diff --git a/specification/resources/kubernetes/kubernetes_get_kubeconfig.yml b/specification/resources/kubernetes/kubernetes_get_kubeconfig.yml
index c75e8853..d8748c93 100644
--- a/specification/resources/kubernetes/kubernetes_get_kubeconfig.yml
+++ b/specification/resources/kubernetes/kubernetes_get_kubeconfig.yml
@@ -19,9 +19,12 @@ description: |
 passing a duration in seconds as a query parameter to `/v2/kubernetes/clusters/$K8S_CLUSTER_ID/kubeconfig?expiry_seconds=$DURATION_IN_SECONDS`. If not set or 0, then the token will have a 7 day expiry. The query parameter
- has no impact in certificate-based authentication.
+ has no impact for other kubeconfig types.
- Kubernetes Roles granted to a user with a token-based kubeconfig are derived from that user's
+ Using an `sso` kubeconfig type requires `doctl` to be installed to handle the client side
+ of the OAuth2 flow.
+
+ Kubernetes Roles granted to a user are derived from that user's
 DigitalOcean role. Predefined roles (Owner, Member, Modifier etc.) have an automatic mapping to Kubernetes roles. Custom roles are not automatically mapped to any Kubernetes roles, and require [additional configuration](https://docs.digitalocean.com/products/kubernetes/how-to/set-up-custom-rolebindings/)
@@ -33,6 +36,7 @@ tags:
 parameters:
 - $ref: 'parameters.yml#/kubernetes_cluster_id'
 - $ref: 'parameters.yml#/kubernetes_expiry_seconds'
+ - $ref: 'parameters.yml#/kubernetes_credentials_type'
 responses:
 '200':
diff --git a/specification/resources/kubernetes/models/cluster.yml b/specification/resources/kubernetes/models/cluster.yml
index 8290bdfa..36e21207 100644
--- a/specification/resources/kubernetes/models/cluster.yml
+++ b/specification/resources/kubernetes/models/cluster.yml
@@ -164,6 +164,9 @@ properties:
 cluster_autoscaler_configuration:
 $ref: "cluster_autoscaler_configuration.yml"
+ sso:
+ $ref: "sso.yml"
+
 routing_agent:
 $ref: "routing_agent.yml"
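Review bot: The rewritten sentence `has no impact for other kubeconfig types.` leaves unstated what the endpoint does when `type=token` (the new `kubernetes_credentials_type` query parameter added in parameters.yml) is requested for a cluster whose `sso.required` is `true`, which sso.yml describes as disallowing non-SSO authentication. A client that relies on that flag needs the spec to say whether such a request is rejected, and with which status, rather than silently yielding an SSO kubeconfig; once the real behaviour is confirmed I would add a sentence here along the lines of `Requesting type=token for a cluster where SSO is required is rejected.` and mirror it in the parameter description. With only `token` and `sso` in the enum, "other kubeconfig types" also reads ambiguously; if certificate kubeconfigs no longer exist, naming the `sso` type explicitly would be clearer. The description block continues on both sides outside the hunk.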
diff --git a/specification/resources/kubernetes/models/cluster_read.yml b/specification/resources/kubernetes/models/cluster_read.yml
index 57025d44..26b47bc9 100644
--- a/specification/resources/kubernetes/models/cluster_read.yml
+++ b/specification/resources/kubernetes/models/cluster_read.yml
@@ -175,6 +175,9 @@ properties:
 cluster_autoscaler_configuration:
 $ref: "cluster_autoscaler_configuration.yml"
+ sso:
+ $ref: "sso.yml"
+
 routing_agent:
 $ref: "routing_agent.yml"
diff --git a/specification/resources/kubernetes/models/cluster_update.yml b/specification/resources/kubernetes/models/cluster_update.yml
index 86a16a6b..29e7f264 100644
--- a/specification/resources/kubernetes/models/cluster_update.yml
+++ b/specification/resources/kubernetes/models/cluster_update.yml
@@ -53,6 +53,9 @@ properties:
 cluster_autoscaler_configuration:
 $ref: 'cluster_autoscaler_configuration.yml'
+ sso:
+ $ref: 'sso.yml'
+
 routing_agent:
 $ref: 'routing_agent.yml'
diff --git a/specification/resources/kubernetes/models/sso.yml b/specification/resources/kubernetes/models/sso.yml
new file mode 100644
index 00000000..21e43866
--- /dev/null
+++ b/specification/resources/kubernetes/models/sso.yml
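Review bot: The `sso` object referenced from cluster_update.yml is declared `nullable: true` in sso.yml, so an update body containing `sso: null` is schema-valid, yet nothing states whether that clears the SSO configuration (and, when `required` was set, re-admits non-SSO access) or is simply ignored. Because `sso.required` is an access-control setting, the update semantics should be explicit; if the intended way to turn SSO off is `enabled: false`, a sentence in the sso.yml description such as `Send enabled: false to disable SSO; a null value leaves the existing configuration unchanged.` would settle it, assuming that matches the server's behaviour. The same `$ref` is added to cluster.yml and cluster_read.yml, where the question does not arise in the same way.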
@@ -0,0 +1,33 @@
+type: object
+nullable: true
+description: An object specifying Single Sign-On (SSO) configuration for the Kubernetes cluster.
+properties:
+ enabled:
+ type: boolean
+ default: false
+ description: Indicates whether SSO authentication is enabled for the cluster.
+ example: true
+
+ required:
+ type: boolean
+ default: false
+ description: |
+ Indicates whether any non-SSO forms of authentication are disallowed.
+ Can only be set to `true` when `enabled` is
+ `true`.
+ example: false
+
+ issuer_url:
+ type: string
+ format: uri
+ description: |
+ The OIDC issuer URL for the identity provider. Required when `enabled` is
+ `true`.
+ example: https://sso.example.com
+
+ client_id:
+ type: string
+ description: |
+ The OIDC client ID registered with the identity provider. Required when
+ `enabled` is `true`.
+ example: doks-cluster-client
diff --git a/specification/resources/kubernetes/parameters.yml b/specification/resources/kubernetes/parameters.yml
index 7dd68411..2e5f7cb7 100644
--- a/specification/resources/kubernetes/parameters.yml
+++ b/specification/resources/kubernetes/parameters.yml
@@ -44,6 +44,20 @@ kubernetes_expiry_seconds:
 default: 0
 example: 300
+kubernetes_credentials_type:
+ in: query
+ name: type
+ required: false
+ description: |
+ The type of credentials to return in the kubeconfig. When omitted, the
+ default credential type for the cluster is used: `sso` for clusters with SSO enabled, `token` for clusters without SSO enabled.
+ schema:
+ type: string
+ enum:
+ - token
+ - sso
+ example: sso
+
 clusterlint_run_id:
 in: query
 name: run_id
diff --git a/specification/resources/kubernetes/responses/examples.yml b/specification/resources/kubernetes/responses/examples.yml
index d092979a..f3c395ab 100644
--- a/specification/resources/kubernetes/responses/examples.yml
+++ b/specification/resources/kubernetes/responses/examples.yml
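Review bot: `issuer_url` is typed `format: uri` with no scheme restriction, and the dependencies of `required`, `issuer_url` and `client_id` on `enabled` live only in prose. OpenID Connect requires the issuer identifier to be an https URL, so adding `pattern: '^https://'` to `issuer_url` (or at minimum stating "must use the https scheme" in its description) lets validation reject a plain-http issuer instead of accepting it into a configuration that, with `required: true`, becomes the cluster's only authentication path. For the conditional requirements, which the schema cannot express by itself, the top-level description should name the 4xx response returned when `required: true` is sent with `enabled: false`, or `enabled: true` arrives without `issuer_url`/`client_id`, so clients can distinguish a validation error from other failures.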
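Review bot: The second line of the `description` block for `kubernetes_credentials_type` (`default credential type for the cluster is used: ...`) runs well past 120 columns while the line before it is wrapped at roughly 80, so the block reads inconsistently and trips the usual line-length lint; re-wrap it, for example breaking after `is used:` and after `SSO enabled,`. The wording itself is fine, though since `sso.required` governs whether `token` is acceptable at all, the description would benefit from stating the outcome of `type=token` on a cluster with SSO required once that behaviour is confirmed.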
@@ -112,6 +112,11 @@ kubernetes_clusters_all:
 expanders:
 - priority
 - random
+ sso:
+ enabled: true
+ required: false
+ issuer_url: https://sso.example.com
+ client_id: doks-cluster-client
 routing_agent:
 enabled: false
 amd_gpu_device_plugin:
@@ -238,6 +243,11 @@ kubernetes_single:
 expanders:
 - priority
 - random
+ sso:
+ enabled: true
+ required: false
+ issuer_url: https://sso.example.com
+ client_id: doks-cluster-client
 routing_agent:
 enabled: false
 amd_gpu_device_plugin:
@@ -362,6 +372,11 @@ kubernetes_updated:
 expanders:
 - priority
 - random
+ sso:
+ enabled: true
+ required: false
+ issuer_url: https://sso.example.com
+ client_id: doks-cluster-client
 routing_agent:
 enabled: false
 amd_gpu_device_plugin:
@@ -451,6 +466,11 @@ kubernetes_clusters_create_basic_response:
 expanders:
 - priority
 - random
+ sso:
+ enabled: true
+ required: false
+ issuer_url: https://sso.example.com
+ client_id: doks-cluster-client
 routing_agent:
 enabled: false
 amd_gpu_device_plugin: