add DOKS SSO fields

specification/resources/kubernetes/kubernetes_get_kubeconfig.yml

@@ -19,9 +19,12 @@ description: |
   passing a duration in seconds as a query parameter to
   `/v2/kubernetes/clusters/$K8S_CLUSTER_ID/kubeconfig?expiry_seconds=$DURATION_IN_SECONDS`.
   If not set or 0, then the token will have a 7 day expiry. The query parameter
-  has no impact in certificate-based authentication.
+  has no impact for other kubeconfig types.
 
-  Kubernetes Roles granted to a user with a token-based kubeconfig are derived from that user's
+  Using an `sso` kubeconfig type requires `doctl` to be installed to handle the client side
+  of the OAuth2 flow.
+
+  Kubernetes Roles granted to a user are derived from that user's
   DigitalOcean role. Predefined roles (Owner, Member, Modifier etc.) have an automatic mapping
   to Kubernetes roles. Custom roles are not automatically mapped to any Kubernetes roles,
   and require [additional configuration](https://docs.digitalocean.com/products/kubernetes/how-to/set-up-custom-rolebindings/)
@@ -33,6 +36,7 @@ tags:
 parameters:
   - $ref: 'parameters.yml#/kubernetes_cluster_id'
   - $ref: 'parameters.yml#/kubernetes_expiry_seconds'
+  - $ref: 'parameters.yml#/kubernetes_credentials_type'
 
 responses:
   '200':

specification/resources/kubernetes/models/cluster.yml

@@ -164,6 +164,9 @@ properties:
   cluster_autoscaler_configuration:
     $ref: "cluster_autoscaler_configuration.yml"
 
+  sso:
+    $ref: "sso.yml"
+
   routing_agent:
     $ref: "routing_agent.yml"
 

specification/resources/kubernetes/models/cluster_read.yml

@@ -175,6 +175,9 @@ properties:
   cluster_autoscaler_configuration:
     $ref: "cluster_autoscaler_configuration.yml"
 
+  sso:
+    $ref: "sso.yml"
+
   routing_agent:
     $ref: "routing_agent.yml"
 

specification/resources/kubernetes/models/cluster_update.yml

@@ -53,6 +53,9 @@ properties:
   cluster_autoscaler_configuration:
     $ref: 'cluster_autoscaler_configuration.yml'
 
+  sso:
+    $ref: 'sso.yml'
+
   routing_agent:
     $ref: 'routing_agent.yml'
 

specification/resources/kubernetes/models/sso.yml

@@ -0,0 +1,33 @@
+type: object
+nullable: true
+description: An object specifying Single Sign-On (SSO) configuration for the Kubernetes cluster.
+properties:
+  enabled:
+    type: boolean
+    default: false
+    description: Indicates whether SSO authentication is enabled for the cluster.
+    example: true
+
+  required:
+    type: boolean
+    default: false
+    description: |
+      Indicates whether any non-SSO forms of authentication are disallowed.
+      Can only be set to `true` when `enabled` is
+      `true`.
+    example: false
+
+  issuer_url:
+    type: string
+    format: uri
+    description: |
+      The OIDC issuer URL for the identity provider. Required when `enabled` is
+      `true`.
+    example: https://sso.example.com
+
+  client_id:
+    type: string
+    description: |
+      The OIDC client ID registered with the identity provider. Required when
+      `enabled` is `true`.
+    example: doks-cluster-client

specification/resources/kubernetes/parameters.yml

@@ -44,6 +44,20 @@ kubernetes_expiry_seconds:
     default: 0
   example: 300
 
+kubernetes_credentials_type:
+  in: query
+  name: type
+  required: false
+  description: |
+    The type of credentials to return in the kubeconfig. When omitted, the
+    default credential type for the cluster is used: `sso` for clusters with SSO enabled, `token` for clusters without SSO enabled.
+  schema:
+    type: string
+    enum:
+      - token
+      - sso
+  example: sso
+
 clusterlint_run_id:
   in: query
   name: run_id

specification/resources/kubernetes/responses/examples.yml

@@ -112,6 +112,11 @@ kubernetes_clusters_all:
         expanders:
         - priority
         - random
+      sso:
+        enabled: true
+        required: false
+        issuer_url: https://sso.example.com
+        client_id: doks-cluster-client
       routing_agent:
         enabled: false
       amd_gpu_device_plugin:
@@ -238,6 +243,11 @@ kubernetes_single:
         expanders:
         - priority
         - random
+      sso:
+        enabled: true
+        required: false
+        issuer_url: https://sso.example.com
+        client_id: doks-cluster-client
       routing_agent:
         enabled: false
       amd_gpu_device_plugin:
@@ -362,6 +372,11 @@ kubernetes_updated:
         expanders:
         - priority
         - random
+      sso:
+        enabled: true
+        required: false
+        issuer_url: https://sso.example.com
+        client_id: doks-cluster-client
       routing_agent:
         enabled: false
       amd_gpu_device_plugin:
@@ -451,6 +466,11 @@ kubernetes_clusters_create_basic_response:
         expanders:
         - priority
         - random
+      sso:
+        enabled: true
+        required: false
+        issuer_url: https://sso.example.com
+        client_id: doks-cluster-client
       routing_agent:
         enabled: false
       amd_gpu_device_plugin: