one entry and must not exceed ten entries. 
@@ -459,12 +445,9 @@ spec: x-kubernetes-list-type: set discoveryURL: description: |- - discoveryURL is an optional field that, if specified, overrides the default discovery endpoint - used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` - as "{issuerURL}/.well-known/openid-configuration". + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". - The discoveryURL must be a valid absolute HTTPS URL. It must not contain query - parameters, user information, or fragments. Additionally, it must differ from the value of `url` (ignoring trailing slashes). + The discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters. maxLength: 2048 minLength: 1 
@@ -482,15 +465,11 @@ spec: rule: '!self.matches(''^https://.+:.+@.+/.*$'')' issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. + issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. When not specified, the system trust is used. - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -501,10 +480,8 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + issuerURL is a required field that configures the URL used to issue tokens by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. Must be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. 
@@ -533,18 +510,15 @@ spec: : true' name: description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. + name is a required field that configures the unique human-readable identifier associated with the identity provider. + It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. + oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: description: |- 
@@ -554,29 +528,23 @@ spec: properties: clientID: description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. + clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. + The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. + clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. - When not specified, no client secret will be used when making authentication requests - to the identity provider. + When not specified, no client secret will be used when making authentication requests to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider. - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. 
+ Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -587,8 +555,8 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -597,9 +565,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
@@ -608,11 +575,8 @@ spec: type: string extraScopes: description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. + extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. + This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. When omitted, no additional scopes are requested. items: @@ -632,9 +596,7 @@ spec: x-kubernetes-list-type: map userValidationRules: description: |- - userValidationRules is an optional field that configures the set of rules - used to validate the cluster user identity that was constructed via - mapping token claims to user identity attributes. + userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. If any rule in the chain of rules evaluates to 'false', authentication will fail. When specified, at least one rule must be specified and no more than 64 rules may be specified. 
@@ -645,8 +607,8 @@ spec: properties: expression: description: |- - expression is a required CEL expression that performs a validation - on cluster user identity attributes like username, groups, etc. + expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc. + The expression must evaluate to a boolean value. When the expression evaluates to 'true', the cluster user identity is considered valid. When the expression evaluates to 'false', the cluster user identity is not considered valid. @@ -656,8 +618,7 @@ spec: type: string message: description: |- - message is a required human-readable message to be logged by the Kubernetes API server - if the CEL expression defined in 'expression' fails. + message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters. maxLength: 256 minLength: 1 @@ -804,8 +765,7 @@ spec: properties: componentName: description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. 
@@ -814,9 +774,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. @@ -893,8 +852,7 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. consumingUsers must not exceed 5 entries. items: @@ -910,6 +868,7 @@ spec: currentOIDCClients: description: |- currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: description: |- 
@@ -918,25 +877,21 @@ spec: properties: clientID: description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. + clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. + issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. + oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. oidcProviderName must not be an empty string (""). minLength: 1 diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml index 393cf694835..dc073d48dc4 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml 
@@ -79,18 +79,17 @@ spec: items: properties: claimMappings: - description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + description: claimMappings is a required field that configures + the rules to be used by the Kubernetes API server for translating + claims in a JWT token, issued by the identity provider, to + a cluster identity. properties: groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). + groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. + + When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: 
@@ -115,15 +114,14 @@ spec: - claim type: object username: - description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + description: username is a required field that configures + how the username of a cluster identity should be constructed + from the claims in a JWT token issued by the identity + provider. properties: claim: description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 @@ -131,8 +129,7 @@ spec: type: string prefix: description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. + prefix configures the prefix that should be prepended to the value of the JWT claim. prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: 
@@ -150,23 +147,21 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. + prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. + When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. + When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", and `claim` is set to: 
@@ -191,9 +186,7 @@ spec: type: object claimValidationRules: description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. + claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. Validation rules are joined via an AND operation. items: @@ -205,9 +198,7 @@ spec: requiredClaim: description: |- requiredClaim allows configuring a required claim name and its expected value. - This field is required when `type` is set to RequiredClaim, and must be omitted - when `type` is set to any other value. The Kubernetes API server uses this field - to validate if an incoming JWT is valid for this identity provider. + This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. properties: claim: description: |- @@ -237,12 +228,9 @@ spec: Allowed values are "RequiredClaim" and "CEL". - When set to 'RequiredClaim', the Kubernetes API server will be configured - to validate that the incoming JWT contains the required claim and that its - value matches the required value. + When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. - When set to 'CEL', the Kubernetes API server will be configured - to validate the incoming JWT against the configured CEL expression. + When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. enum: - RequiredClaim type: string 
@@ -257,15 +245,14 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer is a required field that configures how + the platform interacts with the identity provider and how + tokens issued from the identity provider are evaluated by + the Kubernetes API server. properties: audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. + audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token. audiences must contain at least one entry and must not exceed ten entries. 
@@ -278,15 +265,11 @@ spec: x-kubernetes-list-type: set issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. + issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. When not specified, the system trust is used. - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -297,10 +280,8 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + issuerURL is a required field that configures the URL used to issue tokens by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. Must be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. 
@@ -324,18 +305,15 @@ spec: type: object name: description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. + name is a required field that configures the unique human-readable identifier associated with the identity provider. + It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. + oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: description: |- 
@@ -345,29 +323,23 @@ spec: properties: clientID: description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. + clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. + The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. + clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests to the identity provider. - When not specified, no client secret will be used when making authentication requests - to the identity provider. + When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider. - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. 
+ Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -378,8 +350,8 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -388,9 +360,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
@@ -399,11 +370,8 @@ spec: type: string extraScopes: description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. + extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. + This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. When omitted, no additional scopes are requested. items: @@ -553,8 +521,7 @@ spec: properties: componentName: description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -563,9 +530,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
@@ -642,8 +608,7 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. consumingUsers must not exceed 5 entries. items: @@ -659,6 +624,7 @@ spec: currentOIDCClients: description: |- currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: description: |- @@ -667,25 +633,21 @@ spec: properties: clientID: description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. + clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. + issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. + oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. oidcProviderName must not be an empty string (""). minLength: 1 
diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml index 57065dbe14d..5f3efa0392d 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml @@ -79,16 +79,16 @@ spec: items: properties: claimMappings: - description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + description: claimMappings is a required field that configures + the rules to be used by the Kubernetes API server for translating + claims in a JWT token, issued by the identity provider, to + a cluster identity. properties: extra: description: |- - extra is an optional field for configuring the mappings - used to construct the extra attribute for the cluster identity. + extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided. items: 
@@ -187,11 +187,10 @@ spec: x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). + groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. + + When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: @@ -217,14 +216,13 @@ spec: type: object uid: description: |- - uid is an optional field for configuring the claim mapping - used to construct the uid for the cluster identity. + uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. When using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value. - When omitted, this means the user has no opinion and the platform - is left to choose a default, which is subject to change over time. + When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. properties: claim: 
@@ -266,15 +264,14 @@ spec: set rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: - description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + description: username is a required field that configures + how the username of a cluster identity should be constructed + from the claims in a JWT token issued by the identity + provider. properties: claim: description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 @@ -282,8 +279,7 @@ spec: type: string prefix: description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. + prefix configures the prefix that should be prepended to the value of the JWT claim. prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: 
@@ -301,23 +297,21 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. + prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. + When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. + When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", and `claim` is set to: 
@@ -342,9 +336,7 @@ spec: type: object claimValidationRules: description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. + claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. Validation rules are joined via an AND operation. items: @@ -356,9 +348,7 @@ spec: requiredClaim: description: |- requiredClaim allows configuring a required claim name and its expected value. - This field is required when `type` is set to RequiredClaim, and must be omitted - when `type` is set to any other value. The Kubernetes API server uses this field - to validate if an incoming JWT is valid for this identity provider. + This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. properties: claim: description: |- @@ -388,12 +378,9 @@ spec: Allowed values are "RequiredClaim" and "CEL". - When set to 'RequiredClaim', the Kubernetes API server will be configured - to validate that the incoming JWT contains the required claim and that its - value matches the required value. + When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. - When set to 'CEL', the Kubernetes API server will be configured - to validate the incoming JWT against the configured CEL expression. + When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. enum: - RequiredClaim type: string 
@@ -408,15 +395,14 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer is a required field that configures how + the platform interacts with the identity provider and how + tokens issued from the identity provider are evaluated by + the Kubernetes API server. properties: audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. + audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token. audiences must contain at least one entry and must not exceed ten entries. 
@@ -429,15 +415,11 @@ spec: x-kubernetes-list-type: set issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. + issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. When not specified, the system trust is used. - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -448,10 +430,8 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + issuerURL is a required field that configures the URL used to issue tokens by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. Must be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. 
@@ -475,18 +455,15 @@ spec: type: object name: description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. + name is a required field that configures the unique human-readable identifier associated with the identity provider. + It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. + oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: description: |- 
@@ -496,29 +473,23 @@ spec: properties: clientID: description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. + clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. + The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. + clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests to the identity provider. - When not specified, no client secret will be used when making authentication requests - to the identity provider. + When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider. - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. 
+ Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -529,8 +500,8 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -539,9 +510,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
@@ -550,11 +520,8 @@ spec: type: string extraScopes: description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. + extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. + This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. When omitted, no additional scopes are requested. items: @@ -704,8 +671,7 @@ spec: properties: componentName: description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -714,9 +680,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
@@ -793,8 +758,7 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. consumingUsers must not exceed 5 entries. items: @@ -810,6 +774,7 @@ spec: currentOIDCClients: description: |- currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: description: |- @@ -818,25 +783,21 @@ spec: properties: clientID: description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. + clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. + issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. + oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. oidcProviderName must not be an empty string (""). minLength: 1 
diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml index 645075f843e..f2833ca7d3f 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml @@ -79,18 +79,17 @@ spec: items: properties: claimMappings: - description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + description: claimMappings is a required field that configures + the rules to be used by the Kubernetes API server for translating + claims in a JWT token, issued by the identity provider, to + a cluster identity. properties: groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). + groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. + + When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: 
@@ -115,15 +114,14 @@ spec: - claim type: object username: - description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + description: username is a required field that configures + how the username of a cluster identity should be constructed + from the claims in a JWT token issued by the identity + provider. properties: claim: description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 @@ -131,8 +129,7 @@ spec: type: string prefix: description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. + prefix configures the prefix that should be prepended to the value of the JWT claim. prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: 
@@ -150,23 +147,21 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. + prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. + When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. + When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", and `claim` is set to: 
@@ -191,9 +186,7 @@ spec: type: object claimValidationRules: description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. + claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. Validation rules are joined via an AND operation. items: @@ -230,9 +223,7 @@ spec: requiredClaim: description: |- requiredClaim allows configuring a required claim name and its expected value. - This field is required when `type` is set to RequiredClaim, and must be omitted - when `type` is set to any other value. The Kubernetes API server uses this field - to validate if an incoming JWT is valid for this identity provider. + This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. properties: claim: description: |- @@ -262,12 +253,9 @@ spec: Allowed values are "RequiredClaim" and "CEL". - When set to 'RequiredClaim', the Kubernetes API server will be configured - to validate that the incoming JWT contains the required claim and that its - value matches the required value. + When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. - When set to 'CEL', the Kubernetes API server will be configured - to validate the incoming JWT against the configured CEL expression. + When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. enum: - RequiredClaim - CEL 
@@ -287,15 +275,14 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer is a required field that configures how + the platform interacts with the identity provider and how + tokens issued from the identity provider are evaluated by + the Kubernetes API server. properties: audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. + audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token. audiences must contain at least one entry and must not exceed ten entries. 
@@ -308,12 +295,9 @@ spec: x-kubernetes-list-type: set discoveryURL: description: |- - discoveryURL is an optional field that, if specified, overrides the default discovery endpoint - used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` - as "{issuerURL}/.well-known/openid-configuration". + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". - The discoveryURL must be a valid absolute HTTPS URL. It must not contain query - parameters, user information, or fragments. Additionally, it must differ from the value of `url` (ignoring trailing slashes). + The discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters. maxLength: 2048 minLength: 1 
@@ -331,15 +315,11 @@ spec: rule: '!self.matches(''^https://.+:.+@.+/.*$'')' issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. + issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. When not specified, the system trust is used. - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -350,10 +330,8 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + issuerURL is a required field that configures the URL used to issue tokens by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. Must be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. 
@@ -382,18 +360,15 @@ spec: : true' name: description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. + name is a required field that configures the unique human-readable identifier associated with the identity provider. + It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. + oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: description: |- 
@@ -403,29 +378,23 @@ spec: properties: clientID: description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. + clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. + The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. + clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests to the identity provider. - When not specified, no client secret will be used when making authentication requests - to the identity provider. + When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider. - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. 
+ Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -436,8 +405,8 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -446,9 +415,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
@@ -457,11 +425,8 @@ spec: type: string extraScopes: description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. + extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. + This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. When omitted, no additional scopes are requested. items: @@ -481,9 +446,7 @@ spec: x-kubernetes-list-type: map userValidationRules: description: |- - userValidationRules is an optional field that configures the set of rules - used to validate the cluster user identity that was constructed via - mapping token claims to user identity attributes. + userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. If any rule in the chain of rules evaluates to 'false', authentication will fail. When specified, at least one rule must be specified and no more than 64 rules may be specified. 
@@ -494,8 +457,8 @@ spec: properties: expression: description: |- - expression is a required CEL expression that performs a validation - on cluster user identity attributes like username, groups, etc. + expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc. + The expression must evaluate to a boolean value. When the expression evaluates to 'true', the cluster user identity is considered valid. When the expression evaluates to 'false', the cluster user identity is not considered valid. @@ -505,8 +468,7 @@ spec: type: string message: description: |- - message is a required human-readable message to be logged by the Kubernetes API server - if the CEL expression defined in 'expression' fails. + message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters. maxLength: 256 minLength: 1 diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index e7bc0aebb33..9bfdd83ea2a 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go 
@@ -408,10 +408,10 @@ func (ExtraMapping) SwaggerDoc() map[string]string { var map_OIDCClientConfig = map[string]string{ "": "OIDCClientConfig configures how platform clients interact with identity providers as an authentication method", - "componentName": "componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", - "componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", + "componentName": "componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode.\n\nIt is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", + "componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running.\n\nIt is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", "clientID": "clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. 
The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode.\n\nclientID must not be an empty string (\"\").", - "clientSecret": "clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.\n\nWhen not specified, no client secret will be used when making authentication requests to the identity provider.\n\nWhen specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider.\n\nPublic clients do not require a client secret but private clients do require a client secret to work with the identity provider.", + "clientSecret": "clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.\n\nWhen not specified, no client secret will be used when making authentication requests to the identity provider.\n\nWhen specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field.\n\nThe client secret will be used when making authentication requests to the identity provider.\n\nPublic clients do not require a client secret but private clients do require a client secret to work with the identity provider.", "extraScopes": "extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes.\n\nWhen omitted, no additional scopes are requested.", } 
@@ -433,8 +433,8 @@ func (OIDCClientReference) SwaggerDoc() map[string]string { var map_OIDCClientStatus = map[string]string{ "": "OIDCClientStatus represents the current state of platform components and how they interact with the configured identity providers.", "componentName": "componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", - "componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", - "currentOIDCClients": "currentOIDCClients is an optional list of clients that the component is currently using. 
Entries must have unique issuerURL/clientID pairs.", + "componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running.\n\nIt is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", + "currentOIDCClients": "currentOIDCClients is an optional list of clients that the component is currently using.\n\nEntries must have unique issuerURL/clientID pairs.", "consumingUsers": "consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret.\n\nconsumingUsers must not exceed 5 entries.", "conditions": "conditions are used to communicate the state of the `oidcClients` entry.\n\nSupported conditions include Available, Degraded and Progressing.\n\nIf Available is true, the component is successfully using the configured client. If Degraded is true, that means something has gone wrong trying to handle the client configuration. If Progressing is true, that means the component is taking some action related to the `oidcClients` entry.", } 
@@ -476,9 +476,9 @@ func (TokenClaimMapping) SwaggerDoc() map[string]string { var map_TokenClaimMappings = map[string]string{ "username": "username is a required field that configures how the username of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.", - "groups": "groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). For example - '\"example\"' and '\"exampleOne\", \"exampleTwo\", \"exampleThree\"' are valid claim values.", - "uid": "uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity.\n\nWhen using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. The current default is to use the 'sub' claim.", - "extra": "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. 
A maximum of 32 extra attribute mappings may be provided.", + "groups": "groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.\n\nWhen referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (',').\n\nFor example - '\"example\"' and '\"exampleOne\", \"exampleTwo\", \"exampleThree\"' are valid claim values.", + "uid": "uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity.\n\nWhen using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time.\n\nThe current default is to use the 'sub' claim.", + "extra": "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity.\n\nkey values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided.", } func (TokenClaimMappings) SwaggerDoc() map[string]string { 
@@ -519,7 +519,7 @@ var map_TokenIssuer = map[string]string{ "issuerURL": "issuerURL is a required field that configures the URL used to issue tokens by the identity provider. The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.\n\nMust be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.", "audiences": "audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token.\n\naudiences must contain at least one entry and must not exceed ten entries.", "issuerCertificateAuthority": "issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information.\n\nWhen not specified, the system trust is used.\n\nWhen specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap.", - "discoveryURL": "discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as \"{issuerURL}/.well-known/openid-configuration\".\n\nThe discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `url` (ignoring trailing slashes). 
The discoveryURL value must be at least 1 character long and no longer than 2048 characters.", + "discoveryURL": "discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as \"{issuerURL}/.well-known/openid-configuration\".\n\nThe discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters.", } func (TokenIssuer) SwaggerDoc() map[string]string { 
@@ -537,7 +537,7 @@ func (TokenRequiredClaim) SwaggerDoc() map[string]string { var map_TokenUserValidationRule = map[string]string{ "": "TokenUserValidationRule provides a CEL-based rule used to validate a token subject. Each rule contains a CEL expression that is evaluated against the token’s claims.", - "expression": "expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc. The expression must evaluate to a boolean value. When the expression evaluates to 'true', the cluster user identity is considered valid. When the expression evaluates to 'false', the cluster user identity is not considered valid. expression must be at least 1 character in length and must not exceed 1024 characters.", + "expression": "expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc.\n\nThe expression must evaluate to a boolean value. When the expression evaluates to 'true', the cluster user identity is considered valid. When the expression evaluates to 'false', the cluster user identity is not considered valid. expression must be at least 1 character in length and must not exceed 1024 characters.", "message": "message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters.", } 
@@ -547,7 +547,7 @@ func (TokenUserValidationRule) SwaggerDoc() map[string]string { var map_UsernameClaimMapping = map[string]string{ "claim": "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.\n\nclaim must not be an empty string (\"\") and must not exceed 256 characters.", - "prefixPolicy": "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. The prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. 
As an example, consider the following scenario:\n `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n - \"email\": the mapped value will be \"userA@myoidc.tld\"", + "prefixPolicy": "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim.\n\nThe prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'.\n\nAs an example, consider the following scenario:\n\n `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n - \"email\": the mapped value will be \"userA@myoidc.tld\"", "prefix": "prefix configures the prefix that should be prepended to the value of the JWT claim.\n\nprefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise.", } diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index f29c06e82fb..2efea30732a 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go 
@@ -17860,7 +17860,7 @@ func schema_openshift_api_config_v1_OIDCClientConfig(ref common.ReferenceCallbac Properties: map[string]spec.Schema{ "componentName": { SchemaProps: spec.SchemaProps{ - Description: "componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", + Description: "componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode.\n\nIt is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", Default: "", Type: []string{"string"}, Format: "", @@ -17868,7 +17868,7 @@ func schema_openshift_api_config_v1_OIDCClientConfig(ref common.ReferenceCallbac }, "componentNamespace": { SchemaProps: spec.SchemaProps{ - Description: "componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", + Description: "componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running.\n\nIt is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", Default: "", Type: []string{"string"}, Format: "", 
@@ -17884,7 +17884,7 @@ func schema_openshift_api_config_v1_OIDCClientConfig(ref common.ReferenceCallbac }, "clientSecret": { SchemaProps: spec.SchemaProps{ - Description: "clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.\n\nWhen not specified, no client secret will be used when making authentication requests to the identity provider.\n\nWhen specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider.\n\nPublic clients do not require a client secret but private clients do require a client secret to work with the identity provider.", + Description: "clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.\n\nWhen not specified, no client secret will be used when making authentication requests to the identity provider.\n\nWhen specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field.\n\nThe client secret will be used when making authentication requests to the identity provider.\n\nPublic clients do not require a client secret but private clients do require a client secret to work with the identity provider.", Default: map[string]interface{}{}, Ref: ref("github.com/openshift/api/config/v1.SecretNameReference"), }, 
@@ -17973,7 +17973,7 @@ func schema_openshift_api_config_v1_OIDCClientStatus(ref common.ReferenceCallbac }, "componentNamespace": { SchemaProps: spec.SchemaProps{ - Description: "componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", + Description: "componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running.\n\nIt is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", Default: "", Type: []string{"string"}, Format: "", @@ -17990,7 +17990,7 @@ func schema_openshift_api_config_v1_OIDCClientStatus(ref common.ReferenceCallbac }, }, SchemaProps: spec.SchemaProps{ - Description: "currentOIDCClients is an optional list of clients that the component is currently using. Entries must have unique issuerURL/clientID pairs.", + Description: "currentOIDCClients is an optional list of clients that the component is currently using.\n\nEntries must have unique issuerURL/clientID pairs.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ 
@@ -21130,14 +21130,14 @@ func schema_openshift_api_config_v1_TokenClaimMappings(ref common.ReferenceCallb }, "groups": { SchemaProps: spec.SchemaProps{ - Description: "groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). For example - '\"example\"' and '\"exampleOne\", \"exampleTwo\", \"exampleThree\"' are valid claim values.", + Description: "groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.\n\nWhen referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (',').\n\nFor example - '\"example\"' and '\"exampleOne\", \"exampleTwo\", \"exampleThree\"' are valid claim values.", Default: map[string]interface{}{}, Ref: ref("github.com/openshift/api/config/v1.PrefixedClaimMapping"), }, }, "uid": { SchemaProps: spec.SchemaProps{ - Description: "uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity.\n\nWhen using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. The current default is to use the 'sub' claim.", + Description: "uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity.\n\nWhen using uid.claim to specify the claim it must be a single string value. 
When using uid.expression the expression must result in a single string value.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time.\n\nThe current default is to use the 'sub' claim.", Ref: ref("github.com/openshift/api/config/v1.TokenClaimOrExpressionMapping"), }, }, @@ -21151,7 +21151,7 @@ func schema_openshift_api_config_v1_TokenClaimMappings(ref common.ReferenceCallb }, }, SchemaProps: spec.SchemaProps{ - Description: "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided.", + Description: "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity.\n\nkey values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ 
@@ -21342,7 +21342,7 @@ func schema_openshift_api_config_v1_TokenIssuer(ref common.ReferenceCallback) co }, "discoveryURL": { SchemaProps: spec.SchemaProps{ - Description: "discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as \"{issuerURL}/.well-known/openid-configuration\".\n\nThe discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `url` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters.", + Description: "discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as \"{issuerURL}/.well-known/openid-configuration\".\n\nThe discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters.", Type: []string{"string"}, Format: "", }, 
@@ -21394,7 +21394,7 @@ func schema_openshift_api_config_v1_TokenUserValidationRule(ref common.Reference Properties: map[string]spec.Schema{ "expression": { SchemaProps: spec.SchemaProps{ - Description: "expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc. The expression must evaluate to a boolean value. When the expression evaluates to 'true', the cluster user identity is considered valid. When the expression evaluates to 'false', the cluster user identity is not considered valid. expression must be at least 1 character in length and must not exceed 1024 characters.", + Description: "expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc.\n\nThe expression must evaluate to a boolean value. When the expression evaluates to 'true', the cluster user identity is considered valid. When the expression evaluates to 'false', the cluster user identity is not considered valid. expression must be at least 1 character in length and must not exceed 1024 characters.", Type: []string{"string"}, Format: "", }, 
@@ -21565,7 +21565,7 @@ func schema_openshift_api_config_v1_UsernameClaimMapping(ref common.ReferenceCal }, "prefixPolicy": { SchemaProps: spec.SchemaProps{ - Description: "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. The prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. As an example, consider the following scenario:\n `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n - \"email\": the mapped value will be \"userA@myoidc.tld\"", + Description: "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim.\n\nThe prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. 
Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'.\n\nAs an example, consider the following scenario:\n\n `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n - \"email\": the mapped value will be \"userA@myoidc.tld\"", Default: "", Type: []string{"string"}, Format: "", From 994b8ecee65b348c935d9d6e08813f6b819f140b Mon Sep 17 00:00:00 2001 From: Evan Hearne Date: Mon, 19 Jan 2026 10:51:07 +0000 Subject: [PATCH 3/7] update codegen crds --- openapi/openapi.json | 106 +++++++--- ...1_authentications-CustomNoUpgrade.crd.yaml | 185 +++++++----------- ...erator_01_authentications-Default.crd.yaml | 167 ++++++---------- ...thentications-DevPreviewNoUpgrade.crd.yaml | 185 +++++++----------- ...g-operator_01_authentications-OKD.crd.yaml | 167 ++++++---------- ...hentications-TechPreviewNoUpgrade.crd.yaml | 185 +++++++----------- 6 files changed, 420 insertions(+), 575 deletions(-) diff --git a/openapi/openapi.json b/openapi/openapi.json index 97afd57f431..73835e711ba 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -4572,6 +4572,19 @@ } } }, + "com.github.openshift.api.config.v1.AcceptRisk": { + "description": "AcceptRisk represents a risk that is considered acceptable.", + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "description": "name is the name of the acceptable risk. It must be a non-empty string and must not exceed 256 characters.", + "type": "string" + } + } + }, "com.github.openshift.api.config.v1.AdmissionConfig": { "type": "object", "properties": { 
@@ -5859,6 +5872,18 @@ "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.ClusterVersionCapabilitiesStatus" }, + "conditionalUpdateRisks": { + "description": "conditionalUpdateRisks contains the list of risks associated with conditionalUpdates. When performing a conditional update, all its associated risks will be compared with the set of accepted risks in the spec.desiredUpdate.acceptRisks field. If all risks for a conditional update are included in the spec.desiredUpdate.acceptRisks set, the conditional update can proceed, otherwise it is blocked. The risk names in the list must be unique. conditionalUpdateRisks must not contain more than 500 entries.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.ConditionalUpdateRisk" + }, + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, "conditionalUpdates": { "description": "conditionalUpdates contains the list of updates that may be recommended for this cluster if it meets specific required conditions. Consumers interested in the set of updates that are actually recommended for this cluster should use availableUpdates. This list may be empty if no updates are recommended, if the update service is unavailable, or if an empty or invalid channel has been specified.", "type": "array", 
@@ -6066,6 +6091,15 @@ "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.Release" }, + "riskNames": { + "description": "riskNames represents the set of the names of conditionalUpdateRisks that are relevant to this update for some clusters. The Applies condition of each conditionalUpdateRisks entry declares if that risk applies to this cluster. A conditional update is accepted only if each of its risks either does not apply to the cluster or is considered acceptable by the cluster administrator. The latter means that the risk names are included in value of the spec.desiredUpdate.acceptRisks field. Entries must be unique and must not exceed 256 characters. riskNames must not contain more than 500 entries.", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "set" + }, "risks": { "description": "risks represents the range of issues associated with updating to the target release. The cluster-version operator will evaluate all entries, and only recommend the update if there is at least one entry and all entries recommend the update.", "type": "array", 
@@ -6092,6 +6126,18 @@ "matchingRules" ], "properties": { + "conditions": { + "description": "conditions represents the observations of the conditional update risk's current status. Known types are: * Applies, for whether the risk applies to the current cluster. The condition's types in the list must be unique. conditions must not contain more than one entry.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" + }, + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" + }, "matchingRules": { "description": "matchingRules is a slice of conditions for deciding which clusters match the risk and which do not. The slice is ordered by decreasing precedence. The cluster-version operator will walk the slice in order, and stop after the first it can successfully evaluate. If no condition can be successfully evaluated, the update will not be recommended.", "type": "array", @@ -6302,7 +6348,7 @@ "x-kubernetes-list-type": "atomic" }, "minTLSVersion": { - "description": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12", + "description": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11", "type": "string", "default": "" } 
@@ -8488,7 +8534,7 @@ } }, "com.github.openshift.api.config.v1.IntermediateTLSProfile": { - "description": "IntermediateTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29", + "description": "IntermediateTLSProfile is a TLS security profile based on the \"intermediate\" configuration of the Mozilla Server Side TLS configuration guidelines.", "type": "object" }, "com.github.openshift.api.config.v1.KMSConfig": { @@ -8766,7 +8812,7 @@ } }, "com.github.openshift.api.config.v1.ModernTLSProfile": { - "description": "ModernTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility", + "description": "ModernTLSProfile is a TLS security profile based on the \"modern\" configuration of the Mozilla Server Side TLS configuration guidelines.", "type": "object" }, "com.github.openshift.api.config.v1.NamedCertificate": { 
@@ -9501,17 +9547,17 @@ "default": "" }, "clientSecret": { - "description": "clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.\n\nWhen not specified, no client secret will be used when making authentication requests to the identity provider.\n\nWhen specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider.\n\nPublic clients do not require a client secret but private clients do require a client secret to work with the identity provider.", + "description": "clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.\n\nWhen not specified, no client secret will be used when making authentication requests to the identity provider.\n\nWhen specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field.\n\nThe client secret will be used when making authentication requests to the identity provider.\n\nPublic clients do not require a client secret but private clients do require a client secret to work with the identity provider.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.SecretNameReference" }, "componentName": { - "description": "componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. 
It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", + "description": "componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode.\n\nIt is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.", "type": "string", "default": "" }, "componentNamespace": { - "description": "componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", + "description": "componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running.\n\nIt is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", "type": "string", "default": "" }, 
@@ -9566,7 +9612,7 @@ "default": "" }, "componentNamespace": { - "description": "componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", + "description": "componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running.\n\nIt is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.", "type": "string", "default": "" }, @@ -9592,7 +9638,7 @@ "x-kubernetes-list-type": "set" }, "currentOIDCClients": { - "description": "currentOIDCClients is an optional list of clients that the component is currently using. Entries must have unique issuerURL/clientID pairs.", + "description": "currentOIDCClients is an optional list of clients that the component is currently using.\n\nEntries must have unique issuerURL/clientID pairs.", "type": "array", "items": { "default": {}, @@ -9696,7 +9742,7 @@ } }, "com.github.openshift.api.config.v1.OldTLSProfile": { - "description": "OldTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility", + "description": "OldTLSProfile is a TLS security profile based on the \"old\" configuration of the Mozilla Server Side TLS configuration guidelines.", "type": "object" }, "com.github.openshift.api.config.v1.OpenIDClaims": { 
@@ -11274,7 +11320,7 @@ "x-kubernetes-list-type": "atomic" }, "minTLSVersion": { - "description": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12", + "description": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11", "type": "string", "default": "" } 
@@ -11285,23 +11331,23 @@ "type": "object", "properties": { "custom": { - "description": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n ciphers:\n\n - ECDHE-ECDSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-AES128-GCM-SHA256\n\n - ECDHE-ECDSA-AES128-GCM-SHA256\n\n minTLSVersion: VersionTLS11", + "description": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n minTLSVersion: VersionTLS11\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256", "$ref": "#/definitions/com.github.openshift.api.config.v1.CustomTLSProfile" }, "intermediate": { - "description": "intermediate is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29\n\nand looks like this (yaml):\n\n ciphers:\n\n - TLS_AES_128_GCM_SHA256\n\n - TLS_AES_256_GCM_SHA384\n\n - TLS_CHACHA20_POLY1305_SHA256\n\n - ECDHE-ECDSA-AES128-GCM-SHA256\n\n - ECDHE-RSA-AES128-GCM-SHA256\n\n - ECDHE-ECDSA-AES256-GCM-SHA384\n\n - ECDHE-RSA-AES256-GCM-SHA384\n\n - ECDHE-ECDSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-CHACHA20-POLY1305\n\n - DHE-RSA-AES128-GCM-SHA256\n\n - DHE-RSA-AES256-GCM-SHA384\n\n minTLSVersion: VersionTLS12", + "description": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"intermediate\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n 
- TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384", "$ref": "#/definitions/com.github.openshift.api.config.v1.IntermediateTLSProfile" }, "modern": { - "description": "modern is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility\n\nand looks like this (yaml):\n\n ciphers:\n\n - TLS_AES_128_GCM_SHA256\n\n - TLS_AES_256_GCM_SHA384\n\n - TLS_CHACHA20_POLY1305_SHA256\n\n minTLSVersion: VersionTLS13", + "description": "modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256", "$ref": "#/definitions/com.github.openshift.api.config.v1.ModernTLSProfile" }, "old": { - "description": "old is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility\n\nand looks like this (yaml):\n\n ciphers:\n\n - TLS_AES_128_GCM_SHA256\n\n - TLS_AES_256_GCM_SHA384\n\n - TLS_CHACHA20_POLY1305_SHA256\n\n - ECDHE-ECDSA-AES128-GCM-SHA256\n\n - ECDHE-RSA-AES128-GCM-SHA256\n\n - ECDHE-ECDSA-AES256-GCM-SHA384\n\n - ECDHE-RSA-AES256-GCM-SHA384\n\n - ECDHE-ECDSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-CHACHA20-POLY1305\n\n - DHE-RSA-AES128-GCM-SHA256\n\n - DHE-RSA-AES256-GCM-SHA384\n\n - DHE-RSA-CHACHA20-POLY1305\n\n - ECDHE-ECDSA-AES128-SHA256\n\n - ECDHE-RSA-AES128-SHA256\n\n - ECDHE-ECDSA-AES128-SHA\n\n - ECDHE-RSA-AES128-SHA\n\n - ECDHE-ECDSA-AES256-SHA384\n\n - ECDHE-RSA-AES256-SHA384\n\n - ECDHE-ECDSA-AES256-SHA\n\n - ECDHE-RSA-AES256-SHA\n\n - 
DHE-RSA-AES128-SHA256\n\n - DHE-RSA-AES256-SHA256\n\n - AES128-GCM-SHA256\n\n - AES256-GCM-SHA384\n\n - AES128-SHA256\n\n - AES256-SHA256\n\n - AES128-SHA\n\n - AES256-SHA\n\n - DES-CBC3-SHA\n\n minTLSVersion: VersionTLS10", + "description": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"old\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", "$ref": "#/definitions/com.github.openshift.api.config.v1.OldTLSProfile" }, "type": { - "description": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. Old, Intermediate and Modern are TLS security profiles based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. 
Depending on precisely which ciphers are available to a process, the list may be reduced.\n\nNote that the Modern profile is currently not supported because it is not yet well adopted by common software libraries.", + "description": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are currently based on version 5.0 of the Mozilla Server Side TLS configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.", "type": "string", "default": "" } @@ -11416,7 +11462,7 @@ ], "properties": { "extra": { - "description": "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided.", + "description": "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity.\n\nkey values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided.", "type": "array", "items": { "default": {}, 
@@ -11428,12 +11474,12 @@ "x-kubernetes-list-type": "map" }, "groups": { - "description": "groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). For example - '\"example\"' and '\"exampleOne\", \"exampleTwo\", \"exampleThree\"' are valid claim values.", + "description": "groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.\n\nWhen referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (',').\n\nFor example - '\"example\"' and '\"exampleOne\", \"exampleTwo\", \"exampleThree\"' are valid claim values.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.PrefixedClaimMapping" }, "uid": { - "description": "uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity.\n\nWhen using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. The current default is to use the 'sub' claim.", + "description": "uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity.\n\nWhen using uid.claim to specify the claim it must be a single string value. 
When using uid.expression the expression must result in a single string value.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time.\n\nThe current default is to use the 'sub' claim.", "$ref": "#/definitions/com.github.openshift.api.config.v1.TokenClaimOrExpressionMapping" }, "username": { @@ -11534,7 +11580,7 @@ "x-kubernetes-list-type": "set" }, "discoveryURL": { - "description": "discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as \"{issuerURL}/.well-known/openid-configuration\".\n\nThe discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `url` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters.", + "description": "discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as \"{issuerURL}/.well-known/openid-configuration\".\n\nThe discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters.", "type": "string" }, "issuerCertificateAuthority": { 
@@ -11577,7 +11623,7 @@ ], "properties": { "expression": { - "description": "expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc. The expression must evaluate to a boolean value. When the expression evaluates to 'true', the cluster user identity is considered valid. When the expression evaluates to 'false', the cluster user identity is not considered valid. expression must be at least 1 character in length and must not exceed 1024 characters.", + "description": "expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc.\n\nThe expression must evaluate to a boolean value. When the expression evaluates to 'true', the cluster user identity is considered valid. When the expression evaluates to 'false', the cluster user identity is not considered valid. expression must be at least 1 character in length and must not exceed 1024 characters.", "type": "string" }, "message": { 
@@ -11590,6 +11636,18 @@ "description": "Update represents an administrator update request.", "type": "object", "properties": { + "acceptRisks": { + "description": "acceptRisks is an optional set of names of conditional update risks that are considered acceptable. A conditional update is performed only if all of its risks are acceptable. This list may contain entries that apply to current, previous or future updates. The entries therefore may not map directly to a risk in .status.conditionalUpdateRisks. acceptRisks must not contain more than 1000 entries. Entries in this list must be unique.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.AcceptRisk" + }, + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, "architecture": { "description": "architecture is an optional field that indicates the desired value of the cluster architecture. In this context cluster architecture means either a single architecture or a multi architecture. architecture can only be set to Multi thereby only allowing updates from single to multi architecture. If architecture is set, image cannot be set and version must be set. Valid values are 'Multi' and empty.", "type": "string", 
@@ -11624,7 +11682,7 @@ ], "properties": { "acceptedRisks": { - "description": "acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", + "description": "acceptedRisks records risks which were accepted to initiate the update. For example, it may mention an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", "type": "string" }, "completionTime": { 
@@ -11673,7 +11731,7 @@ "$ref": "#/definitions/com.github.openshift.api.config.v1.UsernamePrefix" }, "prefixPolicy": { - "description": "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. The prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. As an example, consider the following scenario:\n `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n - \"email\": the mapped value will be \"userA@myoidc.tld\"", + "description": "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim.\n\nThe prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. 
Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'.\n\nAs an example, consider the following scenario:\n\n `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n - \"email\": the mapped value will be \"userA@myoidc.tld\"", "type": "string", "default": "" } @@ -28898,7 +28956,7 @@ ], "properties": { "name": { - "description": "name is the unique name of a capability. Available capabilities are LightspeedButton and GettingStartedBanner.", + "description": "name is the unique name of a capability. Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour.", "type": "string", "default": "" }, @@ -29547,7 +29605,7 @@ "type": "string" }, "capabilities": { - "description": "capabilities defines an array of capabilities that can be interacted with in the console UI. Each capability defines a visual state that can be interacted with the console to render in the UI. Available capabilities are LightspeedButton and GettingStartedBanner. Each of the available capabilities may appear only once in the list.", + "description": "capabilities defines an array of capabilities that can be interacted with in the console UI. Each capability defines a visual state that can be interacted with the console to render in the UI. Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour. Each of the available capabilities may appear only once in the list.", "type": "array", "items": { "default": {}, diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml index 7476fd46552..2f2cf94925d 100644 
--- a/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml @@ -79,16 +79,16 @@ spec: items: properties: claimMappings: - description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + description: claimMappings is a required field that configures + the rules to be used by the Kubernetes API server for translating + claims in a JWT token, issued by the identity provider, to + a cluster identity. properties: extra: description: |- - extra is an optional field for configuring the mappings - used to construct the extra attribute for the cluster identity. + extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided. items: @@ -187,11 +187,10 @@ spec: x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). + groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. + + When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: 
@@ -217,14 +216,13 @@ spec: type: object uid: description: |- - uid is an optional field for configuring the claim mapping - used to construct the uid for the cluster identity. + uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. When using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value. - When omitted, this means the user has no opinion and the platform - is left to choose a default, which is subject to change over time. + When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. properties: claim: @@ -266,15 +264,14 @@ spec: set rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: - description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + description: username is a required field that configures + how the username of a cluster identity should be constructed + from the claims in a JWT token issued by the identity + provider. properties: claim: description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 
@@ -282,8 +279,7 @@ spec: type: string prefix: description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. + prefix configures the prefix that should be prepended to the value of the JWT claim. prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: @@ -301,23 +297,21 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. + prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. + When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. + When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", and `claim` is set to: 
@@ -342,9 +336,7 @@ spec: type: object claimValidationRules: description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. + claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. Validation rules are joined via an AND operation. items: @@ -381,9 +373,7 @@ spec: requiredClaim: description: |- requiredClaim allows configuring a required claim name and its expected value. - This field is required when `type` is set to RequiredClaim, and must be omitted - when `type` is set to any other value. The Kubernetes API server uses this field - to validate if an incoming JWT is valid for this identity provider. + This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. properties: claim: description: |- @@ -413,12 +403,9 @@ spec: Allowed values are "RequiredClaim" and "CEL". - When set to 'RequiredClaim', the Kubernetes API server will be configured - to validate that the incoming JWT contains the required claim and that its - value matches the required value. + When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. - When set to 'CEL', the Kubernetes API server will be configured - to validate the incoming JWT against the configured CEL expression. + When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. enum: - RequiredClaim - CEL 
@@ -438,15 +425,14 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer is a required field that configures how + the platform interacts with the identity provider and how + tokens issued from the identity provider are evaluated by + the Kubernetes API server. properties: audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. + audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token. audiences must contain at least one entry and must not exceed ten entries. 
@@ -459,12 +445,9 @@ spec: x-kubernetes-list-type: set discoveryURL: description: |- - discoveryURL is an optional field that, if specified, overrides the default discovery endpoint - used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` - as "{issuerURL}/.well-known/openid-configuration". + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". - The discoveryURL must be a valid absolute HTTPS URL. It must not contain query - parameters, user information, or fragments. Additionally, it must differ from the value of `url` (ignoring trailing slashes). + The discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters. maxLength: 2048 minLength: 1 
@@ -482,15 +465,11 @@ spec: rule: '!self.matches(''^https://.+:.+@.+/.*$'')' issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. + issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. When not specified, the system trust is used. - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -501,10 +480,8 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + issuerURL is a required field that configures the URL used to issue tokens by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. Must be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. 
@@ -533,18 +510,15 @@ spec: : true' name: description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. + name is a required field that configures the unique human-readable identifier associated with the identity provider. + It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. + oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: description: |- 
@@ -554,29 +528,23 @@ spec: properties: clientID: description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. + clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. + The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. + clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. - When not specified, no client secret will be used when making authentication requests - to the identity provider. + When not specified, no client secret will be used when making authentication requests to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider. - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. 
+ Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -587,8 +555,8 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -597,9 +565,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
@@ -608,11 +575,8 @@ spec: type: string extraScopes: description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. + extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. + This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. When omitted, no additional scopes are requested. items: @@ -632,9 +596,7 @@ spec: x-kubernetes-list-type: map userValidationRules: description: |- - userValidationRules is an optional field that configures the set of rules - used to validate the cluster user identity that was constructed via - mapping token claims to user identity attributes. + userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. If any rule in the chain of rules evaluates to 'false', authentication will fail. When specified, at least one rule must be specified and no more than 64 rules may be specified. 
@@ -645,8 +607,8 @@ spec: properties: expression: description: |- - expression is a required CEL expression that performs a validation - on cluster user identity attributes like username, groups, etc. + expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc. + The expression must evaluate to a boolean value. When the expression evaluates to 'true', the cluster user identity is considered valid. When the expression evaluates to 'false', the cluster user identity is not considered valid. @@ -656,8 +618,7 @@ spec: type: string message: description: |- - message is a required human-readable message to be logged by the Kubernetes API server - if the CEL expression defined in 'expression' fails. + message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters. maxLength: 256 minLength: 1 @@ -804,8 +765,7 @@ spec: properties: componentName: description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. 
@@ -814,9 +774,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. @@ -893,8 +852,7 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. consumingUsers must not exceed 5 entries. items: @@ -910,6 +868,7 @@ spec: currentOIDCClients: description: |- currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: description: |- 
@@ -918,25 +877,21 @@ spec: properties: clientID: description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. + clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. + issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. + oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. oidcProviderName must not be an empty string (""). minLength: 1 diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml index 5d93d98cc1b..feedd9fd6c6 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml 
@@ -79,16 +79,16 @@ spec: items: properties: claimMappings: - description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + description: claimMappings is a required field that configures + the rules to be used by the Kubernetes API server for translating + claims in a JWT token, issued by the identity provider, to + a cluster identity. properties: extra: description: |- - extra is an optional field for configuring the mappings - used to construct the extra attribute for the cluster identity. + extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided. items: @@ -187,11 +187,10 @@ spec: x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). + groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. + + When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: 
@@ -217,14 +216,13 @@ spec: type: object uid: description: |- - uid is an optional field for configuring the claim mapping - used to construct the uid for the cluster identity. + uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. When using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value. - When omitted, this means the user has no opinion and the platform - is left to choose a default, which is subject to change over time. + When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. properties: claim: @@ -266,15 +264,14 @@ spec: set rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: - description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + description: username is a required field that configures + how the username of a cluster identity should be constructed + from the claims in a JWT token issued by the identity + provider. properties: claim: description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 
@@ -282,8 +279,7 @@ spec: type: string prefix: description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. + prefix configures the prefix that should be prepended to the value of the JWT claim. prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: @@ -301,23 +297,21 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. + prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. + When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. + When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", and `claim` is set to: 
@@ -342,9 +336,7 @@ spec: type: object claimValidationRules: description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. + claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. Validation rules are joined via an AND operation. items: @@ -356,9 +348,7 @@ spec: requiredClaim: description: |- requiredClaim allows configuring a required claim name and its expected value. - This field is required when `type` is set to RequiredClaim, and must be omitted - when `type` is set to any other value. The Kubernetes API server uses this field - to validate if an incoming JWT is valid for this identity provider. + This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. properties: claim: description: |- @@ -388,12 +378,9 @@ spec: Allowed values are "RequiredClaim" and "CEL". - When set to 'RequiredClaim', the Kubernetes API server will be configured - to validate that the incoming JWT contains the required claim and that its - value matches the required value. + When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. - When set to 'CEL', the Kubernetes API server will be configured - to validate the incoming JWT against the configured CEL expression. + When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. enum: - RequiredClaim type: string 
@@ -408,15 +395,14 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer is a required field that configures how + the platform interacts with the identity provider and how + tokens issued from the identity provider are evaluated by + the Kubernetes API server. properties: audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. + audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token. audiences must contain at least one entry and must not exceed ten entries. 
@@ -429,15 +415,11 @@ spec: x-kubernetes-list-type: set issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. + issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. When not specified, the system trust is used. - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -448,10 +430,8 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + issuerURL is a required field that configures the URL used to issue tokens by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. Must be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. 
@@ -475,18 +455,15 @@ spec: type: object name: description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. + name is a required field that configures the unique human-readable identifier associated with the identity provider. + It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. + oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: description: |- 
@@ -496,29 +473,23 @@ spec: properties: clientID: description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. + clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. + The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. + clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests to the identity provider. - When not specified, no client secret will be used when making authentication requests - to the identity provider. + When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider. - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. 
+ Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -529,8 +500,8 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -539,9 +510,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
@@ -550,11 +520,8 @@ spec: type: string extraScopes: description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. + extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. + This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. When omitted, no additional scopes are requested. items: @@ -704,8 +671,7 @@ spec: properties: componentName: description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -714,9 +680,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
@@ -793,8 +758,7 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. consumingUsers must not exceed 5 entries. items: @@ -810,6 +774,7 @@ spec: currentOIDCClients: description: |- currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: description: |- @@ -818,25 +783,21 @@ spec: properties: clientID: description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. + clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. + issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. + oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. oidcProviderName must not be an empty string (""). minLength: 1 
diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml index 1a6afefa6a3..0fc75effce1 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml @@ -79,16 +79,16 @@ spec: items: properties: claimMappings: - description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + description: claimMappings is a required field that configures + the rules to be used by the Kubernetes API server for translating + claims in a JWT token, issued by the identity provider, to + a cluster identity. properties: extra: description: |- - extra is an optional field for configuring the mappings - used to construct the extra attribute for the cluster identity. + extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided. items: 
@@ -187,11 +187,10 @@ spec: x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). + groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. + + When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: @@ -217,14 +216,13 @@ spec: type: object uid: description: |- - uid is an optional field for configuring the claim mapping - used to construct the uid for the cluster identity. + uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. When using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value. - When omitted, this means the user has no opinion and the platform - is left to choose a default, which is subject to change over time. + When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. properties: claim: 
@@ -266,15 +264,14 @@ spec: set rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: - description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + description: username is a required field that configures + how the username of a cluster identity should be constructed + from the claims in a JWT token issued by the identity + provider. properties: claim: description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 @@ -282,8 +279,7 @@ spec: type: string prefix: description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. + prefix configures the prefix that should be prepended to the value of the JWT claim. prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: 
@@ -301,23 +297,21 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. + prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. + When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. + When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", and `claim` is set to: 
@@ -342,9 +336,7 @@ spec: type: object claimValidationRules: description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. + claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. Validation rules are joined via an AND operation. items: @@ -381,9 +373,7 @@ spec: requiredClaim: description: |- requiredClaim allows configuring a required claim name and its expected value. - This field is required when `type` is set to RequiredClaim, and must be omitted - when `type` is set to any other value. The Kubernetes API server uses this field - to validate if an incoming JWT is valid for this identity provider. + This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. properties: claim: description: |- @@ -413,12 +403,9 @@ spec: Allowed values are "RequiredClaim" and "CEL". - When set to 'RequiredClaim', the Kubernetes API server will be configured - to validate that the incoming JWT contains the required claim and that its - value matches the required value. + When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. - When set to 'CEL', the Kubernetes API server will be configured - to validate the incoming JWT against the configured CEL expression. + When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. enum: - RequiredClaim - CEL 
@@ -438,15 +425,14 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer is a required field that configures how + the platform interacts with the identity provider and how + tokens issued from the identity provider are evaluated by + the Kubernetes API server. properties: audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. + audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token. audiences must contain at least one entry and must not exceed ten entries. 
@@ -459,12 +445,9 @@ spec: x-kubernetes-list-type: set discoveryURL: description: |- - discoveryURL is an optional field that, if specified, overrides the default discovery endpoint - used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` - as "{issuerURL}/.well-known/openid-configuration". + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". - The discoveryURL must be a valid absolute HTTPS URL. It must not contain query - parameters, user information, or fragments. Additionally, it must differ from the value of `url` (ignoring trailing slashes). + The discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters. maxLength: 2048 minLength: 1 
@@ -482,15 +465,11 @@ spec: rule: '!self.matches(''^https://.+:.+@.+/.*$'')' issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. + issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. When not specified, the system trust is used. - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -501,10 +480,8 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + issuerURL is a required field that configures the URL used to issue tokens by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. Must be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. 
@@ -533,18 +510,15 @@ spec: : true' name: description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. + name is a required field that configures the unique human-readable identifier associated with the identity provider. + It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. + oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: description: |- 
@@ -554,29 +528,23 @@ spec: properties: clientID: description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. + clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. + The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. + clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. - When not specified, no client secret will be used when making authentication requests - to the identity provider. + When not specified, no client secret will be used when making authentication requests to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider. - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. 
+ Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -587,8 +555,8 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -597,9 +565,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
@@ -608,11 +575,8 @@ spec: type: string extraScopes: description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. + extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. + This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. When omitted, no additional scopes are requested. items: @@ -632,9 +596,7 @@ spec: x-kubernetes-list-type: map userValidationRules: description: |- - userValidationRules is an optional field that configures the set of rules - used to validate the cluster user identity that was constructed via - mapping token claims to user identity attributes. + userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. If any rule in the chain of rules evaluates to 'false', authentication will fail. When specified, at least one rule must be specified and no more than 64 rules may be specified. 
@@ -645,8 +607,8 @@ spec: properties: expression: description: |- - expression is a required CEL expression that performs a validation - on cluster user identity attributes like username, groups, etc. + expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc. + The expression must evaluate to a boolean value. When the expression evaluates to 'true', the cluster user identity is considered valid. When the expression evaluates to 'false', the cluster user identity is not considered valid. @@ -656,8 +618,7 @@ spec: type: string message: description: |- - message is a required human-readable message to be logged by the Kubernetes API server - if the CEL expression defined in 'expression' fails. + message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters. maxLength: 256 minLength: 1 @@ -804,8 +765,7 @@ spec: properties: componentName: description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. 
@@ -814,9 +774,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. @@ -893,8 +852,7 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. consumingUsers must not exceed 5 entries. items: @@ -910,6 +868,7 @@ spec: currentOIDCClients: description: |- currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: description: |- 
@@ -918,25 +877,21 @@ spec: properties: clientID: description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. + clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. + issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. + oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. oidcProviderName must not be an empty string (""). minLength: 1 diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml index 5233cc52fa1..aed5298c33d 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml 
@@ -79,16 +79,16 @@ spec: items: properties: claimMappings: - description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + description: claimMappings is a required field that configures + the rules to be used by the Kubernetes API server for translating + claims in a JWT token, issued by the identity provider, to + a cluster identity. properties: extra: description: |- - extra is an optional field for configuring the mappings - used to construct the extra attribute for the cluster identity. + extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided. items: @@ -187,11 +187,10 @@ spec: x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). + groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. + + When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: 
@@ -217,14 +216,13 @@ spec: type: object uid: description: |- - uid is an optional field for configuring the claim mapping - used to construct the uid for the cluster identity. + uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. When using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value. - When omitted, this means the user has no opinion and the platform - is left to choose a default, which is subject to change over time. + When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. properties: claim: @@ -266,15 +264,14 @@ spec: set rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: - description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + description: username is a required field that configures + how the username of a cluster identity should be constructed + from the claims in a JWT token issued by the identity + provider. properties: claim: description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 
@@ -282,8 +279,7 @@ spec: type: string prefix: description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. + prefix configures the prefix that should be prepended to the value of the JWT claim. prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: @@ -301,23 +297,21 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. + prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. + When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. + When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", and `claim` is set to: 
@@ -342,9 +336,7 @@ spec: type: object claimValidationRules: description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. + claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. Validation rules are joined via an AND operation. items: @@ -356,9 +348,7 @@ spec: requiredClaim: description: |- requiredClaim allows configuring a required claim name and its expected value. - This field is required when `type` is set to RequiredClaim, and must be omitted - when `type` is set to any other value. The Kubernetes API server uses this field - to validate if an incoming JWT is valid for this identity provider. + This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. properties: claim: description: |- @@ -388,12 +378,9 @@ spec: Allowed values are "RequiredClaim" and "CEL". - When set to 'RequiredClaim', the Kubernetes API server will be configured - to validate that the incoming JWT contains the required claim and that its - value matches the required value. + When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. - When set to 'CEL', the Kubernetes API server will be configured - to validate the incoming JWT against the configured CEL expression. + When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. enum: - RequiredClaim type: string 
@@ -408,15 +395,14 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer is a required field that configures how + the platform interacts with the identity provider and how + tokens issued from the identity provider are evaluated by + the Kubernetes API server. properties: audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. + audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token. audiences must contain at least one entry and must not exceed ten entries. 
@@ -429,15 +415,11 @@ spec: x-kubernetes-list-type: set issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. + issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. When not specified, the system trust is used. - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -448,10 +430,8 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + issuerURL is a required field that configures the URL used to issue tokens by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. Must be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. 
@@ -475,18 +455,15 @@ spec: type: object name: description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. + name is a required field that configures the unique human-readable identifier associated with the identity provider. + It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. + oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: description: |- 
@@ -496,29 +473,23 @@ spec: properties: clientID: description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. + clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. + The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. + clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests to the identity provider. - When not specified, no client secret will be used when making authentication requests - to the identity provider. + When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider. - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. 
+ Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -529,8 +500,8 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -539,9 +510,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
@@ -550,11 +520,8 @@ spec: type: string extraScopes: description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. + extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. + This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. When omitted, no additional scopes are requested. items: @@ -704,8 +671,7 @@ spec: properties: componentName: description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -714,9 +680,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
@@ -793,8 +758,7 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. consumingUsers must not exceed 5 entries. items: @@ -810,6 +774,7 @@ spec: currentOIDCClients: description: |- currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: description: |- @@ -818,25 +783,21 @@ spec: properties: clientID: description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. + clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. + issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. + oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. oidcProviderName must not be an empty string (""). minLength: 1 
diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml index 60698312ae3..d569f63979e 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml @@ -79,16 +79,16 @@ spec: items: properties: claimMappings: - description: |- - claimMappings is a required field that configures the rules to be used by - the Kubernetes API server for translating claims in a JWT token, issued - by the identity provider, to a cluster identity. + description: claimMappings is a required field that configures + the rules to be used by the Kubernetes API server for translating + claims in a JWT token, issued by the identity provider, to + a cluster identity. properties: extra: description: |- - extra is an optional field for configuring the mappings - used to construct the extra attribute for the cluster identity. + extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. + key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided. items: 
@@ -187,11 +187,10 @@ spec: x-kubernetes-list-type: map groups: description: |- - groups is an optional field that configures how the groups of a cluster identity - should be constructed from the claims in a JWT token issued - by the identity provider. - When referencing a claim, if the claim is present in the JWT - token, its value must be a list of groups separated by a comma (','). + groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. + + When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: @@ -217,14 +216,13 @@ spec: type: object uid: description: |- - uid is an optional field for configuring the claim mapping - used to construct the uid for the cluster identity. + uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. When using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value. - When omitted, this means the user has no opinion and the platform - is left to choose a default, which is subject to change over time. + When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. + The current default is to use the 'sub' claim. properties: claim: 
@@ -266,15 +264,14 @@ spec: set rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' username: - description: |- - username is a required field that configures how the username of a cluster identity - should be constructed from the claims in a JWT token issued by the identity provider. + description: username is a required field that configures + how the username of a cluster identity should be constructed + from the claims in a JWT token issued by the identity + provider. properties: claim: description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 @@ -282,8 +279,7 @@ spec: type: string prefix: description: |- - prefix configures the prefix that should be prepended to the value - of the JWT claim. + prefix configures the prefix that should be prepended to the value of the JWT claim. prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. properties: 
@@ -301,23 +297,21 @@ spec: type: object prefixPolicy: description: |- - prefixPolicy is an optional field that configures how a prefix should be - applied to the value of the JWT claim specified in the 'claim' field. + prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - When set to 'Prefix', the value specified in the prefix field will be - prepended to the value of the JWT claim. + When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. - When set to 'NoPrefix', no prefix will be prepended to the value - of the JWT claim. + When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. + + When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. - When omitted, this means no opinion and the platform is left to choose - any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim - when the claim is not 'email'. As an example, consider the following scenario: + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", and `claim` is set to: 
@@ -342,9 +336,7 @@ spec: type: object claimValidationRules: description: |- - claimValidationRules is an optional field that configures the rules to - be used by the Kubernetes API server for validating the claims in a JWT - token issued by the identity provider. + claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. Validation rules are joined via an AND operation. items: @@ -381,9 +373,7 @@ spec: requiredClaim: description: |- requiredClaim allows configuring a required claim name and its expected value. - This field is required when `type` is set to RequiredClaim, and must be omitted - when `type` is set to any other value. The Kubernetes API server uses this field - to validate if an incoming JWT is valid for this identity provider. + This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. properties: claim: description: |- @@ -413,12 +403,9 @@ spec: Allowed values are "RequiredClaim" and "CEL". - When set to 'RequiredClaim', the Kubernetes API server will be configured - to validate that the incoming JWT contains the required claim and that its - value matches the required value. + When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. - When set to 'CEL', the Kubernetes API server will be configured - to validate the incoming JWT against the configured CEL expression. + When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. enum: - RequiredClaim - CEL 
@@ -438,15 +425,14 @@ spec: type: array x-kubernetes-list-type: atomic issuer: - description: |- - issuer is a required field that configures how the platform interacts - with the identity provider and how tokens issued from the identity provider - are evaluated by the Kubernetes API server. + description: issuer is a required field that configures how + the platform interacts with the identity provider and how + tokens issued from the identity provider are evaluated by + the Kubernetes API server. properties: audiences: description: |- - audiences is a required field that configures the acceptable audiences - the JWT token, issued by the identity provider, must be issued to. + audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token. audiences must contain at least one entry and must not exceed ten entries. 
@@ -459,12 +445,9 @@ spec: x-kubernetes-list-type: set discoveryURL: description: |- - discoveryURL is an optional field that, if specified, overrides the default discovery endpoint - used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` - as "{issuerURL}/.well-known/openid-configuration". + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". - The discoveryURL must be a valid absolute HTTPS URL. It must not contain query - parameters, user information, or fragments. Additionally, it must differ from the value of `url` (ignoring trailing slashes). + The discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters. maxLength: 2048 minLength: 1 
@@ -482,15 +465,11 @@ spec: rule: '!self.matches(''^https://.+:.+@.+/.*$'')' issuerCertificateAuthority: description: |- - issuerCertificateAuthority is an optional field that configures the - certificate authority, used by the Kubernetes API server, to validate - the connection to the identity provider when fetching discovery information. + issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. When not specified, the system trust is used. - When specified, it must reference a ConfigMap in the openshift-config - namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' - key in the data field of the ConfigMap. + When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. properties: name: description: name is the metadata.name of the referenced @@ -501,10 +480,8 @@ spec: type: object issuerURL: description: |- - issuerURL is a required field that configures the URL used to issue tokens - by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled - by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + issuerURL is a required field that configures the URL used to issue tokens by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. Must be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. 
@@ -533,18 +510,15 @@ spec: : true' name: description: |- - name is a required field that configures the unique human-readable identifier - associated with the identity provider. - It is used to distinguish between multiple identity providers - and has no impact on token validation or authentication mechanics. + name is a required field that configures the unique human-readable identifier associated with the identity provider. + It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. name must not be an empty string (""). minLength: 1 type: string oidcClients: description: |- - oidcClients is an optional field that configures how on-cluster, - platform clients should request tokens from the identity provider. + oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. items: description: |- 
@@ -554,29 +528,23 @@ spec: properties: clientID: description: |- - clientID is a required field that configures the client identifier, from - the identity provider, that the platform component uses for authentication - requests made to the identity provider. - The identity provider must accept this identifier for platform components - to be able to use the identity provider as an authentication mode. + clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. + The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. clientID must not be an empty string (""). minLength: 1 type: string clientSecret: description: |- - clientSecret is an optional field that configures the client secret used - by the platform component when making authentication requests to the identity provider. + clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. - When not specified, no client secret will be used when making authentication requests - to the identity provider. + When not specified, no client secret will be used when making authentication requests to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - When specified, clientSecret references a Secret in the 'openshift-config' - namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider. - Public clients do not require a client secret but private - clients do require a client secret to work with the identity provider. 
+ Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. properties: name: description: name is the metadata.name of the referenced @@ -587,8 +555,8 @@ spec: type: object componentName: description: |- - componentName is a required field that specifies the name of the platform - component being configured to use the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. + It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. @@ -597,9 +565,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component being configured to use the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
@@ -608,11 +575,8 @@ spec: type: string extraScopes: description: |- - extraScopes is an optional field that configures the extra scopes that should - be requested by the platform component when making authentication requests to the - identity provider. - This is useful if you have configured claim mappings that requires specific - scopes to be requested beyond the standard OIDC scopes. + extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. + This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. When omitted, no additional scopes are requested. items: @@ -632,9 +596,7 @@ spec: x-kubernetes-list-type: map userValidationRules: description: |- - userValidationRules is an optional field that configures the set of rules - used to validate the cluster user identity that was constructed via - mapping token claims to user identity attributes. + userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. If any rule in the chain of rules evaluates to 'false', authentication will fail. When specified, at least one rule must be specified and no more than 64 rules may be specified. 
@@ -645,8 +607,8 @@ spec: properties: expression: description: |- - expression is a required CEL expression that performs a validation - on cluster user identity attributes like username, groups, etc. + expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc. + The expression must evaluate to a boolean value. When the expression evaluates to 'true', the cluster user identity is considered valid. When the expression evaluates to 'false', the cluster user identity is not considered valid. @@ -656,8 +618,7 @@ spec: type: string message: description: |- - message is a required human-readable message to be logged by the Kubernetes API server - if the CEL expression defined in 'expression' fails. + message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters. maxLength: 256 minLength: 1 @@ -804,8 +765,7 @@ spec: properties: componentName: description: |- - componentName is a required field that specifies the name of the platform - component using the identity provider as an authentication mode. + componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier. componentName must not be an empty string ("") and must not exceed 256 characters in length. 
@@ -814,9 +774,8 @@ spec: type: string componentNamespace: description: |- - componentNamespace is a required field that specifies the namespace in which the - platform component using the identity provider as an authentication - mode is running. + componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. + It is used in combination with componentName as a unique identifier. componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. @@ -893,8 +852,7 @@ spec: x-kubernetes-list-type: map consumingUsers: description: |- - consumingUsers is an optional list of ServiceAccounts requiring - read permissions on the `clientSecret` secret. + consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. consumingUsers must not exceed 5 entries. items: @@ -910,6 +868,7 @@ spec: currentOIDCClients: description: |- currentOIDCClients is an optional list of clients that the component is currently using. + Entries must have unique issuerURL/clientID pairs. items: description: |- 
@@ -918,25 +877,21 @@ spec: properties: clientID: description: |- - clientID is a required field that specifies the client identifier, from - the identity provider, that the platform component is using for authentication - requests made to the identity provider. + clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. clientID must not be empty. minLength: 1 type: string issuerURL: description: |- - issuerURL is a required field that specifies the URL of the identity - provider that this client is configured to make requests against. + issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. issuerURL must use the 'https' scheme. pattern: ^https:\/\/[^\s] type: string oidcProviderName: description: |- - oidcProviderName is a required reference to the 'name' of the identity provider - configured in 'oidcProviders' that this client is associated with. + oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. oidcProviderName must not be an empty string (""). minLength: 1 From bfc5f7f5294ea47c6770dd48ec07e57f6f05adb6 Mon Sep 17 00:00:00 2001 
From: Evan Hearne
Date: Mon, 19 Jan 2026 16:34:03 +0000
Subject: [PATCH 4/7] add sentence break
---
 config/v1/types_authentication.go | 9 ++++++---
 ...-operator_01_authentications-CustomNoUpgrade.crd.yaml | 9 ++++++---
 ...0_config-operator_01_authentications-Default.crd.yaml | 3 ++-
 ...rator_01_authentications-DevPreviewNoUpgrade.crd.yaml | 9 ++++++---
 ...00_10_config-operator_01_authentications-OKD.crd.yaml | 3 ++-
 ...ator_01_authentications-TechPreviewNoUpgrade.crd.yaml | 9 ++++++---
 .../ExternalOIDC.yaml | 3 ++-
 .../ExternalOIDCWithUIDAndExtraClaimMappings.yaml | 3 ++-
 .../ExternalOIDCWithUpstreamParity.yaml | 9 ++++++---
 ...-operator_01_authentications-CustomNoUpgrade.crd.yaml | 9 ++++++---
 ...0_config-operator_01_authentications-Default.crd.yaml | 3 ++-
 ...rator_01_authentications-DevPreviewNoUpgrade.crd.yaml | 9 ++++++---
 ...00_10_config-operator_01_authentications-OKD.crd.yaml | 3 ++-
 ...ator_01_authentications-TechPreviewNoUpgrade.crd.yaml | 9 ++++++---
 14 files changed, 60 insertions(+), 30 deletions(-)
diff --git a/config/v1/types_authentication.go b/config/v1/types_authentication.go
index 534b1cbfe03..9ca80b5a6e9 100644
--- a/config/v1/types_authentication.go
+++ b/config/v1/types_authentication.go
@@ -290,9 +290,11 @@ type TokenIssuer struct {
 //
 // +optional
 CertificateAuthority ConfigMapNameReference `json:"issuerCertificateAuthority"`
- // discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration".
+ // discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata.
+ // By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration".
 //
- // The discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes).
+ // The discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments.
+ // Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes).
 // The discoveryURL value must be at least 1 character long and no longer than 2048 characters.
 //
 // +optional
@@ -740,7 +742,8 @@ type TokenClaimValidationRule struct {
 Type TokenValidationRuleType `json:"type"`
 // requiredClaim allows configuring a required claim name and its expected value.
- // This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.
+ // This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value.
+ // The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.
 //
 // +optional
 RequiredClaim *TokenRequiredClaim `json:"requiredClaim,omitempty"`
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml index 2f2cf94925d..bf794875440 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml @@ -373,7 +373,8 @@ spec: requiredClaim: description: |- requiredClaim allows configuring a required claim name and its expected value. - This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. + This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. + The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. properties: claim: description: |- 
@@ -445,9 +446,11 @@ spec: x-kubernetes-list-type: set discoveryURL: description: |- - discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. + By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". - The discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). + The discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. + Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters. maxLength: 2048 minLength: 1 diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml index feedd9fd6c6..638923dcd94 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml 
@@ -348,7 +348,8 @@ spec: requiredClaim: description: |- requiredClaim allows configuring a required claim name and its expected value. - This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. + This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. + The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. properties: claim: description: |- diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml index 0fc75effce1..a7e4ddf5100 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml @@ -373,7 +373,8 @@ spec: requiredClaim: description: |- requiredClaim allows configuring a required claim name and its expected value. - This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. + This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. + The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. properties: claim: description: |- 
@@ -445,9 +446,11 @@ spec: x-kubernetes-list-type: set discoveryURL: description: |- - discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. + By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". - The discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). + The discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. + Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters. maxLength: 2048 minLength: 1 diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml index aed5298c33d..a8d0d15e745 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml 
@@ -348,7 +348,8 @@ spec:
 requiredClaim:
 description: |-
 requiredClaim allows configuring a required claim name and its expected value.
- This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.
+ This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value.
+ The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.
 properties:
 claim:
 description: |-
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml
index d569f63979e..ccc6810cec5 100644
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml
@@ -373,7 +373,8 @@ spec:
 requiredClaim:
 description: |-
 requiredClaim allows configuring a required claim name and its expected value.
- This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.
+ This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value.
+ The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.
 properties:
 claim:
 description: |-
@@ -445,9 +446,11 @@ spec: x-kubernetes-list-type: set discoveryURL: description: |- - discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. + By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". - The discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). + The discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. + Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters. maxLength: 2048 minLength: 1 diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml index dc073d48dc4..463de4ce580 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml 
@@ -198,7 +198,8 @@ spec:
 requiredClaim:
 description: |-
 requiredClaim allows configuring a required claim name and its expected value.
- This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.
+ This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value.
+ The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.
 properties:
 claim:
 description: |-
diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml
index 5f3efa0392d..cd78687bc05 100644
--- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml
+++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml
@@ -348,7 +348,8 @@ spec:
 requiredClaim:
 description: |-
 requiredClaim allows configuring a required claim name and its expected value.
- This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.
+ This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value.
+ The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.
 properties:
 claim:
 description: |-
diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml
index f2833ca7d3f..297d974043b 100644
--- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml
+++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml
@@ -223,7 +223,8 @@ spec:
 requiredClaim:
 description: |-
 requiredClaim allows configuring a required claim name and its expected value.
- This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.
+ This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value.
+ The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.
 properties:
 claim:
 description: |-
@@ -295,9 +296,11 @@ spec: x-kubernetes-list-type: set discoveryURL: description: |- - discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. + By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". - The discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). + The discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. + Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters. maxLength: 2048 minLength: 1 diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml index 2f2cf94925d..bf794875440 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml 
@@ -373,7 +373,8 @@ spec: requiredClaim: description: |- requiredClaim allows configuring a required claim name and its expected value. - This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. + This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. + The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. properties: claim: description: |- @@ -445,9 +446,11 @@ spec: x-kubernetes-list-type: set discoveryURL: description: |- - discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. + By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". - The discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). + The discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. + Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters. maxLength: 2048 minLength: 1 diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml index feedd9fd6c6..638923dcd94 100644 
--- a/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml
+++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml
@@ -348,7 +348,8 @@ spec:
 requiredClaim:
 description: |-
 requiredClaim allows configuring a required claim name and its expected value.
- This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.
+ This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value.
+ The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.
 properties:
 claim:
 description: |-
diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml
index 0fc75effce1..a7e4ddf5100 100644
--- a/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml
+++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml
@@ -373,7 +373,8 @@ spec:
 requiredClaim:
 description: |-
 requiredClaim allows configuring a required claim name and its expected value.
- This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.
+ This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value.
+ The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.
 properties:
 claim:
 description: |-
@@ -445,9 +446,11 @@ spec: x-kubernetes-list-type: set discoveryURL: description: |- - discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. + By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". - The discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). + The discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. + Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters. maxLength: 2048 minLength: 1 diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml index aed5298c33d..a8d0d15e745 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml 
@@ -348,7 +348,8 @@ spec:
 requiredClaim:
 description: |-
 requiredClaim allows configuring a required claim name and its expected value.
- This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.
+ This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value.
+ The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.
 properties:
 claim:
 description: |-
diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml
index d569f63979e..ccc6810cec5 100644
--- a/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml
+++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml
@@ -373,7 +373,8 @@ spec:
 requiredClaim:
 description: |-
 requiredClaim allows configuring a required claim name and its expected value.
- This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.
+ This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value.
+ The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.
 properties:
 claim:
 description: |-
@@ -445,9 +446,11 @@ spec: x-kubernetes-list-type: set discoveryURL: description: |- - discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". + discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. + By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". - The discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). + The discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. + Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters. maxLength: 2048 minLength: 1 From 6916ef43cce113c0cf7c57e74c852cc797cfb6dd Mon Sep 17 00:00:00 2001 
From: Evan Hearne
Date: Tue, 20 Jan 2026 11:20:26 +0000
Subject: [PATCH 5/7] update additional multiline comments + update crd
---
 config/v1/types_authentication.go | 78 ++++++-------------
 ...1_authentications-CustomNoUpgrade.crd.yaml | 77 +++++++-----------
 ...erator_01_authentications-Default.crd.yaml | 74 +++++++-----------
 ...thentications-DevPreviewNoUpgrade.crd.yaml | 77 +++++++-----------
 ...g-operator_01_authentications-OKD.crd.yaml | 74 +++++++-----------
 ...hentications-TechPreviewNoUpgrade.crd.yaml | 77 +++++++-----------
 .../ExternalOIDC.yaml | 34 +++-----
 ...ernalOIDCWithUIDAndExtraClaimMappings.yaml | 74 +++++++-----------
 .../ExternalOIDCWithUpstreamParity.yaml | 31 +++-----
 ...1_authentications-CustomNoUpgrade.crd.yaml | 77 +++++++-----------
 ...erator_01_authentications-Default.crd.yaml | 74 +++++++-----------
 ...thentications-DevPreviewNoUpgrade.crd.yaml | 77 +++++++-----------
 ...g-operator_01_authentications-OKD.crd.yaml | 74 +++++++-----------
 ...hentications-TechPreviewNoUpgrade.crd.yaml | 77 +++++++-----------
 14 files changed, 337 insertions(+), 638 deletions(-)
diff --git a/config/v1/types_authentication.go b/config/v1/types_authentication.go
index 9ca80b5a6e9..b3fcf63d1aa 100644
--- a/config/v1/types_authentication.go
+++ b/config/v1/types_authentication.go
@@ -80,8 +80,7 @@ type AuthenticationSpec struct {
 // +optional
 ServiceAccountIssuer string `json:"serviceAccountIssuer"`
 
- // oidcProviders are OIDC identity providers that can issue tokens
- // for this cluster
+ // oidcProviders are OIDC identity providers that can issue tokens for this cluster
 // Can only be set if "Type" is set to "OIDC".
 //
 // At most one provider can be configured.
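Review bot: The reflowed oidcProviders comment still runs two sentences together with no terminal punctuation — `// oidcProviders are OIDC identity providers that can issue tokens for this cluster` is followed directly by `// Can only be set if "Type" is set to "OIDC".`, and that text is copied verbatim into the generated CRD description (visible in the CustomNoUpgrade manifest hunk later in this patch). Since the line is being rewritten anyway, end it with a period: `// oidcProviders are OIDC identity providers that can issue tokens for this cluster.` The AuthenticationSpec struct continues outside the hunk.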
@@ -113,8 +112,7 @@ type AuthenticationStatus struct {
 // +optional
 IntegratedOAuthMetadata ConfigMapNameReference `json:"integratedOAuthMetadata"`
 
- // oidcClients is where participating operators place the current OIDC client status
- // for OIDC clients that can be customized by the cluster-admin.
+ // oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin.
 //
 // +listType=map
 // +listMapKey=componentNamespace
@@ -146,8 +144,7 @@ type AuthenticationType string
 
 const (
 // None means that no cluster managed authentication system is in place.
- // Note that user login will only work if a manually configured system is in place and
- // referenced in authentication spec via oauthMetadata and
+ // Note that user login will only work if a manually configured system is in place and referenced in authentication spec via oauthMetadata and
 // webhookTokenAuthenticator/oidcProviders
 AuthenticationTypeNone AuthenticationType = "None"
 
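Review bot: In the second hunk on this line (the AuthenticationTypeNone comment), the merged line still ends mid-clause with `oauthMetadata and`, leaving `// webhookTokenAuthenticator/oidcProviders` dangling as a separate line, so the flattening this commit sets out to do is incomplete here and the generated description will keep an awkward break. Merge it into one line: `// Note that user login will only work if a manually configured system is in place and referenced in authentication spec via oauthMetadata and webhookTokenAuthenticator/oidcProviders`. The AuthenticationStatus hunk above it is fine.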
@@ -351,52 +348,39 @@ type TokenClaimMappings struct {
 Extra []ExtraMapping `json:"extra,omitempty"`
 }
 
-// TokenClaimMapping allows specifying a JWT token
-// claim to be used when mapping claims from an
-// authentication token to cluster identities.
+// TokenClaimMapping allows specifying a JWT token claim to be used when mapping claims from an authentication token to cluster identities.
 type TokenClaimMapping struct {
- // claim is a required field that configures the JWT token
- // claim whose value is assigned to the cluster identity
- // field associated with this mapping.
+ // claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.
 //
 // +required
 Claim string `json:"claim"`
 }
 
-// TokenClaimOrExpressionMapping allows specifying either a JWT
-// token claim or CEL expression to be used when mapping claims
-// from an authentication token to cluster identities.
+// TokenClaimOrExpressionMapping allows specifying either a JWT token claim or CEL expression to be used when mapping claims from an authentication token to cluster identities.
 // +kubebuilder:validation:XValidation:rule="has(self.claim) ? !has(self.expression) : has(self.expression)",message="precisely one of claim or expression must be set"
 type TokenClaimOrExpressionMapping struct {
- // claim is an optional field for specifying the
- // JWT token claim that is used in the mapping.
- // The value of this claim will be assigned to
- // the field in which this mapping is associated.
+ // claim is an optional field for specifying the JWT token claim that is used in the mapping.
+ // The value of this claim will be assigned to the field in which this mapping is associated.
 //
 // Precisely one of claim or expression must be set.
 // claim must not be specified when expression is set.
- // When specified, claim must be at least 1 character in length
- // and must not exceed 256 characters in length.
+ // When specified, claim must be at least 1 character in length and must not exceed 256 characters in length.
 //
 // +optional
 // +kubebuilder:validation:MaxLength=256
 // +kubebuilder:validation:MinLength=1
 Claim string `json:"claim,omitempty"`
 
- // expression is an optional field for specifying a
- // CEL expression that produces a string value from
- // JWT token claims.
+ // expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims.
 //
- // CEL expressions have access to the token claims
- // through a CEL variable, 'claims'.
+ // CEL expressions have access to the token claims through a CEL variable, 'claims'.
 // 'claims' is a map of claim names to claim values.
 // For example, the 'sub' claim value can be accessed as 'claims.sub'.
 // Nested claims can be accessed using dot notation ('claims.foo.bar').
 //
 // Precisely one of claim or expression must be set.
 // expression must not be specified when claim is set.
- // When specified, expression must be at least 1 character in length
- // and must not exceed 1024 characters in length.
+ // When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length.
 //
 // +optional
 // +kubebuilder:validation:MaxLength=1024
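Review bot: Collapsing the TokenClaimMapping `claim` field comment into a single sentence changes the generated YAML in a way that looks unintended: in the CustomNoUpgrade manifest hunk later in this patch the `claim` description is no longer emitted as a `|-` block scalar but as a plain scalar that the generator soft-wraps across four lines (`description: claim is a required field that configures` / `the JWT token claim whose value is assigned to the` / ...), which is harder to read and diff than the block form it replaces. The same happens to the ExtraMapping type comment in the next hunk. It appears the block form is only used when the comment contains more than one line, as it still is for `expression` and `requiredValue` in this commit — worth confirming against the generator's behavior before settling on the one-line style for comments that consist of a single sentence. TokenClaimOrExpressionMapping continues past the end of this hunk.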
@@ -404,13 +388,9 @@ type TokenClaimOrExpressionMapping struct {
 Expression string `json:"expression,omitempty"`
 }
 
-// ExtraMapping allows specifying a key and CEL expression
-// to evaluate the keys' value. It is used to create additional
-// mappings and attributes added to a cluster identity from
-// a provided authentication token.
+// ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token.
 type ExtraMapping struct {
- // key is a required field that specifies the string
- // to use as the extra attribute key.
+ // key is a required field that specifies the string to use as the extra attribute key.
 //
 // key must be a domain-prefix path (e.g 'example.org/foo').
 // key must not exceed 510 characters in length.
@@ -423,8 +403,7 @@ type ExtraMapping struct {
 // It must only contain lower case alphanumeric characters and '-' or '.'.
 // It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io".
 //
- // The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one
- // alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'.
+ // The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'.
 // It must not exceed 256 characters in length.
 //
 // +required
@@ -446,14 +425,12 @@ type ExtraMapping struct {
 // +kubebuilder:validation:XValidation:rule="self.split('/', 2)[1].size() <= 256",message="the path of the key must not exceed 256 characters in length"
 Key string `json:"key"`
 
- // valueExpression is a required field to specify the CEL expression to extract
- // the extra attribute value from a JWT token's claims.
+ // valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims.
 // valueExpression must produce a string or string array value.
 // "", [], and null are treated as the extra mapping not being present.
 // Empty string values within an array are filtered out.
 //
- // CEL expressions have access to the token claims
- // through a CEL variable, 'claims'.
+ // CEL expressions have access to the token claims through a CEL variable, 'claims'.
 // 'claims' is a map of claim names to claim values.
 // For example, the 'sub' claim value can be accessed as 'claims.sub'.
 // Nested claims can be accessed using dot notation ('claims.foo.bar').
@@ -677,9 +654,7 @@ var (
 // UsernamePrefix configures the string that should
 // be used as a prefix for username claim mappings.
 type UsernamePrefix struct {
- // prefixString is a required field that configures the prefix that will
- // be applied to cluster identity username attribute
- // during the process of mapping JWT claims to cluster identity attributes.
+ // prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes.
 //
 // prefixString must not be an empty string ("").
 //
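Review bot: The second hunk on this line leaves the UsernamePrefix type comment as two lines (`// UsernamePrefix configures the string that should` / `// be used as a prefix for username claim mappings.`) while the prefixString field comment directly beneath it is flattened, and this commit flattens the type comments of TokenClaimMapping, TokenClaimOrExpressionMapping and ExtraMapping. For consistency with the rest of the change, merge it: `// UsernamePrefix configures the string that should be used as a prefix for username claim mappings.` Those two lines are context here, so the hunk would need to grow by a line to include the change; the UsernamePrefix struct continues outside the hunk.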
@@ -693,15 +668,11 @@ type UsernamePrefix struct {
 type PrefixedClaimMapping struct {
 TokenClaimMapping `json:",inline"`
 
- // prefix is an optional field that configures the prefix that will be
- // applied to the cluster identity attribute during the process of mapping
- // JWT claims to cluster identity attributes.
+ // prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.
 //
 // When omitted (""), no prefix is applied to the cluster identity attribute.
 //
- // Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains
- // an array of strings "a", "b" and "c", the mapping will result in an
- // array of string "myoidc:a", "myoidc:b" and "myoidc:c".
+ // Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
 //
 // +optional
 Prefix string `json:"prefix"`
@@ -765,10 +736,8 @@ type TokenRequiredClaim struct {
 // +required
 Claim string `json:"claim"`
 
- // requiredValue is a required field that configures the value that 'claim' must
- // have when taken from the incoming JWT claims.
- // If the value in the JWT claims does not match, the token
- // will be rejected for authentication.
+ // requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims.
+ // If the value in the JWT claims does not match, the token will be rejected for authentication.
 //
 // requiredValue must not be an empty string ("").
 //
@@ -787,8 +756,7 @@ type TokenClaimValidationCELRule struct {
 // +required
 Expression string `json:"expression,omitempty"`
 
- // message is a required human-readable message to be logged by the Kubernetes API server
- // if the CEL expression defined in 'expression' fails.
+ // message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails.
 // message must be at least 1 character in length and must not exceed 256 characters.
 // +required
 // +kubebuilder:validation:MinLength=1
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
index bf794875440..72fe9ed235e 100644
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
@@ -71,8 +71,7 @@ spec:
 type: object
 oidcProviders:
 description: |-
- oidcProviders are OIDC identity providers that can issue tokens
- for this cluster
+ oidcProviders are OIDC identity providers that can issue tokens for this cluster
 Can only be set if "Type" is set to "OIDC".
 
 At most one provider can be configured.
@@ -92,16 +91,14 @@ spec:
 key values for extra mappings must be unique.
 A maximum of 32 extra attribute mappings may be provided.
 items:
- description: |-
- ExtraMapping allows specifying a key and CEL expression
- to evaluate the keys' value. It is used to create additional
- mappings and attributes added to a cluster identity from
- a provided authentication token.
+ description: ExtraMapping allows specifying a key and
+ CEL expression to evaluate the keys' value. It is used
+ to create additional mappings and attributes added to
+ a cluster identity from a provided authentication token.
 properties:
 key:
 description: |-
- key is a required field that specifies the string
- to use as the extra attribute key.
+ key is a required field that specifies the string to use as the extra attribute key.
 
 key must be a domain-prefix path (e.g 'example.org/foo').
 key must not exceed 510 characters in length.
@@ -114,8 +111,7 @@ spec:
 It must only contain lower case alphanumeric characters and '-' or '.'.
 It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io".
 
- The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one
- alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'.
+ The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'.
 It must not exceed 256 characters in length.
 maxLength: 510
 minLength: 1
@@ -159,14 +155,12 @@ spec:
 rule: self.split('/', 2)[1].size() <= 256
 valueExpression:
 description: |-
- valueExpression is a required field to specify the CEL expression to extract
- the extra attribute value from a JWT token's claims.
+ valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims.
 valueExpression must produce a string or string array value.
 "", [], and null are treated as the extra mapping not being present.
 Empty string values within an array are filtered out.
 
- CEL expressions have access to the token claims
- through a CEL variable, 'claims'.
+ CEL expressions have access to the token claims through a CEL variable, 'claims'.
 'claims' is a map of claim names to claim values.
 For example, the 'sub' claim value can be accessed as 'claims.sub'.
 Nested claims can be accessed using dot notation ('claims.foo.bar').
@@ -194,22 +188,17 @@ spec:
 For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values.
 properties:
 claim:
- description: |-
- claim is a required field that configures the JWT token
- claim whose value is assigned to the cluster identity
- field associated with this mapping.
+ description: claim is a required field that configures
+ the JWT token claim whose value is assigned to the
+ cluster identity field associated with this mapping.
 type: string
 prefix:
 description: |-
- prefix is an optional field that configures the prefix that will be
- applied to the cluster identity attribute during the process of mapping
- JWT claims to cluster identity attributes.
+ prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.
 
 When omitted (""), no prefix is applied to the cluster identity attribute.
 
- Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains
- an array of strings "a", "b" and "c", the mapping will result in an
- array of string "myoidc:a", "myoidc:b" and "myoidc:c".
+ Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
 type: string
 required:
 - claim
@@ -227,34 +216,27 @@ spec: properties: claim: description: |- - claim is an optional field for specifying the - JWT token claim that is used in the mapping. - The value of this claim will be assigned to - the field in which this mapping is associated. + claim is an optional field for specifying the JWT token claim that is used in the mapping. + The value of this claim will be assigned to the field in which this mapping is associated. Precisely one of claim or expression must be set. claim must not be specified when expression is set. - When specified, claim must be at least 1 character in length - and must not exceed 256 characters in length. + When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string expression: description: |- - expression is an optional field for specifying a - CEL expression that produces a string value from - JWT token claims. + expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). Precisely one of claim or expression must be set. expression must not be specified when claim is set. - When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. + When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. maxLength: 1024 minLength: 1 type: string 
@@ -285,9 +267,7 @@ spec: properties: prefixString: description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. + prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. prefixString must not be an empty string (""). minLength: 1 @@ -360,8 +340,7 @@ spec: type: string message: description: |- - message is a required human-readable message to be logged by the Kubernetes API server - if the CEL expression defined in 'expression' fails. + message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters. maxLength: 256 minLength: 1 @@ -386,10 +365,8 @@ spec: type: string requiredValue: description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. + requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token will be rejected for authentication. requiredValue must not be an empty string (""). minLength: 1 
@@ -757,9 +734,9 @@ spec: - name type: object oidcClients: - description: |- - oidcClients is where participating operators place the current OIDC client status - for OIDC clients that can be customized by the cluster-admin. + description: oidcClients is where participating operators place the + current OIDC client status for OIDC clients that can be customized + by the cluster-admin. items: description: |- OIDCClientStatus represents the current state diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml index 638923dcd94..1d2275431d6 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml @@ -71,8 +71,7 @@ spec: type: object oidcProviders: description: |- - oidcProviders are OIDC identity providers that can issue tokens - for this cluster + oidcProviders are OIDC identity providers that can issue tokens for this cluster Can only be set if "Type" is set to "OIDC". At most one provider can be configured. 
@@ -92,16 +91,14 @@ spec: key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided. items: - description: |- - ExtraMapping allows specifying a key and CEL expression - to evaluate the keys' value. It is used to create additional - mappings and attributes added to a cluster identity from - a provided authentication token. + description: ExtraMapping allows specifying a key and + CEL expression to evaluate the keys' value. It is used + to create additional mappings and attributes added to + a cluster identity from a provided authentication token. properties: key: description: |- - key is a required field that specifies the string - to use as the extra attribute key. + key is a required field that specifies the string to use as the extra attribute key. key must be a domain-prefix path (e.g 'example.org/foo'). key must not exceed 510 characters in length. @@ -114,8 +111,7 @@ spec: It must only contain lower case alphanumeric characters and '-' or '.'. It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one - alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. It must not exceed 256 characters in length. maxLength: 510 minLength: 1 
@@ -159,14 +155,12 @@ spec: rule: self.split('/', 2)[1].size() <= 256 valueExpression: description: |- - valueExpression is a required field to specify the CEL expression to extract - the extra attribute value from a JWT token's claims. + valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. "", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). 
@@ -194,22 +188,17 @@ spec: For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a required field that configures + the JWT token claim whose value is assigned to the + cluster identity field associated with this mapping. type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string required: - claim 
@@ -227,34 +216,27 @@ spec: properties: claim: description: |- - claim is an optional field for specifying the - JWT token claim that is used in the mapping. - The value of this claim will be assigned to - the field in which this mapping is associated. + claim is an optional field for specifying the JWT token claim that is used in the mapping. + The value of this claim will be assigned to the field in which this mapping is associated. Precisely one of claim or expression must be set. claim must not be specified when expression is set. - When specified, claim must be at least 1 character in length - and must not exceed 256 characters in length. + When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string expression: description: |- - expression is an optional field for specifying a - CEL expression that produces a string value from - JWT token claims. + expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). Precisely one of claim or expression must be set. expression must not be specified when claim is set. - When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. + When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. maxLength: 1024 minLength: 1 type: string 
@@ -285,9 +267,7 @@ spec: properties: prefixString: description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. + prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. prefixString must not be an empty string (""). minLength: 1 @@ -361,10 +341,8 @@ spec: type: string requiredValue: description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. + requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token will be rejected for authentication. requiredValue must not be an empty string (""). minLength: 1 @@ -661,9 +639,9 @@ spec: - name type: object oidcClients: - description: |- - oidcClients is where participating operators place the current OIDC client status - for OIDC clients that can be customized by the cluster-admin. + description: oidcClients is where participating operators place the + current OIDC client status for OIDC clients that can be customized + by the cluster-admin. items: description: |- OIDCClientStatus represents the current state diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml index a7e4ddf5100..9227be30b43 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml 
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml @@ -71,8 +71,7 @@ spec: type: object oidcProviders: description: |- - oidcProviders are OIDC identity providers that can issue tokens - for this cluster + oidcProviders are OIDC identity providers that can issue tokens for this cluster Can only be set if "Type" is set to "OIDC". At most one provider can be configured. @@ -92,16 +91,14 @@ spec: key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided. items: - description: |- - ExtraMapping allows specifying a key and CEL expression - to evaluate the keys' value. It is used to create additional - mappings and attributes added to a cluster identity from - a provided authentication token. + description: ExtraMapping allows specifying a key and + CEL expression to evaluate the keys' value. It is used + to create additional mappings and attributes added to + a cluster identity from a provided authentication token. properties: key: description: |- - key is a required field that specifies the string - to use as the extra attribute key. + key is a required field that specifies the string to use as the extra attribute key. key must be a domain-prefix path (e.g 'example.org/foo'). key must not exceed 510 characters in length. 
@@ -114,8 +111,7 @@ spec: It must only contain lower case alphanumeric characters and '-' or '.'. It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one - alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. It must not exceed 256 characters in length. maxLength: 510 minLength: 1 @@ -159,14 +155,12 @@ spec: rule: self.split('/', 2)[1].size() <= 256 valueExpression: description: |- - valueExpression is a required field to specify the CEL expression to extract - the extra attribute value from a JWT token's claims. + valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. "", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). 
@@ -194,22 +188,17 @@ spec: For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a required field that configures + the JWT token claim whose value is assigned to the + cluster identity field associated with this mapping. type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string required: - claim 
@@ -227,34 +216,27 @@ spec: properties: claim: description: |- - claim is an optional field for specifying the - JWT token claim that is used in the mapping. - The value of this claim will be assigned to - the field in which this mapping is associated. + claim is an optional field for specifying the JWT token claim that is used in the mapping. + The value of this claim will be assigned to the field in which this mapping is associated. Precisely one of claim or expression must be set. claim must not be specified when expression is set. - When specified, claim must be at least 1 character in length - and must not exceed 256 characters in length. + When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string expression: description: |- - expression is an optional field for specifying a - CEL expression that produces a string value from - JWT token claims. + expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). Precisely one of claim or expression must be set. expression must not be specified when claim is set. - When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. + When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. maxLength: 1024 minLength: 1 type: string 
@@ -285,9 +267,7 @@ spec: properties: prefixString: description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. + prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. prefixString must not be an empty string (""). minLength: 1 @@ -360,8 +340,7 @@ spec: type: string message: description: |- - message is a required human-readable message to be logged by the Kubernetes API server - if the CEL expression defined in 'expression' fails. + message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters. maxLength: 256 minLength: 1 @@ -386,10 +365,8 @@ spec: type: string requiredValue: description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. + requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token will be rejected for authentication. requiredValue must not be an empty string (""). minLength: 1 
@@ -757,9 +734,9 @@ spec: - name type: object oidcClients: - description: |- - oidcClients is where participating operators place the current OIDC client status - for OIDC clients that can be customized by the cluster-admin. + description: oidcClients is where participating operators place the + current OIDC client status for OIDC clients that can be customized + by the cluster-admin. items: description: |- OIDCClientStatus represents the current state diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml index a8d0d15e745..f6a52d7606d 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml @@ -71,8 +71,7 @@ spec: type: object oidcProviders: description: |- - oidcProviders are OIDC identity providers that can issue tokens - for this cluster + oidcProviders are OIDC identity providers that can issue tokens for this cluster Can only be set if "Type" is set to "OIDC". At most one provider can be configured. 
@@ -92,16 +91,14 @@ spec: key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided. items: - description: |- - ExtraMapping allows specifying a key and CEL expression - to evaluate the keys' value. It is used to create additional - mappings and attributes added to a cluster identity from - a provided authentication token. + description: ExtraMapping allows specifying a key and + CEL expression to evaluate the keys' value. It is used + to create additional mappings and attributes added to + a cluster identity from a provided authentication token. properties: key: description: |- - key is a required field that specifies the string - to use as the extra attribute key. + key is a required field that specifies the string to use as the extra attribute key. key must be a domain-prefix path (e.g 'example.org/foo'). key must not exceed 510 characters in length. @@ -114,8 +111,7 @@ spec: It must only contain lower case alphanumeric characters and '-' or '.'. It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one - alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. It must not exceed 256 characters in length. maxLength: 510 minLength: 1 
@@ -159,14 +155,12 @@ spec: rule: self.split('/', 2)[1].size() <= 256 valueExpression: description: |- - valueExpression is a required field to specify the CEL expression to extract - the extra attribute value from a JWT token's claims. + valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. "", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). 
@@ -194,22 +188,17 @@ spec: For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a required field that configures + the JWT token claim whose value is assigned to the + cluster identity field associated with this mapping. type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string required: - claim 
@@ -227,34 +216,27 @@ spec: properties: claim: description: |- - claim is an optional field for specifying the - JWT token claim that is used in the mapping. - The value of this claim will be assigned to - the field in which this mapping is associated. + claim is an optional field for specifying the JWT token claim that is used in the mapping. + The value of this claim will be assigned to the field in which this mapping is associated. Precisely one of claim or expression must be set. claim must not be specified when expression is set. - When specified, claim must be at least 1 character in length - and must not exceed 256 characters in length. + When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string expression: description: |- - expression is an optional field for specifying a - CEL expression that produces a string value from - JWT token claims. + expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). Precisely one of claim or expression must be set. expression must not be specified when claim is set. - When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. + When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. maxLength: 1024 minLength: 1 type: string 
@@ -285,9 +267,7 @@ spec: properties: prefixString: description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. + prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. prefixString must not be an empty string (""). minLength: 1 @@ -361,10 +341,8 @@ spec: type: string requiredValue: description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. + requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token will be rejected for authentication. requiredValue must not be an empty string (""). minLength: 1 @@ -661,9 +639,9 @@ spec: - name type: object oidcClients: - description: |- - oidcClients is where participating operators place the current OIDC client status - for OIDC clients that can be customized by the cluster-admin. + description: oidcClients is where participating operators place the + current OIDC client status for OIDC clients that can be customized + by the cluster-admin. items: description: |- OIDCClientStatus represents the current state diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml index ccc6810cec5..5df277bf4cc 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml 
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml @@ -71,8 +71,7 @@ spec: type: object oidcProviders: description: |- - oidcProviders are OIDC identity providers that can issue tokens - for this cluster + oidcProviders are OIDC identity providers that can issue tokens for this cluster Can only be set if "Type" is set to "OIDC". At most one provider can be configured. @@ -92,16 +91,14 @@ spec: key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided. items: - description: |- - ExtraMapping allows specifying a key and CEL expression - to evaluate the keys' value. It is used to create additional - mappings and attributes added to a cluster identity from - a provided authentication token. + description: ExtraMapping allows specifying a key and + CEL expression to evaluate the keys' value. It is used + to create additional mappings and attributes added to + a cluster identity from a provided authentication token. properties: key: description: |- - key is a required field that specifies the string - to use as the extra attribute key. + key is a required field that specifies the string to use as the extra attribute key. key must be a domain-prefix path (e.g 'example.org/foo'). key must not exceed 510 characters in length. 
@@ -114,8 +111,7 @@ spec: It must only contain lower case alphanumeric characters and '-' or '.'. It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one - alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. It must not exceed 256 characters in length. maxLength: 510 minLength: 1 @@ -159,14 +155,12 @@ spec: rule: self.split('/', 2)[1].size() <= 256 valueExpression: description: |- - valueExpression is a required field to specify the CEL expression to extract - the extra attribute value from a JWT token's claims. + valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. "", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). 
@@ -194,22 +188,17 @@ spec: For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a required field that configures + the JWT token claim whose value is assigned to the + cluster identity field associated with this mapping. type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string required: - claim 
@@ -227,34 +216,27 @@ spec: properties: claim: description: |- - claim is an optional field for specifying the - JWT token claim that is used in the mapping. - The value of this claim will be assigned to - the field in which this mapping is associated. + claim is an optional field for specifying the JWT token claim that is used in the mapping. + The value of this claim will be assigned to the field in which this mapping is associated. Precisely one of claim or expression must be set. claim must not be specified when expression is set. - When specified, claim must be at least 1 character in length - and must not exceed 256 characters in length. + When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string expression: description: |- - expression is an optional field for specifying a - CEL expression that produces a string value from - JWT token claims. + expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). Precisely one of claim or expression must be set. expression must not be specified when claim is set. - When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. + When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. maxLength: 1024 minLength: 1 type: string 
@@ -285,9 +267,7 @@ spec: properties: prefixString: description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. + prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. prefixString must not be an empty string (""). minLength: 1 @@ -360,8 +340,7 @@ spec: type: string message: description: |- - message is a required human-readable message to be logged by the Kubernetes API server - if the CEL expression defined in 'expression' fails. + message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters. maxLength: 256 minLength: 1 @@ -386,10 +365,8 @@ spec: type: string requiredValue: description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. + requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token will be rejected for authentication. requiredValue must not be an empty string (""). minLength: 1 
@@ -757,9 +734,9 @@ spec: - name type: object oidcClients: - description: |- - oidcClients is where participating operators place the current OIDC client status - for OIDC clients that can be customized by the cluster-admin. + description: oidcClients is where participating operators place the + current OIDC client status for OIDC clients that can be customized + by the cluster-admin. items: description: |- OIDCClientStatus represents the current state diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml index 463de4ce580..92081fff2c1 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml @@ -71,8 +71,7 @@ spec: type: object oidcProviders: description: |- - oidcProviders are OIDC identity providers that can issue tokens - for this cluster + oidcProviders are OIDC identity providers that can issue tokens for this cluster Can only be set if "Type" is set to "OIDC". At most one provider can be configured. 
@@ -93,22 +92,17 @@ spec: For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a required field that configures + the JWT token claim whose value is assigned to the + cluster identity field associated with this mapping. type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string required: - claim @@ -135,9 +129,7 @@ spec: properties: prefixString: description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. + prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. prefixString must not be an empty string (""). minLength: 1 
@@ -211,10 +203,8 @@ spec: type: string requiredValue: description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. + requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token will be rejected for authentication. requiredValue must not be an empty string (""). minLength: 1 @@ -511,9 +501,9 @@ spec: - name type: object oidcClients: - description: |- - oidcClients is where participating operators place the current OIDC client status - for OIDC clients that can be customized by the cluster-admin. + description: oidcClients is where participating operators place the + current OIDC client status for OIDC clients that can be customized + by the cluster-admin. items: description: |- OIDCClientStatus represents the current state diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml index cd78687bc05..b8f5d7c057c 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml @@ -71,8 +71,7 @@ spec: type: object oidcProviders: description: |- - oidcProviders are OIDC identity providers that can issue tokens - for this cluster + oidcProviders are OIDC identity providers that can issue tokens for this cluster Can only be set if "Type" is set to "OIDC". At most one provider can be configured. 
@@ -92,16 +91,14 @@ spec: key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided. items: - description: |- - ExtraMapping allows specifying a key and CEL expression - to evaluate the keys' value. It is used to create additional - mappings and attributes added to a cluster identity from - a provided authentication token. + description: ExtraMapping allows specifying a key and + CEL expression to evaluate the keys' value. It is used + to create additional mappings and attributes added to + a cluster identity from a provided authentication token. properties: key: description: |- - key is a required field that specifies the string - to use as the extra attribute key. + key is a required field that specifies the string to use as the extra attribute key. key must be a domain-prefix path (e.g 'example.org/foo'). key must not exceed 510 characters in length. @@ -114,8 +111,7 @@ spec: It must only contain lower case alphanumeric characters and '-' or '.'. It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one - alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. It must not exceed 256 characters in length. maxLength: 510 minLength: 1 
@@ -159,14 +155,12 @@ spec: rule: self.split('/', 2)[1].size() <= 256 valueExpression: description: |- - valueExpression is a required field to specify the CEL expression to extract - the extra attribute value from a JWT token's claims. + valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. "", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). 
@@ -194,22 +188,17 @@ spec: For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a required field that configures + the JWT token claim whose value is assigned to the + cluster identity field associated with this mapping. type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string required: - claim 
@@ -227,34 +216,27 @@ spec: properties: claim: description: |- - claim is an optional field for specifying the - JWT token claim that is used in the mapping. - The value of this claim will be assigned to - the field in which this mapping is associated. + claim is an optional field for specifying the JWT token claim that is used in the mapping. + The value of this claim will be assigned to the field in which this mapping is associated. Precisely one of claim or expression must be set. claim must not be specified when expression is set. - When specified, claim must be at least 1 character in length - and must not exceed 256 characters in length. + When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string expression: description: |- - expression is an optional field for specifying a - CEL expression that produces a string value from - JWT token claims. + expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). Precisely one of claim or expression must be set. expression must not be specified when claim is set. - When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. + When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. maxLength: 1024 minLength: 1 type: string 
@@ -285,9 +267,7 @@ spec: properties: prefixString: description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. + prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. prefixString must not be an empty string (""). minLength: 1 @@ -361,10 +341,8 @@ spec: type: string requiredValue: description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. + requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token will be rejected for authentication. requiredValue must not be an empty string (""). minLength: 1 @@ -661,9 +639,9 @@ spec: - name type: object oidcClients: - description: |- - oidcClients is where participating operators place the current OIDC client status - for OIDC clients that can be customized by the cluster-admin. + description: oidcClients is where participating operators place the + current OIDC client status for OIDC clients that can be customized + by the cluster-admin. items: description: |- OIDCClientStatus represents the current state diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml index 297d974043b..2af9aeadb5c 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml 
+++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml @@ -71,8 +71,7 @@ spec: type: object oidcProviders: description: |- - oidcProviders are OIDC identity providers that can issue tokens - for this cluster + oidcProviders are OIDC identity providers that can issue tokens for this cluster Can only be set if "Type" is set to "OIDC". At most one provider can be configured. @@ -93,22 +92,17 @@ spec: For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a required field that configures + the JWT token claim whose value is assigned to the + cluster identity field associated with this mapping. type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string required: - claim 
@@ -135,9 +129,7 @@ spec: properties: prefixString: description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. + prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. prefixString must not be an empty string (""). minLength: 1 @@ -210,8 +202,7 @@ spec: type: string message: description: |- - message is a required human-readable message to be logged by the Kubernetes API server - if the CEL expression defined in 'expression' fails. + message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters. maxLength: 256 minLength: 1 @@ -236,10 +227,8 @@ spec: type: string requiredValue: description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. + requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token will be rejected for authentication. requiredValue must not be an empty string (""). minLength: 1 diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml index bf794875440..72fe9ed235e 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml 
@@ -71,8 +71,7 @@ spec: type: object oidcProviders: description: |- - oidcProviders are OIDC identity providers that can issue tokens - for this cluster + oidcProviders are OIDC identity providers that can issue tokens for this cluster Can only be set if "Type" is set to "OIDC". At most one provider can be configured. @@ -92,16 +91,14 @@ spec: key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided. items: - description: |- - ExtraMapping allows specifying a key and CEL expression - to evaluate the keys' value. It is used to create additional - mappings and attributes added to a cluster identity from - a provided authentication token. + description: ExtraMapping allows specifying a key and + CEL expression to evaluate the keys' value. It is used + to create additional mappings and attributes added to + a cluster identity from a provided authentication token. properties: key: description: |- - key is a required field that specifies the string - to use as the extra attribute key. + key is a required field that specifies the string to use as the extra attribute key. key must be a domain-prefix path (e.g 'example.org/foo'). key must not exceed 510 characters in length. 
@@ -114,8 +111,7 @@ spec: It must only contain lower case alphanumeric characters and '-' or '.'. It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one - alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. It must not exceed 256 characters in length. maxLength: 510 minLength: 1 @@ -159,14 +155,12 @@ spec: rule: self.split('/', 2)[1].size() <= 256 valueExpression: description: |- - valueExpression is a required field to specify the CEL expression to extract - the extra attribute value from a JWT token's claims. + valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. "", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). 
@@ -194,22 +188,17 @@ spec: For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a required field that configures + the JWT token claim whose value is assigned to the + cluster identity field associated with this mapping. type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string required: - claim 
@@ -227,34 +216,27 @@ spec: properties: claim: description: |- - claim is an optional field for specifying the - JWT token claim that is used in the mapping. - The value of this claim will be assigned to - the field in which this mapping is associated. + claim is an optional field for specifying the JWT token claim that is used in the mapping. + The value of this claim will be assigned to the field in which this mapping is associated. Precisely one of claim or expression must be set. claim must not be specified when expression is set. - When specified, claim must be at least 1 character in length - and must not exceed 256 characters in length. + When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string expression: description: |- - expression is an optional field for specifying a - CEL expression that produces a string value from - JWT token claims. + expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). Precisely one of claim or expression must be set. expression must not be specified when claim is set. - When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. + When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. maxLength: 1024 minLength: 1 type: string 
@@ -285,9 +267,7 @@ spec: properties: prefixString: description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. + prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. prefixString must not be an empty string (""). minLength: 1 @@ -360,8 +340,7 @@ spec: type: string message: description: |- - message is a required human-readable message to be logged by the Kubernetes API server - if the CEL expression defined in 'expression' fails. + message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters. maxLength: 256 minLength: 1 @@ -386,10 +365,8 @@ spec: type: string requiredValue: description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. + requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token will be rejected for authentication. requiredValue must not be an empty string (""). minLength: 1 
@@ -757,9 +734,9 @@ spec: - name type: object oidcClients: - description: |- - oidcClients is where participating operators place the current OIDC client status - for OIDC clients that can be customized by the cluster-admin. + description: oidcClients is where participating operators place the + current OIDC client status for OIDC clients that can be customized + by the cluster-admin. items: description: |- OIDCClientStatus represents the current state diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml index 638923dcd94..1d2275431d6 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml @@ -71,8 +71,7 @@ spec: type: object oidcProviders: description: |- - oidcProviders are OIDC identity providers that can issue tokens - for this cluster + oidcProviders are OIDC identity providers that can issue tokens for this cluster Can only be set if "Type" is set to "OIDC". At most one provider can be configured. 
@@ -92,16 +91,14 @@ spec: key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided. items: - description: |- - ExtraMapping allows specifying a key and CEL expression - to evaluate the keys' value. It is used to create additional - mappings and attributes added to a cluster identity from - a provided authentication token. + description: ExtraMapping allows specifying a key and + CEL expression to evaluate the keys' value. It is used + to create additional mappings and attributes added to + a cluster identity from a provided authentication token. properties: key: description: |- - key is a required field that specifies the string - to use as the extra attribute key. + key is a required field that specifies the string to use as the extra attribute key. key must be a domain-prefix path (e.g 'example.org/foo'). key must not exceed 510 characters in length. @@ -114,8 +111,7 @@ spec: It must only contain lower case alphanumeric characters and '-' or '.'. It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one - alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. It must not exceed 256 characters in length. maxLength: 510 minLength: 1 
@@ -159,14 +155,12 @@ spec: rule: self.split('/', 2)[1].size() <= 256 valueExpression: description: |- - valueExpression is a required field to specify the CEL expression to extract - the extra attribute value from a JWT token's claims. + valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. "", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). 
@@ -194,22 +188,17 @@ spec: For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a required field that configures + the JWT token claim whose value is assigned to the + cluster identity field associated with this mapping. type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string required: - claim 
@@ -227,34 +216,27 @@ spec: properties: claim: description: |- - claim is an optional field for specifying the - JWT token claim that is used in the mapping. - The value of this claim will be assigned to - the field in which this mapping is associated. + claim is an optional field for specifying the JWT token claim that is used in the mapping. + The value of this claim will be assigned to the field in which this mapping is associated. Precisely one of claim or expression must be set. claim must not be specified when expression is set. - When specified, claim must be at least 1 character in length - and must not exceed 256 characters in length. + When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string expression: description: |- - expression is an optional field for specifying a - CEL expression that produces a string value from - JWT token claims. + expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). Precisely one of claim or expression must be set. expression must not be specified when claim is set. - When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. + When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. maxLength: 1024 minLength: 1 type: string 
@@ -285,9 +267,7 @@ spec: properties: prefixString: description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. + prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. prefixString must not be an empty string (""). minLength: 1 @@ -361,10 +341,8 @@ spec: type: string requiredValue: description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. + requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token will be rejected for authentication. requiredValue must not be an empty string (""). minLength: 1 @@ -661,9 +639,9 @@ spec: - name type: object oidcClients: - description: |- - oidcClients is where participating operators place the current OIDC client status - for OIDC clients that can be customized by the cluster-admin. + description: oidcClients is where participating operators place the + current OIDC client status for OIDC clients that can be customized + by the cluster-admin. items: description: |- OIDCClientStatus represents the current state diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml index a7e4ddf5100..9227be30b43 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml 
+++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml @@ -71,8 +71,7 @@ spec: type: object oidcProviders: description: |- - oidcProviders are OIDC identity providers that can issue tokens - for this cluster + oidcProviders are OIDC identity providers that can issue tokens for this cluster Can only be set if "Type" is set to "OIDC". At most one provider can be configured. @@ -92,16 +91,14 @@ spec: key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided. items: - description: |- - ExtraMapping allows specifying a key and CEL expression - to evaluate the keys' value. It is used to create additional - mappings and attributes added to a cluster identity from - a provided authentication token. + description: ExtraMapping allows specifying a key and + CEL expression to evaluate the keys' value. It is used + to create additional mappings and attributes added to + a cluster identity from a provided authentication token. properties: key: description: |- - key is a required field that specifies the string - to use as the extra attribute key. + key is a required field that specifies the string to use as the extra attribute key. key must be a domain-prefix path (e.g 'example.org/foo'). key must not exceed 510 characters in length. 
@@ -114,8 +111,7 @@ spec: It must only contain lower case alphanumeric characters and '-' or '.'. It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one - alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. It must not exceed 256 characters in length. maxLength: 510 minLength: 1 @@ -159,14 +155,12 @@ spec: rule: self.split('/', 2)[1].size() <= 256 valueExpression: description: |- - valueExpression is a required field to specify the CEL expression to extract - the extra attribute value from a JWT token's claims. + valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. "", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). 
@@ -194,22 +188,17 @@ spec: For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a required field that configures + the JWT token claim whose value is assigned to the + cluster identity field associated with this mapping. type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string required: - claim 
@@ -227,34 +216,27 @@ spec: properties: claim: description: |- - claim is an optional field for specifying the - JWT token claim that is used in the mapping. - The value of this claim will be assigned to - the field in which this mapping is associated. + claim is an optional field for specifying the JWT token claim that is used in the mapping. + The value of this claim will be assigned to the field in which this mapping is associated. Precisely one of claim or expression must be set. claim must not be specified when expression is set. - When specified, claim must be at least 1 character in length - and must not exceed 256 characters in length. + When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string expression: description: |- - expression is an optional field for specifying a - CEL expression that produces a string value from - JWT token claims. + expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). Precisely one of claim or expression must be set. expression must not be specified when claim is set. - When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. + When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. maxLength: 1024 minLength: 1 type: string 
@@ -285,9 +267,7 @@ spec: properties: prefixString: description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. + prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. prefixString must not be an empty string (""). minLength: 1 @@ -360,8 +340,7 @@ spec: type: string message: description: |- - message is a required human-readable message to be logged by the Kubernetes API server - if the CEL expression defined in 'expression' fails. + message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters. maxLength: 256 minLength: 1 @@ -386,10 +365,8 @@ spec: type: string requiredValue: description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. + requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token will be rejected for authentication. requiredValue must not be an empty string (""). minLength: 1 
@@ -757,9 +734,9 @@ spec: - name type: object oidcClients: - description: |- - oidcClients is where participating operators place the current OIDC client status - for OIDC clients that can be customized by the cluster-admin. + description: oidcClients is where participating operators place the + current OIDC client status for OIDC clients that can be customized + by the cluster-admin. items: description: |- OIDCClientStatus represents the current state diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml index a8d0d15e745..f6a52d7606d 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml @@ -71,8 +71,7 @@ spec: type: object oidcProviders: description: |- - oidcProviders are OIDC identity providers that can issue tokens - for this cluster + oidcProviders are OIDC identity providers that can issue tokens for this cluster Can only be set if "Type" is set to "OIDC". At most one provider can be configured. 
@@ -92,16 +91,14 @@ spec: key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided. items: - description: |- - ExtraMapping allows specifying a key and CEL expression - to evaluate the keys' value. It is used to create additional - mappings and attributes added to a cluster identity from - a provided authentication token. + description: ExtraMapping allows specifying a key and + CEL expression to evaluate the keys' value. It is used + to create additional mappings and attributes added to + a cluster identity from a provided authentication token. properties: key: description: |- - key is a required field that specifies the string - to use as the extra attribute key. + key is a required field that specifies the string to use as the extra attribute key. key must be a domain-prefix path (e.g 'example.org/foo'). key must not exceed 510 characters in length. @@ -114,8 +111,7 @@ spec: It must only contain lower case alphanumeric characters and '-' or '.'. It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one - alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. It must not exceed 256 characters in length. maxLength: 510 minLength: 1 
@@ -159,14 +155,12 @@ spec: rule: self.split('/', 2)[1].size() <= 256 valueExpression: description: |- - valueExpression is a required field to specify the CEL expression to extract - the extra attribute value from a JWT token's claims. + valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. "", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). 
@@ -194,22 +188,17 @@ spec: For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a required field that configures + the JWT token claim whose value is assigned to the + cluster identity field associated with this mapping. type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string required: - claim 
@@ -227,34 +216,27 @@ spec: properties: claim: description: |- - claim is an optional field for specifying the - JWT token claim that is used in the mapping. - The value of this claim will be assigned to - the field in which this mapping is associated. + claim is an optional field for specifying the JWT token claim that is used in the mapping. + The value of this claim will be assigned to the field in which this mapping is associated. Precisely one of claim or expression must be set. claim must not be specified when expression is set. - When specified, claim must be at least 1 character in length - and must not exceed 256 characters in length. + When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string expression: description: |- - expression is an optional field for specifying a - CEL expression that produces a string value from - JWT token claims. + expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). Precisely one of claim or expression must be set. expression must not be specified when claim is set. - When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. + When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. maxLength: 1024 minLength: 1 type: string 
@@ -285,9 +267,7 @@ spec: properties: prefixString: description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. + prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. prefixString must not be an empty string (""). minLength: 1 @@ -361,10 +341,8 @@ spec: type: string requiredValue: description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. + requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token will be rejected for authentication. requiredValue must not be an empty string (""). minLength: 1 @@ -661,9 +639,9 @@ spec: - name type: object oidcClients: - description: |- - oidcClients is where participating operators place the current OIDC client status - for OIDC clients that can be customized by the cluster-admin. + description: oidcClients is where participating operators place the + current OIDC client status for OIDC clients that can be customized + by the cluster-admin. items: description: |- OIDCClientStatus represents the current state diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml index ccc6810cec5..5df277bf4cc 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml 
+++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml @@ -71,8 +71,7 @@ spec: type: object oidcProviders: description: |- - oidcProviders are OIDC identity providers that can issue tokens - for this cluster + oidcProviders are OIDC identity providers that can issue tokens for this cluster Can only be set if "Type" is set to "OIDC". At most one provider can be configured. @@ -92,16 +91,14 @@ spec: key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided. items: - description: |- - ExtraMapping allows specifying a key and CEL expression - to evaluate the keys' value. It is used to create additional - mappings and attributes added to a cluster identity from - a provided authentication token. + description: ExtraMapping allows specifying a key and + CEL expression to evaluate the keys' value. It is used + to create additional mappings and attributes added to + a cluster identity from a provided authentication token. properties: key: description: |- - key is a required field that specifies the string - to use as the extra attribute key. + key is a required field that specifies the string to use as the extra attribute key. key must be a domain-prefix path (e.g 'example.org/foo'). key must not exceed 510 characters in length. 
@@ -114,8 +111,7 @@ spec: It must only contain lower case alphanumeric characters and '-' or '.'. It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one - alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. + The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. It must not exceed 256 characters in length. maxLength: 510 minLength: 1 @@ -159,14 +155,12 @@ spec: rule: self.split('/', 2)[1].size() <= 256 valueExpression: description: |- - valueExpression is a required field to specify the CEL expression to extract - the extra attribute value from a JWT token's claims. + valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. valueExpression must produce a string or string array value. "", [], and null are treated as the extra mapping not being present. Empty string values within an array are filtered out. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). 
@@ -194,22 +188,17 @@ spec: For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. properties: claim: - description: |- - claim is a required field that configures the JWT token - claim whose value is assigned to the cluster identity - field associated with this mapping. + description: claim is a required field that configures + the JWT token claim whose value is assigned to the + cluster identity field associated with this mapping. type: string prefix: description: |- - prefix is an optional field that configures the prefix that will be - applied to the cluster identity attribute during the process of mapping - JWT claims to cluster identity attributes. + prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. When omitted (""), no prefix is applied to the cluster identity attribute. - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". type: string required: - claim 
@@ -227,34 +216,27 @@ spec: properties: claim: description: |- - claim is an optional field for specifying the - JWT token claim that is used in the mapping. - The value of this claim will be assigned to - the field in which this mapping is associated. + claim is an optional field for specifying the JWT token claim that is used in the mapping. + The value of this claim will be assigned to the field in which this mapping is associated. Precisely one of claim or expression must be set. claim must not be specified when expression is set. - When specified, claim must be at least 1 character in length - and must not exceed 256 characters in length. + When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. maxLength: 256 minLength: 1 type: string expression: description: |- - expression is an optional field for specifying a - CEL expression that produces a string value from - JWT token claims. + expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. - CEL expressions have access to the token claims - through a CEL variable, 'claims'. + CEL expressions have access to the token claims through a CEL variable, 'claims'. 'claims' is a map of claim names to claim values. For example, the 'sub' claim value can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation ('claims.foo.bar'). Precisely one of claim or expression must be set. expression must not be specified when claim is set. - When specified, expression must be at least 1 character in length - and must not exceed 1024 characters in length. + When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. maxLength: 1024 minLength: 1 type: string 
@@ -285,9 +267,7 @@ spec: properties: prefixString: description: |- - prefixString is a required field that configures the prefix that will - be applied to cluster identity username attribute - during the process of mapping JWT claims to cluster identity attributes. + prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. prefixString must not be an empty string (""). minLength: 1 @@ -360,8 +340,7 @@ spec: type: string message: description: |- - message is a required human-readable message to be logged by the Kubernetes API server - if the CEL expression defined in 'expression' fails. + message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters. maxLength: 256 minLength: 1 @@ -386,10 +365,8 @@ spec: type: string requiredValue: description: |- - requiredValue is a required field that configures the value that 'claim' must - have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token - will be rejected for authentication. + requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token will be rejected for authentication. requiredValue must not be an empty string (""). minLength: 1 
@@ -757,9 +734,9 @@ spec: - name type: object oidcClients: - description: |- - oidcClients is where participating operators place the current OIDC client status - for OIDC clients that can be customized by the cluster-admin. + description: oidcClients is where participating operators place the + current OIDC client status for OIDC clients that can be customized + by the cluster-admin. items: description: |- OIDCClientStatus represents the current state From 1786bf6f9774257ab9ceb6b830655e48c9290406 Mon Sep 17 00:00:00 2001 From: Evan Hearne Date: Tue, 20 Jan 2026 11:52:15 +0000 Subject: [PATCH 6/7] fix typo --- config/v1/types_authentication.go | 2 +- ..._config-operator_01_authentications-CustomNoUpgrade.crd.yaml | 2 +- .../0000_10_config-operator_01_authentications-Default.crd.yaml | 2 +- ...fig-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml | 2 +- .../0000_10_config-operator_01_authentications-OKD.crd.yaml | 2 +- ...ig-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml | 2 +- .../authentications.config.openshift.io/ExternalOIDC.yaml | 2 +- .../ExternalOIDCWithUIDAndExtraClaimMappings.yaml | 2 +- .../ExternalOIDCWithUpstreamParity.yaml | 2 +- config/v1/zz_generated.swagger_doc_generated.go | 2 +- openapi/generated_openapi/zz_generated.openapi.go | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/config/v1/types_authentication.go b/config/v1/types_authentication.go index b3fcf63d1aa..d364672377a 100644 --- a/config/v1/types_authentication.go +++ b/config/v1/types_authentication.go 
@@ -672,7 +672,7 @@ type PrefixedClaimMapping struct {
 //
 // When omitted (""), no prefix is applied to the cluster identity attribute.
 //
- // Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
+ // Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
 //
 // +optional
 Prefix string `json:"prefix"`
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
index 72fe9ed235e..e4a31f307e1 100644
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
@@ -198,7 +198,7 @@ spec:
 When omitted (""), no prefix is applied to the cluster identity attribute.
- Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
+ Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
 type: string
 required:
 - claim
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml
index 1d2275431d6..c3c670c054e 100644
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml
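Review bot: The new line of the `Prefix` doc comment still reads "will result in an array of string "myoidc:a" …" where the plural "strings" is meant, and "the `claim` in JWT" reads better as "the `claim` in the JWT"; whatever typo this commit corrects is not visible in the rendered diff, so it may be a whitespace-only change. I would change "an array of string "myoidc:a"" to "an array of strings "myoidc:a"" and "in JWT" to "in the JWT" in this comment and then regenerate the CRD, swagger and openapi descriptions touched by this commit and by PATCH 7/7, since this comment is their source and hand edits to generated files will be overwritten. Because the comment documents that an omitted prefix leaves identity-provider claim values unmodified, it may also be worth one sentence advising operators to confirm that unprefixed values cannot coincide with identities the cluster already uses before leaving `prefix` empty. The enclosing `PrefixedClaimMapping` struct begins before the hunk.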
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml
@@ -198,7 +198,7 @@ spec:
 When omitted (""), no prefix is applied to the cluster identity attribute.
- Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
+ Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
 type: string
 required:
 - claim
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml
index 9227be30b43..9da25bffd06 100644
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml
@@ -198,7 +198,7 @@ spec:
 When omitted (""), no prefix is applied to the cluster identity attribute.
- Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
+ Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
 type: string
 required:
 - claim
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml
index f6a52d7606d..54836ff9a90 100644
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml
@@ -198,7 +198,7 @@ spec:
 When omitted (""), no prefix is applied to the cluster identity attribute.
- Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
+ Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
 type: string
 required:
 - claim
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml
index 5df277bf4cc..ffd9a68ad7d 100644
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml
@@ -198,7 +198,7 @@ spec:
 When omitted (""), no prefix is applied to the cluster identity attribute.
- Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
+ Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
 type: string
 required:
 - claim
diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml
index 92081fff2c1..e9847499d2d 100644
--- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml
+++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml
@@ -102,7 +102,7 @@ spec:
 When omitted (""), no prefix is applied to the cluster identity attribute.
- Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
+ Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
 type: string
 required:
 - claim
diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml
index b8f5d7c057c..a92b08d6e91 100644
--- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml
+++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml
@@ -198,7 +198,7 @@ spec:
 When omitted (""), no prefix is applied to the cluster identity attribute.
- Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
+ Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
 type: string
 required:
 - claim
diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml
index 2af9aeadb5c..1ee95b04147 100644
--- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml
+++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml
@@ -102,7 +102,7 @@ spec:
 When omitted (""), no prefix is applied to the cluster identity attribute.
- Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
+ Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
 type: string
 required:
 - claim
diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go
index 9bfdd83ea2a..02649a985d2 100644
--- a/config/v1/zz_generated.swagger_doc_generated.go
+++ b/config/v1/zz_generated.swagger_doc_generated.go
@@ -458,7 +458,7 @@ func (OIDCProvider) SwaggerDoc() map[string]string {
 var map_PrefixedClaimMapping = map[string]string{
 "": "PrefixedClaimMapping configures a claim mapping that allows for an optional prefix.",
- "prefix": "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".",
+ "prefix": "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".",
 }
 func (PrefixedClaimMapping) SwaggerDoc() map[string]string {
diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go
index 2efea30732a..fbbec4271cf 100644
--- a/openapi/generated_openapi/zz_generated.openapi.go
+++ b/openapi/generated_openapi/zz_generated.openapi.go
@@ -19576,7 +19576,7 @@ func schema_openshift_api_config_v1_PrefixedClaimMapping(ref common.ReferenceCal
 },
 "prefix": {
 SchemaProps: spec.SchemaProps{
- Description: "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".",
+ Description: "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".",
 Default: "",
 Type: []string{"string"},
 Format: "",
From 8c649d634e8a33b62b25a2278a78343f55ffcf38 Mon Sep 17 00:00:00 2001
From: Evan Hearne
Date: Tue, 20 Jan 2026 12:10:36 +0000
Subject: [PATCH 7/7] add additional crds
---
 ..._config-operator_01_authentications-CustomNoUpgrade.crd.yaml | 2 +-
 .../0000_10_config-operator_01_authentications-Default.crd.yaml | 2 +-
 ...fig-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml | 2 +-
 .../0000_10_config-operator_01_authentications-OKD.crd.yaml | 2 +-
 ...ig-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
index 72fe9ed235e..e4a31f307e1 100644
--- a/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
+++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
@@ -198,7 +198,7 @@ spec:
 When omitted (""), no prefix is applied to the cluster identity attribute.
- Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
+ Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
 type: string
 required:
 - claim
diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml
index 1d2275431d6..c3c670c054e 100644
--- a/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml
+++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml
@@ -198,7 +198,7 @@ spec:
 When omitted (""), no prefix is applied to the cluster identity attribute.
- Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
+ Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
 type: string
 required:
 - claim
diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml
index 9227be30b43..9da25bffd06 100644
--- a/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml
+++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml
@@ -198,7 +198,7 @@ spec:
 When omitted (""), no prefix is applied to the cluster identity attribute.
- Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
+ Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
 type: string
 required:
 - claim
diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml
index f6a52d7606d..54836ff9a90 100644
--- a/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml
+++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml
@@ -198,7 +198,7 @@ spec:
 When omitted (""), no prefix is applied to the cluster identity attribute.
- Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
+ Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
 type: string
 required:
 - claim
diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml
index 5df277bf4cc..ffd9a68ad7d 100644
--- a/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml
+++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml
@@ -198,7 +198,7 @@ spec:
 When omitted (""), no prefix is applied to the cluster identity attribute.
- Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
+ Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
 type: string
 required:
 - claim