From a1dd1bf1b4ccc2ca3208f769ada48c2b6a95181c Mon Sep 17 00:00:00 2001
From: dkomsa
Date: Tue, 19 May 2026 11:02:26 -0400
Subject: [PATCH] add DOKS SSO fields
---
 .../kubernetes/kubernetes_get_kubeconfig.yml | 8 +++--
 .../resources/kubernetes/models/cluster.yml | 3 ++
 .../kubernetes/models/cluster_read.yml | 3 ++
 .../kubernetes/models/cluster_update.yml | 3 ++
 .../resources/kubernetes/models/sso.yml | 33 +++++++++++++++++++
 .../resources/kubernetes/parameters.yml | 14 ++++++++
 .../kubernetes/responses/examples.yml | 20 +++++++++++
 7 files changed, 82 insertions(+), 2 deletions(-)
 create mode 100644 specification/resources/kubernetes/models/sso.yml
diff --git a/specification/resources/kubernetes/kubernetes_get_kubeconfig.yml b/specification/resources/kubernetes/kubernetes_get_kubeconfig.yml
index c75e8853b..d8748c93f 100644
--- a/specification/resources/kubernetes/kubernetes_get_kubeconfig.yml
+++ b/specification/resources/kubernetes/kubernetes_get_kubeconfig.yml
@@ -19,9 +19,12 @@ description: |
 passing a duration in seconds as a query parameter to `/v2/kubernetes/clusters/$K8S_CLUSTER_ID/kubeconfig?expiry_seconds=$DURATION_IN_SECONDS`. If not set or 0, then the token will have a 7 day expiry. The query parameter
- has no impact in certificate-based authentication.
+ has no impact for other kubeconfig types.
- Kubernetes Roles granted to a user with a token-based kubeconfig are derived from that user's
+ Using an `sso` kubeconfig type requires `doctl` to be installed to handle the client side
+ of the OAuth2 flow.
+
+ Kubernetes Roles granted to a user are derived from that user's
 DigitalOcean role. Predefined roles (Owner, Member, Modifier etc.) have an automatic mapping to Kubernetes roles. Custom roles are not automatically mapped to any Kubernetes roles, and require [additional configuration](https://docs.digitalocean.com/products/kubernetes/how-to/set-up-custom-rolebindings/)
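Review bot: The rewritten line `has no impact for other kubeconfig types.` removes the old statement of what governs credential lifetime and replaces it with nothing, so a reader of the `sso` case can no longer tell whether the 7-day default, `expiry_seconds`, or something else applies. Since `sso` is the only other type this endpoint accepts, name the source of that lifetime once confirmed, e.g. `For an `sso` kubeconfig the credential lifetime is controlled by the identity provider, not by this parameter.` The sentence on Kubernetes Roles now covers SSO users as well, but it does not say how an identity asserted by the external OIDC issuer is matched to a DigitalOcean user and role, which is the step that decides what RBAC an SSO login ends up with; one sentence or a link on that mapping would close the gap. It would also help to state what the returned `sso` kubeconfig contains (presumably an exec-plugin entry for `doctl` rather than an embedded secret) so users know whether the file itself is sensitive. The `description:` block scalar continues outside the hunk.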
@@ -33,6 +36,7 @@ tags:
 parameters:
 - $ref: 'parameters.yml#/kubernetes_cluster_id'
 - $ref: 'parameters.yml#/kubernetes_expiry_seconds'
+ - $ref: 'parameters.yml#/kubernetes_credentials_type'
 responses:
 '200':
diff --git a/specification/resources/kubernetes/models/cluster.yml b/specification/resources/kubernetes/models/cluster.yml
index 8290bdfa0..36e21207e 100644
--- a/specification/resources/kubernetes/models/cluster.yml
+++ b/specification/resources/kubernetes/models/cluster.yml
@@ -164,6 +164,9 @@ properties:
 cluster_autoscaler_configuration:
 $ref: "cluster_autoscaler_configuration.yml"
+ sso:
+ $ref: "sso.yml"
+
 routing_agent:
 $ref: "routing_agent.yml"
diff --git a/specification/resources/kubernetes/models/cluster_read.yml b/specification/resources/kubernetes/models/cluster_read.yml
index 57025d447..26b47bc9a 100644
--- a/specification/resources/kubernetes/models/cluster_read.yml
+++ b/specification/resources/kubernetes/models/cluster_read.yml
@@ -175,6 +175,9 @@ properties:
 cluster_autoscaler_configuration:
 $ref: "cluster_autoscaler_configuration.yml"
+ sso:
+ $ref: "sso.yml"
+
 routing_agent:
 $ref: "routing_agent.yml"
diff --git a/specification/resources/kubernetes/models/cluster_update.yml b/specification/resources/kubernetes/models/cluster_update.yml
index 86a16a6ba..29e7f2640 100644
--- a/specification/resources/kubernetes/models/cluster_update.yml
+++ b/specification/resources/kubernetes/models/cluster_update.yml
@@ -53,6 +53,9 @@ properties:
 cluster_autoscaler_configuration:
 $ref: 'cluster_autoscaler_configuration.yml'
+ sso:
+ $ref: 'sso.yml'
+
 routing_agent:
 $ref: 'routing_agent.yml'
diff --git a/specification/resources/kubernetes/models/sso.yml b/specification/resources/kubernetes/models/sso.yml
new file mode 100644
index 000000000..21e43866d
--- /dev/null
+++ b/specification/resources/kubernetes/models/sso.yml
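Review bot: In the cluster_update.yml hunk, `sso: $ref: 'sso.yml'` pulls the unchanged model, whose `enabled` and `required` both carry `default: false`, into the update request body, so as written the spec says an update that sends an `sso` object without restating those two keys disables SSO and re-allows non-SSO authentication. If the server actually merges partial objects, that is a documentation defect that will mislead clients into expecting a reset that does not happen; if it really applies the defaults, the update endpoint needs an explicit warning that the full `sso` object must be resent, because a partial update silently weakening cluster authentication is the worse outcome. I would resolve it by referencing a dedicated `sso_update.yml` here that has no `default:` values and a description such as `Fields omitted from an update are left unchanged.` once the behavior is confirmed. The `properties:` mapping of cluster_update.yml begins and ends outside the hunk.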
@@ -0,0 +1,33 @@
+type: object
+nullable: true
+description: An object specifying Single Sign-On (SSO) configuration for the Kubernetes cluster.
+properties:
+ enabled:
+ type: boolean
+ default: false
+ description: Indicates whether SSO authentication is enabled for the cluster.
+ example: true
+
+ required:
+ type: boolean
+ default: false
+ description: |
+ Indicates whether any non-SSO forms of authentication are disallowed.
+ Can only be set to `true` when `enabled` is
+ `true`.
+ example: false
+
+ issuer_url:
+ type: string
+ format: uri
+ description: |
+ The OIDC issuer URL for the identity provider. Required when `enabled` is
+ `true`.
+ example: https://sso.example.com
+
+ client_id:
+ type: string
+ description: |
+ The OIDC client ID registered with the identity provider. Required when
+ `enabled` is `true`.
+ example: doks-cluster-client
diff --git a/specification/resources/kubernetes/parameters.yml b/specification/resources/kubernetes/parameters.yml
index 7dd684113..2e5f7cb70 100644
--- a/specification/resources/kubernetes/parameters.yml
+++ b/specification/resources/kubernetes/parameters.yml
@@ -44,6 +44,20 @@ kubernetes_expiry_seconds:
 default: 0
 example: 300
+kubernetes_credentials_type:
+ in: query
+ name: type
+ required: false
+ description: |
+ The type of credentials to return in the kubeconfig. When omitted, the
+ default credential type for the cluster is used: `sso` for clusters with SSO enabled, `token` for clusters without SSO enabled.
+ schema:
+ type: string
+ enum:
+ - token
+ - sso
+ example: sso
+
 clusterlint_run_id:
 in: query
 name: run_id
diff --git a/specification/resources/kubernetes/responses/examples.yml b/specification/resources/kubernetes/responses/examples.yml
index d092979a0..f3c395aba 100644
--- a/specification/resources/kubernetes/responses/examples.yml
+++ b/specification/resources/kubernetes/responses/examples.yml
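Review bot: The `required` description in sso.yml says non-SSO authentication is disallowed but not what happens to the token-based kubeconfigs that were already issued when it flips to `true`; the kubeconfig endpoint hands out tokens valid for up to 7 days, so an operator enabling `required` to cut off a departed user needs to know whether those tokens are revoked immediately or keep working until they expire. I would extend that description once the backend behavior is confirmed with something like `Previously issued token-based kubeconfigs are revoked when this is set to `true`.` (or the honored-until-expiry wording if that is the reality). `issuer_url` is only `format: uri` with no scheme constraint; if the control plane performs OIDC discovery against this value, a plain-`http` issuer would let the discovery document and keys be tampered with in transit, so either state `Must use the https scheme.` here if the API enforces it, or treat the missing check as a gap to close before release. The object is `nullable: true` but nothing says what `null` means; if `null` is equivalent to `enabled: false`, say so in the top-level description.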
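Review bot: The `type` parameter description in parameters.yml only explains the default; it does not say what the endpoint does for `type=token` on a cluster whose `sso.required` is `true`, or for `type=sso` on a cluster with SSO disabled, so a client cannot tell whether it gets an error or a silently different credential. Since rejecting a `token` request is precisely the enforcement point for `required`, a silent fallback here would defeat the setting, so this is worth checking against the implementation and not only documenting. I would add, once the status code is confirmed, `Requesting `token` on a cluster with `sso.required` set to `true`, or `sso` on a cluster without SSO enabled, is rejected with a 4xx error.` and make sure the kubeconfig endpoint's `responses:` block, which is outside this hunk, lists that response.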
@@ -112,6 +112,11 @@ kubernetes_clusters_all:
 expanders:
 - priority
 - random
+ sso:
+ enabled: true
+ required: false
+ issuer_url: https://sso.example.com
+ client_id: doks-cluster-client
 routing_agent:
 enabled: false
 amd_gpu_device_plugin:
@@ -238,6 +243,11 @@ kubernetes_single:
 expanders:
 - priority
 - random
+ sso:
+ enabled: true
+ required: false
+ issuer_url: https://sso.example.com
+ client_id: doks-cluster-client
 routing_agent:
 enabled: false
 amd_gpu_device_plugin:
@@ -362,6 +372,11 @@ kubernetes_updated:
 expanders:
 - priority
 - random
+ sso:
+ enabled: true
+ required: false
+ issuer_url: https://sso.example.com
+ client_id: doks-cluster-client
 routing_agent:
 enabled: false
 amd_gpu_device_plugin:
@@ -451,6 +466,11 @@ kubernetes_clusters_create_basic_response:
 expanders:
 - priority
 - random
+ sso:
+ enabled: true
+ required: false
+ issuer_url: https://sso.example.com
+ client_id: doks-cluster-client
 routing_agent:
 enabled: false
 amd_gpu_device_plugin: