diff --git a/config/v1/tests/authentications.config.openshift.io/ExternalOIDCExternalClaimsSourcing.yaml b/config/v1/tests/authentications.config.openshift.io/ExternalOIDCExternalClaimsSourcing.yaml new file mode 100644 index 00000000000..ca1d152cf22 --- /dev/null +++ b/config/v1/tests/authentications.config.openshift.io/ExternalOIDCExternalClaimsSourcing.yaml @@ -0,0 +1,942 @@ +apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this +name: "Authentication" +crdName: authentications.config.openshift.io +featureGates: +- ExternalOIDCExternalClaimsSourcing +tests: + onCreate: + - name: Should be able to create a minimal Authentication + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: {} # No spec is required for a Authentication + expected: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: {} + - name: Can set OIDC provider with minimal externalClaimsSources + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - url: + hostname: userinfo.example.com + pathExpression: "['userinfo']" + mappings: + - name: email + expression: "response.email" + expected: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - url: + hostname: userinfo.example.com + pathExpression: "['userinfo']" + mappings: + - name: email + expression: "response.email" + - name: Can set externalClaimsSources with RequestProvidedToken authentication + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - authentication: + type: RequestProvidedToken + url: + hostname: userinfo.example.com + pathExpression: "['userinfo']" + mappings: + - name: email + expression: "response.email" + expected: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - authentication: + type: RequestProvidedToken + url: + hostname: userinfo.example.com + pathExpression: "['userinfo']" + mappings: + - name: email + expression: "response.email" + - name: Can set externalClaimsSources with ClientCredential authentication + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - authentication: + type: ClientCredential + clientCredential: + clientID: my-client-id + clientSecret: + name: my-client-secret + tokenEndpoint: https://auth.example.com/oauth2/token + url: + hostname: graph.example.com + pathExpression: "['v1.0', 'me']" + mappings: + - name: display_name + expression: "response.displayName" + expected: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - authentication: + type: ClientCredential + clientCredential: + clientID: my-client-id + clientSecret: + name: my-client-secret + tokenEndpoint: https://auth.example.com/oauth2/token + url: + hostname: graph.example.com + pathExpression: "['v1.0', 'me']" + mappings: + - name: display_name + expression: "response.displayName" + - name: Can set externalClaimsSources with ClientCredential authentication with scopes + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - authentication: + type: ClientCredential + clientCredential: + clientID: my-client-id + clientSecret: + name: my-client-secret + tokenEndpoint: https://auth.example.com/oauth2/token + scopes: + - openid + - profile + url: + hostname: graph.example.com + pathExpression: "['v1.0', 'me']" + mappings: + - name: display_name + expression: "response.displayName" + expected: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - authentication: + type: ClientCredential + clientCredential: + clientID: my-client-id + clientSecret: + name: my-client-secret + tokenEndpoint: https://auth.example.com/oauth2/token + scopes: + - openid + - profile + url: + hostname: graph.example.com + pathExpression: "['v1.0', 'me']" + mappings: + - name: display_name + expression: "response.displayName" + - name: Can set externalClaimsSources with ClientCredential authentication with TLS + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - authentication: + type: ClientCredential + clientCredential: + clientID: my-client-id + clientSecret: + name: my-client-secret + tokenEndpoint: https://auth.example.com/oauth2/token + tls: + certificateAuthority: + name: my-ca-secret + url: + hostname: graph.example.com + pathExpression: "['v1.0', 'me']" + mappings: + - name: display_name + expression: "response.displayName" + expected: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - authentication: + type: ClientCredential + clientCredential: + clientID: my-client-id + clientSecret: + name: my-client-secret + tokenEndpoint: https://auth.example.com/oauth2/token + tls: + certificateAuthority: + name: my-ca-secret + url: + hostname: graph.example.com + pathExpression: "['v1.0', 'me']" + mappings: + - name: display_name + expression: "response.displayName" + - name: Can set externalClaimsSources with predicates + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - url: + hostname: userinfo.example.com + pathExpression: "['userinfo']" + mappings: + - name: email + expression: "response.email" + predicates: + - expression: "claims.iss == 'https://meh.tld'" + expected: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - url: + hostname: userinfo.example.com + pathExpression: "['userinfo']" + mappings: + - name: email + expression: "response.email" + predicates: + - expression: "claims.iss == 'https://meh.tld'" + - name: Can set externalClaimsSources with top-level TLS + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - url: + hostname: userinfo.example.com + pathExpression: "['userinfo']" + mappings: + - name: email + expression: "response.email" + tls: + certificateAuthority: + name: external-ca-secret + expected: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - url: + hostname: userinfo.example.com + pathExpression: "['userinfo']" + mappings: + - name: email + expression: "response.email" + tls: + certificateAuthority: + name: external-ca-secret + - name: Can set hostname with a valid port + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - url: + hostname: userinfo.example.com:8443 + pathExpression: "['userinfo']" + mappings: + - name: email + expression: "response.email" + expected: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - url: + hostname: userinfo.example.com:8443 + pathExpression: "['userinfo']" + mappings: + - name: email + expression: "response.email" + - name: Cannot set externalClaimsSources with missing clientCredential when type is ClientCredential + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - authentication: + type: ClientCredential + url: + hostname: graph.example.com + pathExpression: "['v1.0', 'me']" + mappings: + - name: display_name + expression: "response.displayName" + expectedError: "clientCredential is required when type is ClientCredential, and forbidden otherwise" + - name: Cannot set externalClaimsSources with clientCredential when type is RequestProvidedToken + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - authentication: + type: RequestProvidedToken + clientCredential: + clientID: my-client-id + clientSecret: + name: my-client-secret + tokenEndpoint: https://auth.example.com/oauth2/token + url: + hostname: userinfo.example.com + pathExpression: "['userinfo']" + mappings: + - name: email + expression: "response.email" + expectedError: "clientCredential is required when type is ClientCredential, and forbidden otherwise" + - name: Cannot set tokenEndpoint that is not a valid URL + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - authentication: + type: ClientCredential + clientCredential: + clientID: my-client-id + clientSecret: + name: my-client-secret + tokenEndpoint: not-a-url + url: + hostname: graph.example.com + pathExpression: "['v1.0', 'me']" + mappings: + - name: display_name + expression: "response.displayName" + expectedError: "tokenEndpoint must be a valid HTTPS url" + - name: Cannot set tokenEndpoint that is not https + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - authentication: + type: ClientCredential + clientCredential: + clientID: my-client-id + clientSecret: + name: my-client-secret + tokenEndpoint: http://auth.example.com/oauth2/token + url: + hostname: graph.example.com + pathExpression: "['v1.0', 'me']" + mappings: + - name: display_name + expression: "response.displayName" + expectedError: "tokenEndpoint must be a valid HTTPS url" + - name: Cannot set tokenEndpoint without a hostname + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - authentication: + type: ClientCredential + clientCredential: + clientID: my-client-id + clientSecret: + name: my-client-secret + tokenEndpoint: https:///oauth2/token + url: + hostname: graph.example.com + pathExpression: "['v1.0', 'me']" + mappings: + - name: display_name + expression: "response.displayName" + expectedError: "tokenEndpoint must have a hostname" + - name: Cannot set tokenEndpoint without a path + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - authentication: + type: ClientCredential + clientCredential: + clientID: my-client-id + clientSecret: + name: my-client-secret + tokenEndpoint: https://auth.example.com + url: + hostname: graph.example.com + pathExpression: "['v1.0', 'me']" + mappings: + - name: display_name + expression: "response.displayName" + expectedError: "tokenEndpoint must have a path" + - name: Cannot set tokenEndpoint with query parameters + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - authentication: + type: ClientCredential + clientCredential: + clientID: my-client-id + clientSecret: + name: my-client-secret + tokenEndpoint: https://auth.example.com/oauth2/token?grant_type=client_credentials + url: + hostname: graph.example.com + pathExpression: "['v1.0', 'me']" + mappings: + - name: display_name + expression: "response.displayName" + expectedError: "tokenEndpoint must not have query parameters" + - name: Cannot set tokenEndpoint with a fragment + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - authentication: + type: ClientCredential + clientCredential: + clientID: my-client-id + clientSecret: + name: my-client-secret + tokenEndpoint: https://auth.example.com/oauth2/token#frag + url: + hostname: graph.example.com + pathExpression: "['v1.0', 'me']" + mappings: + - name: display_name + expression: "response.displayName" + expectedError: "tokenEndpoint must not have a fragment" + - name: Cannot set tokenEndpoint with user info + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - authentication: + type: ClientCredential + clientCredential: + clientID: my-client-id + clientSecret: + name: my-client-secret + tokenEndpoint: https://user:pass@auth.example.com/oauth2/token + url: + hostname: graph.example.com + pathExpression: "['v1.0', 'me']" + mappings: + - name: display_name + expression: "response.displayName" + expectedError: "tokenEndpoint must not have user info" + - name: Cannot set clientID with non-printable ASCII characters + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - authentication: + type: ClientCredential + clientCredential: + clientID: "my-client\tid" + clientSecret: + name: my-client-secret + tokenEndpoint: https://auth.example.com/oauth2/token + url: + hostname: graph.example.com + pathExpression: "['v1.0', 'me']" + mappings: + - name: display_name + expression: "response.displayName" + expectedError: "clientID must only contain printable ASCII characters" + - name: Cannot set clientSecret name with invalid DNS characters + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - authentication: + type: ClientCredential + clientCredential: + clientID: my-client-id + clientSecret: + name: "INVALID_SECRET!" + tokenEndpoint: https://auth.example.com/oauth2/token + url: + hostname: graph.example.com + pathExpression: "['v1.0', 'me']" + mappings: + - name: display_name + expression: "response.displayName" + expectedError: "name must start and end with a lowercase alphanumeric character, and must only contain lowercase alphanumeric characters, '-' or '.'" + - name: Cannot set scope with space characters + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - authentication: + type: ClientCredential + clientCredential: + clientID: my-client-id + clientSecret: + name: my-client-secret + tokenEndpoint: https://auth.example.com/oauth2/token + scopes: + - "openid profile" + url: + hostname: graph.example.com + pathExpression: "['v1.0', 'me']" + mappings: + - name: display_name + expression: "response.displayName" + expectedError: "scopes must only contain printable ASCII characters excluding spaces, double quotes and backslashes" + - name: Cannot set scope with double quote characters + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - authentication: + type: ClientCredential + clientCredential: + clientID: my-client-id + clientSecret: + name: my-client-secret + tokenEndpoint: https://auth.example.com/oauth2/token + scopes: + - 'scope"value' + url: + hostname: graph.example.com + pathExpression: "['v1.0', 'me']" + mappings: + - name: display_name + expression: "response.displayName" + expectedError: "scopes must only contain printable ASCII characters excluding spaces, double quotes and backslashes" + - name: Cannot set scope with backslash characters + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - authentication: + type: ClientCredential + clientCredential: + clientID: my-client-id + clientSecret: + name: my-client-secret + tokenEndpoint: https://auth.example.com/oauth2/token + scopes: + - 'scope\value' + url: + hostname: graph.example.com + pathExpression: "['v1.0', 'me']" + mappings: + - name: display_name + expression: "response.displayName" + expectedError: "scopes must only contain printable ASCII characters excluding spaces, double quotes and backslashes" + - name: Cannot duplicate scopes + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - authentication: + type: ClientCredential + clientCredential: + clientID: my-client-id + clientSecret: + name: my-client-secret + tokenEndpoint: https://auth.example.com/oauth2/token + scopes: + - myscope + - myscope + url: + hostname: graph.example.com + pathExpression: "['v1.0', 'me']" + mappings: + - name: display_name + expression: "response.displayName" + expectedError: "Duplicate value: \"myscope\"" + - name: Cannot set hostname that is not a valid hostname + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - url: + hostname: "not a valid hostname!" + pathExpression: "['userinfo']" + mappings: + - name: email + expression: "response.email" + expectedError: "hostname must be a valid hostname" + - name: Cannot set hostname with invalid DNS characters + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - url: + hostname: UPPER.example.com + pathExpression: "['userinfo']" + mappings: + - name: email + expression: "response.email" + expectedError: "hostname before port must start and end with a lowercase alphanumeric character, and must only contain lowercase alphanumeric characters, '-' or '.'" + - name: Cannot set hostname with port exceeding 65535 + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - url: + hostname: userinfo.example.com:99999 + pathExpression: "['userinfo']" + mappings: + - name: email + expression: "response.email" + expectedError: "port must not exceed 65535" + - name: Cannot set certificateAuthority name with invalid DNS characters + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + externalClaimsSources: + - url: + hostname: userinfo.example.com + pathExpression: "['userinfo']" + mappings: + - name: email + expression: "response.email" + tls: + certificateAuthority: + name: "INVALID_NAME!" + expectedError: "name must start and end with a lowercase alphanumeric character, and must only contain lowercase alphanumeric characters, '-' or '.'" diff --git a/config/v1/types_authentication.go b/config/v1/types_authentication.go index 1a036bbb673..e2d18e79810 100644 --- a/config/v1/types_authentication.go +++ b/config/v1/types_authentication.go @@ -91,6 +91,7 @@ type AuthenticationSpec struct { // +openshift:enable:FeatureGate=ExternalOIDC // +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings // +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity + // +openshift:enable:FeatureGate=ExternalOIDCExternalClaimsSourcing // +optional OIDCProviders []OIDCProvider `json:"oidcProviders,omitempty"` } @@ -245,6 +246,27 @@ type OIDCProvider struct { // +optional // +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity UserValidationRules []TokenUserValidationRule `json:"userValidationRules,omitempty"` + + // externalClaimsSources is an optional field that can be used to configure + // sources, external to the token provided in a request, in which claims + // should be fetched from and made available to the claim mapping process + // that is used to build the identity of a token holder. + // + // For example, fetching additional user metadata from an OIDC provider's UserInfo endpoint. + // + // When not specified, only claims present in the token itself will be available + // in the claim mapping process. + // + // When specified, at least one external claim source must be specified and no more than 5 + // sources may be specified. + // + // +openshift:enable:FeatureGate=ExternalOIDCExternalClaimsSourcing + // + // +optional + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=5 + // +listType=atomic + ExternalClaimsSources []ExternalClaimsSource `json:"externalClaimsSources,omitempty"` } // +kubebuilder:validation:MinLength=1 @@ -831,3 +853,326 @@ type TokenUserValidationRule struct { // +kubebuilder:validation:MaxLength=256 Message string `json:"message,omitempty"` } + +// ExternalClaimsSource provides the configuration for a single external claim source. +type ExternalClaimsSource struct { + // authentication is an optional field that configures how the apiserver authenticates with an external claims source. + // When not specified, anonymous authentication is used. + // + // +optional + Authentication ExternalSourceAuthentication `json:"authentication,omitzero"` + + // tls is an optional field that configures the http client TLS + // settings when fetching external claims from this source. + // + // When omitted, system default TLS settings will be used + // for fetching claims from the external source. + // + // +optional + TLS ExternalSourceTLS `json:"tls,omitzero"` + + // url is a required configuration of the URL + // for which the external claims are located. + // + // +required + URL SourceURL `json:"url,omitzero"` + + // mappings is a required list of the claim + // and response handling expression pairs + // that produces the claims from the external source. + // mappings must have at least 1 entry and must not exceed 16 entries. + // TODO: Should this hold true? If so, validate it. + // Entries must have a unique name across all external claim sources. + // + // +required + // +listType=map + // +listMapKey=name + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=16 + Mappings []SourcedClaimMapping `json:"mappings,omitempty"` + + // predicates is an optional list of constraints in + // which claims should attempt to be fetched from this + // external source. + // + // When omitted or empty, claims are always attempted to be fetched + // from this external source. + // + // When specified, all predicates must evaluate to 'true' + // before claims are attempted to be fetched from this external source. + // + // predicates must not exceed 16 entries. + // Entries must have unique expressions. + // + // +optional + // +listType=map + // +listMapKey=expression + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=16 + Predicates []ExternalSourcePredicate `json:"predicates,omitempty"` +} + +// ExternalSourceAuthenticationType is the type of authentication that should be used +// when fetching claims from an external source. +// +// +enum +// +kubebuilder:validation:Enum=RequestProvidedToken;ClientCredential +type ExternalSourceAuthenticationType string + +const ( + // ExternalSourceAuthenticationTypeRequestProvidedToken is an ExternalSourceAuthenticationType + // that represents that the token being evaluated for authentication + // should be used for authenticating with the external claims source. + // This is useful for scenarios where a token has multiple audiences + // and scopes so that it can be used to access both the cluster and + // the UserInfo endpoint that contains additional information about the + // user not present in the token. + ExternalSourceAuthenticationTypeRequestProvidedToken ExternalSourceAuthenticationType = "RequestProvidedToken" + + // ExternalSourceAuthenticationTypeClientCredential is an ExternalSourceAuthenticationType + // that represents that the authenticator should use the OAuth2 + // client credentials grant flow to obtain an access token for + // authenticating with the external claims source. + // This is useful for scenarios such as fetching user information + // from Microsoft's Graph API where a separate client credential + // is needed to access the API. + ExternalSourceAuthenticationTypeClientCredential ExternalSourceAuthenticationType = "ClientCredential" +) + +// ExternalSourceAuthentication configures how the apiserver should attempt +// to authenticate with an external claims source. +// +// +kubebuilder:validation:XValidation:rule="self.type == 'ClientCredential' ? has(self.clientCredential) : !has(self.clientCredential)",message="clientCredential is required when type is ClientCredential, and forbidden otherwise" +type ExternalSourceAuthentication struct { + // type is a required field that sets the type of + // authentication method used by the authenticator + // when fetching external claims. + // + // Allowed values are 'RequestProvidedToken' and 'ClientCredential'. + // + // When set to 'RequestProvidedToken', the authenticator will + // use the token provided to the kube-apiserver as part of the + // request to authenticate with the external claims source. + // + // When set to 'ClientCredential', the authenticator will + // use the configured client-id, client-secret, and token endpoint + // to fetch an access token using the OAuth2 client credentials grant + // flow. The fetched access token will then be used to authenticate + // with the external claims source. + // + // +required + Type ExternalSourceAuthenticationType `json:"type,omitempty"` + + // clientCredential configures the client credentials + // and token endpoint to use to get an access token. + // clientCredential is required when type is 'ClientCredential', and forbidden otherwise. + // + // +optional + ClientCredential ClientCredentialConfig `json:"clientCredential,omitzero"` +} + +// ExternalSourceTLS configures the TLS options that the apiserver uses as a client +// when making a request to the external claim source. +type ExternalSourceTLS struct { + // certificateAuthority is a required reference to a ConfigMap in the openshift-config + // namespace that contains the CA certificate to use to validate TLS connections with the external claims source. + // + // +required + CertificateAuthority ExternalSourceCertificateAuthorityConfigMapReference `json:"certificateAuthority,omitzero"` +} + +// ClientCredentialConfig configures the client credentials and token endpoint +// to use to get an access token via the OAuth2 client credentials grant flow. +type ClientCredentialConfig struct { + // clientID is a required client identifier to use during the OAuth2 client credentials flow. + // clientID must be at least 1 character in length, must not exceed 256 characters in length, + // and must only contain printable ASCII characters. + // + // +required + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=256 + // +kubebuilder:validation:XValidation:rule="self.matches('^[[:print:]]+$')",message="clientID must only contain printable ASCII characters" + ClientID string `json:"clientID,omitempty"` + + // clientSecret is a required reference to a Secret in the openshift-config namespace to be used + // as the client secret during the OAuth2 client credentials flow. + // + // The key 'client-secret' is used to locate the client secret data in the Secret. + // + // +required + ClientSecret ClientSecretSecretReference `json:"clientSecret,omitzero"` + + // tokenEndpoint is a required URL to query for an access token using + // the client credential OAuth2 flow. + // tokenEndpoint must be at least 1 character in length and must not exceed 2048 characters in length. + // tokenEndpoint must be a valid HTTPS URL. + // tokenEndpoint must have a host and a path. + // tokenEndpoint must not contain query parameters, fragments, + // or user information (e.g., "user:password@host"). + // + // +required + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=2048 + // +kubebuilder:validation:XValidation:rule="isURL(self)",message="tokenEndpoint must be a valid HTTPS url" + // +kubebuilder:validation:XValidation:rule="isURL(self) && url(self).getScheme() == 'https'",message="tokenEndpoint must be a valid HTTPS url" + // +kubebuilder:validation:XValidation:rule="isURL(self) && url(self).getHost() != ''",message="tokenEndpoint must have a hostname" + // +kubebuilder:validation:XValidation:rule="isURL(self) && url(self).getEscapedPath() != ''",message="tokenEndpoint must have a path" + // +kubebuilder:validation:XValidation:rule="isURL(self) && url(self).getQuery() == {}",message="tokenEndpoint must not have query parameters" + // +kubebuilder:validation:XValidation:rule="self.find('#(.+)$') == ''",message="tokenEndpoint must not have a fragment" + // +kubebuilder:validation:XValidation:rule="self.find('@') == ''",message="tokenEndpoint must not have user info" + TokenEndpoint string `json:"tokenEndpoint,omitempty"` + + // scopes is an optional list of OAuth2 scopes to request when obtaining + // an access token. + // + // If not specified, the token endpoint's default scopes + // will be used. + // + // When specified, there must be at least 1 entry and must not exceed 16 entries. + // Each entry must be at least 1 character in length and must not exceed 256 characters in length. + // Each entry must only contain printable ASCII characters, excluding spaces, double quotes and backslashes. + // Entries must be unique. + // + // +optional + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=16 + // +listType=set + Scopes []OAuth2Scope `json:"scopes,omitempty"` + + // tls is an optional field that allows configuring the TLS + // settings used to interact with the identity provider + // as an OAuth2 client. + // + // When omitted, system default TLS settings will be used + // for the OAuth2 client. + // + // +optional + TLS ExternalSourceTLS `json:"tls,omitzero"` +} + +// OAuth2Scope is a string alias that represents an OAuth2 Scope as defined by https://datatracker.ietf.org/doc/html/rfc6749#appendix-A.4 +// +// +kubebuilder:validation:XValidation:rule="self.matches('^[!#-[\\\\]-~]+$')",message="scopes must only contain printable ASCII characters excluding spaces, double quotes and backslashes" +// +kubebuilder:validation:MinLength=1 +// +kubebuilder:validation:MaxLength=256 +type OAuth2Scope string + +// SourceURL configures the options used to build the URL that is queried for external claims. +type SourceURL struct { + // hostname is a required hostname for which the external claims are located. + // + // It must be a valid DNS subdomain name as per RFC1123. + // + // This means that it must start and end with a lowercase alphanumeric character, + // must only consist of lowercase alphanumeric characters, '-', and '.'. + // hostname must be at least 1 character in length and must not exceed 253 characters in length. + // hostname may optionally specify a port in the format ':{port}'. + // If a port is specified it must not exceed 65535. + // + // +required + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 + // +kubebuilder:validation:XValidation:rule="isURL('https://'+self)",message="hostname must be a valid hostname" + // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self.split(':')[0]).hasValue()",message="hostname before port must start and end with a lowercase alphanumeric character, and must only contain lowercase alphanumeric characters, '-' or '.'" + // +kubebuilder:validation:XValidation:rule="self.split(':').size() > 1 ? int(self.split(':')[1]) <= 65535 : true",message="port must not exceed 65535" + Hostname string `json:"hostname,omitempty"` + + // pathExpression is a required CEL expression that returns a list + // of string values used to construct the URL path. + // Claims from the token used for the request to the kube-apiserver + // are made available via the `claims` variable. + // expression must be at least 1 character in length and must not exceed 1024 characters in length. + // + // Values in the returned list will be joined with the hostname using a forward slash + // (`/`) as a separator. Values in the returned list do not need to include the forward slash. + // + // +required + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=1024 + PathExpression string `json:"pathExpression,omitempty"` +} + +// SourcedClaimMapping configures the mapping behavior for a single external claim +// from the response the apiserver received from the external claim source. +type SourcedClaimMapping struct { + // name is a required name of the claim that + // will be produced and made available during + // the claim-to-identity mapping process. + // name must consist of only lowercase alpha characters and underscores ('_'). + // name must be at least 1 character and must not exceed 256 characters in length. + // + // +required + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=256 + // +kubebuilder:validation:XValidation:rule="self.matches('^[a-z_]+$')",message="name must consist of only lowercase alpha characters and underscores" + Name string `json:"name,omitempty"` + + // expression is a required CEL expression that + // will produce a value to be assigned to the claim. + // The full response body from the request to the + // external claim source is provided via the + // `response` variable. + // expression must be at least 1 character and must not exceed 1024 characters in length. + // + // +required + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=1024 + Expression string `json:"expression,omitempty"` +} + +// ExternalSourcePredicate configures a singular condition +// that must return true before the external source is queried +// to retrieve external claims. +type ExternalSourcePredicate struct { + // expression is a required CEL expression that + // is used to determine whether or not an external + // source should be used to fetch external claims. + // + // The expression must return a boolean value, + // where true means that the source should be consulted + // and false means that it should not. + // + // Claims from the token used for the request to the kube-apiserver + // are made available via the `claims` variable. + // + // expression must be at least 1 character and must not exceed 1024 characters in length. + // + // +required + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=1024 + Expression string `json:"expression,omitempty"` +} + +// CertificateAuthorityConfigMapReference is a reference to a ConfigMap in the openshift-config +// namespace that should be used for configuring the certificate authority to be +// used when sourcing claims from external sources. +type ExternalSourceCertificateAuthorityConfigMapReference struct { + // name is the required name of the ConfigMap that exists in the openshift-config namespace. + // + // It must be at least 1 character in length, must not exceed 253 characters in length, + // must start and end with a lowercase alphanumeric character, and must only contain + // lowercase alphanumeric characters, '-' or '.'. + // + // +required + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 + // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="name must start and end with a lowercase alphanumeric character, and must only contain lowercase alphanumeric characters, '-' or '.'" + Name string `json:"name,omitempty"` +} + +// ClientSecretSecretReference is a reference to a Secret in the openshift-config +// namespace that should be used for configuring the client secret to be +// used when sourcing claims from external sources with the client credential authentication flow. +type ClientSecretSecretReference struct { + // name is the required name of the Secret that exists in the openshift-config namespace. + // + // It must be at least 1 character in length, must not exceed 253 characters in length, + // must start and end with a lowercase alphanumeric character, and must only contain + // lowercase alphanumeric characters, '-' or '.'. + // + // +required + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 + // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="name must start and end with a lowercase alphanumeric character, and must only contain lowercase alphanumeric characters, '-' or '.'" + Name string `json:"name,omitempty"` +} diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml index cd737e2727f..b4a8fc2d23b 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml @@ -446,6 +446,386 @@ spec: ? has(self.requiredClaim) : !has(self.requiredClaim)' type: array x-kubernetes-list-type: atomic + externalClaimsSources: + description: |- + externalClaimsSources is an optional field that can be used to configure + sources, external to the token provided in a request, in which claims + should be fetched from and made available to the claim mapping process + that is used to build the identity of a token holder. + + For example, fetching additional user metadata from an OIDC provider's UserInfo endpoint. + + When not specified, only claims present in the token itself will be available + in the claim mapping process. + + When specified, at least one external claim source must be specified and no more than 5 + sources may be specified. + items: + description: ExternalClaimsSource provides the configuration + for a single external claim source. + properties: + authentication: + description: |- + authentication is an optional field that configures how the apiserver authenticates with an external claims source. + When not specified, anonymous authentication is used. + properties: + clientCredential: + description: |- + clientCredential configures the client credentials + and token endpoint to use to get an access token. + clientCredential is required when type is 'ClientCredential', and forbidden otherwise. + properties: + clientID: + description: |- + clientID is a required client identifier to use during the OAuth2 client credentials flow. + clientID must be at least 1 character in length, must not exceed 256 characters in length, + and must only contain printable ASCII characters. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: clientID must only contain printable + ASCII characters + rule: self.matches('^[[:print:]]+$') + clientSecret: + description: |- + clientSecret is a required reference to a Secret in the openshift-config namespace to be used + as the client secret during the OAuth2 client credentials flow. + + The key 'client-secret' is used to locate the client secret data in the Secret. + properties: + name: + description: |- + name is the required name of the Secret that exists in the openshift-config namespace. + + It must be at least 1 character in length, must not exceed 253 characters in length, + must start and end with a lowercase alphanumeric character, and must only contain + lowercase alphanumeric characters, '-' or '.'. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must start and end with a + lowercase alphanumeric character, and + must only contain lowercase alphanumeric + characters, '-' or '.' + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + scopes: + description: |- + scopes is an optional list of OAuth2 scopes to request when obtaining + an access token. + + If not specified, the token endpoint's default scopes + will be used. + + When specified, there must be at least 1 entry and must not exceed 16 entries. + Each entry must be at least 1 character in length and must not exceed 256 characters in length. + Each entry must only contain printable ASCII characters, excluding spaces, double quotes and backslashes. + Entries must be unique. + items: + description: OAuth2Scope is a string alias that + represents an OAuth2 Scope as defined by https://datatracker.ietf.org/doc/html/rfc6749#appendix-A.4 + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: scopes must only contain printable + ASCII characters excluding spaces, double + quotes and backslashes + rule: self.matches('^[!#-[\\]-~]+$') + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: set + tls: + description: |- + tls is an optional field that allows configuring the TLS + settings used to interact with the identity provider + as an OAuth2 client. + + When omitted, system default TLS settings will be used + for the OAuth2 client. + properties: + certificateAuthority: + description: |- + certificateAuthority is a required reference to a ConfigMap in the openshift-config + namespace that contains the CA certificate to use to validate TLS connections with the external claims source. + properties: + name: + description: |- + name is the required name of the ConfigMap that exists in the openshift-config namespace. + + It must be at least 1 character in length, must not exceed 253 characters in length, + must start and end with a lowercase alphanumeric character, and must only contain + lowercase alphanumeric characters, '-' or '.'. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must start and end with + a lowercase alphanumeric character, + and must only contain lowercase alphanumeric + characters, '-' or '.' + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + required: + - certificateAuthority + type: object + tokenEndpoint: + description: |- + tokenEndpoint is a required URL to query for an access token using + the client credential OAuth2 flow. + tokenEndpoint must be at least 1 character in length and must not exceed 2048 characters in length. + tokenEndpoint must be a valid HTTPS URL. + tokenEndpoint must have a host and a path. + tokenEndpoint must not contain query parameters, fragments, + or user information (e.g., "user:password@host"). + maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: tokenEndpoint must be a valid HTTPS + url + rule: isURL(self) + - message: tokenEndpoint must be a valid HTTPS + url + rule: isURL(self) && url(self).getScheme() == + 'https' + - message: tokenEndpoint must have a hostname + rule: isURL(self) && url(self).getHost() != + '' + - message: tokenEndpoint must have a path + rule: isURL(self) && url(self).getEscapedPath() + != '' + - message: tokenEndpoint must not have query parameters + rule: isURL(self) && url(self).getQuery() == + {} + - message: tokenEndpoint must not have a fragment + rule: self.find('#(.+)$') == '' + - message: tokenEndpoint must not have user info + rule: self.find('@') == '' + required: + - clientID + - clientSecret + - tokenEndpoint + type: object + type: + description: |- + type is a required field that sets the type of + authentication method used by the authenticator + when fetching external claims. + + Allowed values are 'RequestProvidedToken' and 'ClientCredential'. + + When set to 'RequestProvidedToken', the authenticator will + use the token provided to the kube-apiserver as part of the + request to authenticate with the external claims source. + + When set to 'ClientCredential', the authenticator will + use the configured client-id, client-secret, and token endpoint + to fetch an access token using the OAuth2 client credentials grant + flow. The fetched access token will then be used to authenticate + with the external claims source. + enum: + - RequestProvidedToken + - ClientCredential + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: clientCredential is required when type is ClientCredential, + and forbidden otherwise + rule: 'self.type == ''ClientCredential'' ? has(self.clientCredential) + : !has(self.clientCredential)' + mappings: + description: |- + mappings is a required list of the claim + and response handling expression pairs + that produces the claims from the external source. + mappings must have at least 1 entry and must not exceed 16 entries. + Entries must have a unique name across all external claim sources. + items: + description: |- + SourcedClaimMapping configures the mapping behavior for a single external claim + from the response the apiserver received from the external claim source. + properties: + expression: + description: |- + expression is a required CEL expression that + will produce a value to be assigned to the claim. + The full response body from the request to the + external claim source is provided via the + `response` variable. + expression must be at least 1 character and must not exceed 1024 characters in length. + maxLength: 1024 + minLength: 1 + type: string + name: + description: |- + name is a required name of the claim that + will be produced and made available during + the claim-to-identity mapping process. + name must consist of only lowercase alpha characters and underscores ('_'). + name must be at least 1 character and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must consist of only lowercase alpha + characters and underscores + rule: self.matches('^[a-z_]+$') + required: + - expression + - name + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + predicates: + description: |- + predicates is an optional list of constraints in + which claims should attempt to be fetched from this + external source. + + When omitted or empty, claims are always attempted to be fetched + from this external source. + + When specified, all predicates must evaluate to 'true' + before claims are attempted to be fetched from this external source. + + predicates must not exceed 16 entries. + Entries must have unique expressions. + items: + description: |- + ExternalSourcePredicate configures a singular condition + that must return true before the external source is queried + to retrieve external claims. + properties: + expression: + description: |- + expression is a required CEL expression that + is used to determine whether or not an external + source should be used to fetch external claims. + + The expression must return a boolean value, + where true means that the source should be consulted + and false means that it should not. + + Claims from the token used for the request to the kube-apiserver + are made available via the `claims` variable. + + expression must be at least 1 character and must not exceed 1024 characters in length. + maxLength: 1024 + minLength: 1 + type: string + required: + - expression + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - expression + x-kubernetes-list-type: map + tls: + description: |- + tls is an optional field that configures the http client TLS + settings when fetching external claims from this source. + + When omitted, system default TLS settings will be used + for fetching claims from the external source. + properties: + certificateAuthority: + description: |- + certificateAuthority is a required reference to a ConfigMap in the openshift-config + namespace that contains the CA certificate to use to validate TLS connections with the external claims source. + properties: + name: + description: |- + name is the required name of the ConfigMap that exists in the openshift-config namespace. + + It must be at least 1 character in length, must not exceed 253 characters in length, + must start and end with a lowercase alphanumeric character, and must only contain + lowercase alphanumeric characters, '-' or '.'. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must start and end with a lowercase + alphanumeric character, and must only contain + lowercase alphanumeric characters, '-' or + '.' + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + required: + - certificateAuthority + type: object + url: + description: |- + url is a required configuration of the URL + for which the external claims are located. + properties: + hostname: + description: |- + hostname is a required hostname for which the external claims are located. + + It must be a valid DNS subdomain name as per RFC1123. + + This means that it must start and end with a lowercase alphanumeric character, + must only consist of lowercase alphanumeric characters, '-', and '.'. + hostname must be at least 1 character in length and must not exceed 253 characters in length. + hostname may optionally specify a port in the format ':{port}'. + If a port is specified it must not exceed 65535. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: hostname must be a valid hostname + rule: isURL('https://'+self) + - message: hostname before port must start and end + with a lowercase alphanumeric character, and must + only contain lowercase alphanumeric characters, + '-' or '.' + rule: '!format.dns1123Subdomain().validate(self.split('':'')[0]).hasValue()' + - message: port must not exceed 65535 + rule: 'self.split('':'').size() > 1 ? int(self.split('':'')[1]) + <= 65535 : true' + pathExpression: + description: |- + pathExpression is a required CEL expression that returns a list + of string values used to construct the URL path. + Claims from the token used for the request to the kube-apiserver + are made available via the `claims` variable. + expression must be at least 1 character in length and must not exceed 1024 characters in length. + + Values in the returned list will be joined with the hostname using a forward slash + (`/`) as a separator. Values in the returned list do not need to include the forward slash. + maxLength: 1024 + minLength: 1 + type: string + required: + - hostname + - pathExpression + type: object + required: + - mappings + - url + type: object + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-type: atomic issuer: description: issuer is a required field that configures how the platform interacts with the identity provider and how diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml index bf116984ffd..90f737f2737 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml @@ -446,6 +446,386 @@ spec: ? has(self.requiredClaim) : !has(self.requiredClaim)' type: array x-kubernetes-list-type: atomic + externalClaimsSources: + description: |- + externalClaimsSources is an optional field that can be used to configure + sources, external to the token provided in a request, in which claims + should be fetched from and made available to the claim mapping process + that is used to build the identity of a token holder. + + For example, fetching additional user metadata from an OIDC provider's UserInfo endpoint. + + When not specified, only claims present in the token itself will be available + in the claim mapping process. + + When specified, at least one external claim source must be specified and no more than 5 + sources may be specified. + items: + description: ExternalClaimsSource provides the configuration + for a single external claim source. + properties: + authentication: + description: |- + authentication is an optional field that configures how the apiserver authenticates with an external claims source. + When not specified, anonymous authentication is used. + properties: + clientCredential: + description: |- + clientCredential configures the client credentials + and token endpoint to use to get an access token. + clientCredential is required when type is 'ClientCredential', and forbidden otherwise. + properties: + clientID: + description: |- + clientID is a required client identifier to use during the OAuth2 client credentials flow. + clientID must be at least 1 character in length, must not exceed 256 characters in length, + and must only contain printable ASCII characters. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: clientID must only contain printable + ASCII characters + rule: self.matches('^[[:print:]]+$') + clientSecret: + description: |- + clientSecret is a required reference to a Secret in the openshift-config namespace to be used + as the client secret during the OAuth2 client credentials flow. + + The key 'client-secret' is used to locate the client secret data in the Secret. + properties: + name: + description: |- + name is the required name of the Secret that exists in the openshift-config namespace. + + It must be at least 1 character in length, must not exceed 253 characters in length, + must start and end with a lowercase alphanumeric character, and must only contain + lowercase alphanumeric characters, '-' or '.'. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must start and end with a + lowercase alphanumeric character, and + must only contain lowercase alphanumeric + characters, '-' or '.' + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + scopes: + description: |- + scopes is an optional list of OAuth2 scopes to request when obtaining + an access token. + + If not specified, the token endpoint's default scopes + will be used. + + When specified, there must be at least 1 entry and must not exceed 16 entries. + Each entry must be at least 1 character in length and must not exceed 256 characters in length. + Each entry must only contain printable ASCII characters, excluding spaces, double quotes and backslashes. + Entries must be unique. + items: + description: OAuth2Scope is a string alias that + represents an OAuth2 Scope as defined by https://datatracker.ietf.org/doc/html/rfc6749#appendix-A.4 + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: scopes must only contain printable + ASCII characters excluding spaces, double + quotes and backslashes + rule: self.matches('^[!#-[\\]-~]+$') + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: set + tls: + description: |- + tls is an optional field that allows configuring the TLS + settings used to interact with the identity provider + as an OAuth2 client. + + When omitted, system default TLS settings will be used + for the OAuth2 client. + properties: + certificateAuthority: + description: |- + certificateAuthority is a required reference to a ConfigMap in the openshift-config + namespace that contains the CA certificate to use to validate TLS connections with the external claims source. + properties: + name: + description: |- + name is the required name of the ConfigMap that exists in the openshift-config namespace. + + It must be at least 1 character in length, must not exceed 253 characters in length, + must start and end with a lowercase alphanumeric character, and must only contain + lowercase alphanumeric characters, '-' or '.'. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must start and end with + a lowercase alphanumeric character, + and must only contain lowercase alphanumeric + characters, '-' or '.' + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + required: + - certificateAuthority + type: object + tokenEndpoint: + description: |- + tokenEndpoint is a required URL to query for an access token using + the client credential OAuth2 flow. + tokenEndpoint must be at least 1 character in length and must not exceed 2048 characters in length. + tokenEndpoint must be a valid HTTPS URL. + tokenEndpoint must have a host and a path. + tokenEndpoint must not contain query parameters, fragments, + or user information (e.g., "user:password@host"). + maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: tokenEndpoint must be a valid HTTPS + url + rule: isURL(self) + - message: tokenEndpoint must be a valid HTTPS + url + rule: isURL(self) && url(self).getScheme() == + 'https' + - message: tokenEndpoint must have a hostname + rule: isURL(self) && url(self).getHost() != + '' + - message: tokenEndpoint must have a path + rule: isURL(self) && url(self).getEscapedPath() + != '' + - message: tokenEndpoint must not have query parameters + rule: isURL(self) && url(self).getQuery() == + {} + - message: tokenEndpoint must not have a fragment + rule: self.find('#(.+)$') == '' + - message: tokenEndpoint must not have user info + rule: self.find('@') == '' + required: + - clientID + - clientSecret + - tokenEndpoint + type: object + type: + description: |- + type is a required field that sets the type of + authentication method used by the authenticator + when fetching external claims. + + Allowed values are 'RequestProvidedToken' and 'ClientCredential'. + + When set to 'RequestProvidedToken', the authenticator will + use the token provided to the kube-apiserver as part of the + request to authenticate with the external claims source. + + When set to 'ClientCredential', the authenticator will + use the configured client-id, client-secret, and token endpoint + to fetch an access token using the OAuth2 client credentials grant + flow. The fetched access token will then be used to authenticate + with the external claims source. + enum: + - RequestProvidedToken + - ClientCredential + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: clientCredential is required when type is ClientCredential, + and forbidden otherwise + rule: 'self.type == ''ClientCredential'' ? has(self.clientCredential) + : !has(self.clientCredential)' + mappings: + description: |- + mappings is a required list of the claim + and response handling expression pairs + that produces the claims from the external source. + mappings must have at least 1 entry and must not exceed 16 entries. + Entries must have a unique name across all external claim sources. + items: + description: |- + SourcedClaimMapping configures the mapping behavior for a single external claim + from the response the apiserver received from the external claim source. + properties: + expression: + description: |- + expression is a required CEL expression that + will produce a value to be assigned to the claim. + The full response body from the request to the + external claim source is provided via the + `response` variable. + expression must be at least 1 character and must not exceed 1024 characters in length. + maxLength: 1024 + minLength: 1 + type: string + name: + description: |- + name is a required name of the claim that + will be produced and made available during + the claim-to-identity mapping process. + name must consist of only lowercase alpha characters and underscores ('_'). + name must be at least 1 character and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must consist of only lowercase alpha + characters and underscores + rule: self.matches('^[a-z_]+$') + required: + - expression + - name + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + predicates: + description: |- + predicates is an optional list of constraints in + which claims should attempt to be fetched from this + external source. + + When omitted or empty, claims are always attempted to be fetched + from this external source. + + When specified, all predicates must evaluate to 'true' + before claims are attempted to be fetched from this external source. + + predicates must not exceed 16 entries. + Entries must have unique expressions. + items: + description: |- + ExternalSourcePredicate configures a singular condition + that must return true before the external source is queried + to retrieve external claims. + properties: + expression: + description: |- + expression is a required CEL expression that + is used to determine whether or not an external + source should be used to fetch external claims. + + The expression must return a boolean value, + where true means that the source should be consulted + and false means that it should not. + + Claims from the token used for the request to the kube-apiserver + are made available via the `claims` variable. + + expression must be at least 1 character and must not exceed 1024 characters in length. + maxLength: 1024 + minLength: 1 + type: string + required: + - expression + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - expression + x-kubernetes-list-type: map + tls: + description: |- + tls is an optional field that configures the http client TLS + settings when fetching external claims from this source. + + When omitted, system default TLS settings will be used + for fetching claims from the external source. + properties: + certificateAuthority: + description: |- + certificateAuthority is a required reference to a ConfigMap in the openshift-config + namespace that contains the CA certificate to use to validate TLS connections with the external claims source. + properties: + name: + description: |- + name is the required name of the ConfigMap that exists in the openshift-config namespace. + + It must be at least 1 character in length, must not exceed 253 characters in length, + must start and end with a lowercase alphanumeric character, and must only contain + lowercase alphanumeric characters, '-' or '.'. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must start and end with a lowercase + alphanumeric character, and must only contain + lowercase alphanumeric characters, '-' or + '.' + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + required: + - certificateAuthority + type: object + url: + description: |- + url is a required configuration of the URL + for which the external claims are located. + properties: + hostname: + description: |- + hostname is a required hostname for which the external claims are located. + + It must be a valid DNS subdomain name as per RFC1123. + + This means that it must start and end with a lowercase alphanumeric character, + must only consist of lowercase alphanumeric characters, '-', and '.'. + hostname must be at least 1 character in length and must not exceed 253 characters in length. + hostname may optionally specify a port in the format ':{port}'. + If a port is specified it must not exceed 65535. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: hostname must be a valid hostname + rule: isURL('https://'+self) + - message: hostname before port must start and end + with a lowercase alphanumeric character, and must + only contain lowercase alphanumeric characters, + '-' or '.' + rule: '!format.dns1123Subdomain().validate(self.split('':'')[0]).hasValue()' + - message: port must not exceed 65535 + rule: 'self.split('':'').size() > 1 ? int(self.split('':'')[1]) + <= 65535 : true' + pathExpression: + description: |- + pathExpression is a required CEL expression that returns a list + of string values used to construct the URL path. + Claims from the token used for the request to the kube-apiserver + are made available via the `claims` variable. + expression must be at least 1 character in length and must not exceed 1024 characters in length. + + Values in the returned list will be joined with the hostname using a forward slash + (`/`) as a separator. Values in the returned list do not need to include the forward slash. + maxLength: 1024 + minLength: 1 + type: string + required: + - hostname + - pathExpression + type: object + required: + - mappings + - url + type: object + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-type: atomic issuer: description: issuer is a required field that configures how the platform interacts with the identity provider and how diff --git a/config/v1/zz_generated.deepcopy.go b/config/v1/zz_generated.deepcopy.go index 84aae76e22e..bca5d18192c 100644 --- a/config/v1/zz_generated.deepcopy.go +++ b/config/v1/zz_generated.deepcopy.go @@ -940,6 +940,45 @@ func (in *ClientConnectionOverrides) DeepCopy() *ClientConnectionOverrides { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClientCredentialConfig) DeepCopyInto(out *ClientCredentialConfig) { + *out = *in + out.ClientSecret = in.ClientSecret + if in.Scopes != nil { + in, out := &in.Scopes, &out.Scopes + *out = make([]OAuth2Scope, len(*in)) + copy(*out, *in) + } + out.TLS = in.TLS + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientCredentialConfig. +func (in *ClientCredentialConfig) DeepCopy() *ClientCredentialConfig { + if in == nil { + return nil + } + out := new(ClientCredentialConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClientSecretSecretReference) DeepCopyInto(out *ClientSecretSecretReference) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientSecretSecretReference. +func (in *ClientSecretSecretReference) DeepCopy() *ClientSecretSecretReference { + if in == nil { + return nil + } + out := new(ClientSecretSecretReference) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CloudControllerManagerStatus) DeepCopyInto(out *CloudControllerManagerStatus) { *out = *in @@ -2087,6 +2126,35 @@ func (in *EtcdStorageConfig) DeepCopy() *EtcdStorageConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExternalClaimsSource) DeepCopyInto(out *ExternalClaimsSource) { + *out = *in + in.Authentication.DeepCopyInto(&out.Authentication) + out.TLS = in.TLS + out.URL = in.URL + if in.Mappings != nil { + in, out := &in.Mappings, &out.Mappings + *out = make([]SourcedClaimMapping, len(*in)) + copy(*out, *in) + } + if in.Predicates != nil { + in, out := &in.Predicates, &out.Predicates + *out = make([]ExternalSourcePredicate, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalClaimsSource. +func (in *ExternalClaimsSource) DeepCopy() *ExternalClaimsSource { + if in == nil { + return nil + } + out := new(ExternalClaimsSource) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ExternalIPConfig) DeepCopyInto(out *ExternalIPConfig) { *out = *in @@ -2172,6 +2240,72 @@ func (in *ExternalPlatformStatus) DeepCopy() *ExternalPlatformStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExternalSourceAuthentication) DeepCopyInto(out *ExternalSourceAuthentication) { + *out = *in + in.ClientCredential.DeepCopyInto(&out.ClientCredential) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSourceAuthentication. +func (in *ExternalSourceAuthentication) DeepCopy() *ExternalSourceAuthentication { + if in == nil { + return nil + } + out := new(ExternalSourceAuthentication) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExternalSourceCertificateAuthorityConfigMapReference) DeepCopyInto(out *ExternalSourceCertificateAuthorityConfigMapReference) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSourceCertificateAuthorityConfigMapReference. +func (in *ExternalSourceCertificateAuthorityConfigMapReference) DeepCopy() *ExternalSourceCertificateAuthorityConfigMapReference { + if in == nil { + return nil + } + out := new(ExternalSourceCertificateAuthorityConfigMapReference) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExternalSourcePredicate) DeepCopyInto(out *ExternalSourcePredicate) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSourcePredicate. +func (in *ExternalSourcePredicate) DeepCopy() *ExternalSourcePredicate { + if in == nil { + return nil + } + out := new(ExternalSourcePredicate) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExternalSourceTLS) DeepCopyInto(out *ExternalSourceTLS) { + *out = *in + out.CertificateAuthority = in.CertificateAuthority + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSourceTLS. +func (in *ExternalSourceTLS) DeepCopy() *ExternalSourceTLS { + if in == nil { + return nil + } + out := new(ExternalSourceTLS) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ExtraMapping) DeepCopyInto(out *ExtraMapping) { *out = *in @@ -4828,6 +4962,13 @@ func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider) { *out = make([]TokenUserValidationRule, len(*in)) copy(*out, *in) } + if in.ExternalClaimsSources != nil { + in, out := &in.ExternalClaimsSources, &out.ExternalClaimsSources + *out = make([]ExternalClaimsSource, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return } @@ -6168,6 +6309,38 @@ func (in *SignatureStore) DeepCopy() *SignatureStore { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SourceURL) DeepCopyInto(out *SourceURL) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceURL. +func (in *SourceURL) DeepCopy() *SourceURL { + if in == nil { + return nil + } + out := new(SourceURL) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SourcedClaimMapping) DeepCopyInto(out *SourcedClaimMapping) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourcedClaimMapping. +func (in *SourcedClaimMapping) DeepCopy() *SourcedClaimMapping { + if in == nil { + return nil + } + out := new(SourcedClaimMapping) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Storage) DeepCopyInto(out *Storage) { *out = *in diff --git a/config/v1/zz_generated.featuregated-crd-manifests.yaml b/config/v1/zz_generated.featuregated-crd-manifests.yaml index 75233bff73f..9744044bdf2 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests.yaml @@ -31,6 +31,7 @@ authentications.config.openshift.io: Category: "" FeatureGates: - ExternalOIDC + - ExternalOIDCExternalClaimsSourcing - ExternalOIDCWithUIDAndExtraClaimMappings - ExternalOIDCWithUpstreamParity FilenameOperatorName: config-operator diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCExternalClaimsSourcing.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCExternalClaimsSourcing.yaml new file mode 100644 index 00000000000..944daef43e5 --- /dev/null +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCExternalClaimsSourcing.yaml @@ -0,0 +1,882 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/filename-cvo-runlevel: "0000_10" + api.openshift.io/filename-operator: config-operator + api.openshift.io/filename-ordering: "01" + feature-gate.release.openshift.io/ExternalOIDCExternalClaimsSourcing: "true" + release.openshift.io/bootstrap-required: "true" + name: authentications.config.openshift.io +spec: + group: config.openshift.io + names: + kind: Authentication + listKind: AuthenticationList + plural: authentications + singular: authentication + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + Authentication specifies cluster-wide settings for authentication (like OAuth and + webhook token authenticators). The canonical name of an instance is `cluster`. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + oauthMetadata: + description: |- + oauthMetadata contains the discovery endpoint data for OAuth 2.0 + Authorization Server Metadata for an external OAuth server. + This discovery document can be viewed from its served location: + oc get --raw '/.well-known/oauth-authorization-server' + For further details, see the IETF Draft: + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + If oauthMetadata.name is non-empty, this value has precedence + over any metadata reference stored in status. + The key "oauthMetadata" is used to locate the data. + If specified and the config map or expected key is not found, no metadata is served. + If the specified metadata is not valid, no metadata is served. + The namespace for this config map is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + oidcProviders: + description: |- + oidcProviders are OIDC identity providers that can issue tokens for this cluster + Can only be set if "Type" is set to "OIDC". + + At most one provider can be configured. + items: + properties: + claimMappings: + description: claimMappings is a required field that configures + the rules to be used by the Kubernetes API server for translating + claims in a JWT token, issued by the identity provider, to + a cluster identity. + properties: + groups: + description: |- + groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. + + When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). + + For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. + properties: + claim: + description: |- + claim is an optional field for specifying the JWT token claim that is used in the mapping. + The value of this claim will be assigned to the field in which this mapping is associated. + claim must not exceed 256 characters in length. + When set to the empty string `""`, this means that no named claim should be used for the group mapping. + claim is required when the ExternalOIDCWithUpstreamParity feature gate is not enabled. + maxLength: 256 + type: string + prefix: + description: |- + prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. + + When omitted or set to an empty string (""), no prefix is applied to the cluster identity attribute. + Must not be set to a non-empty value when expression is set. + + Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". + type: string + type: object + username: + description: username is a required field that configures + how the username of a cluster identity should be constructed + from the claims in a JWT token issued by the identity + provider. + properties: + claim: + description: |- + claim is an optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + claim is required when the ExternalOIDCWithUpstreamParity feature gate is not enabled. + When the ExternalOIDCWithUpstreamParity feature gate is enabled, claim must not be set when expression is set. + + claim must not be an empty string ("") and must not exceed 256 characters. + maxLength: 256 + minLength: 1 + type: string + prefix: + description: |- + prefix configures the prefix that should be prepended to the value of the JWT claim. + + prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. + properties: + prefixString: + description: |- + prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. + + prefixString must not be an empty string (""). + minLength: 1 + type: string + required: + - prefixString + type: object + prefixPolicy: + description: |- + prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. + + Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). + + When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. + The prefix field must be set when prefixPolicy is 'Prefix'. + Must not be set to 'Prefix' when expression is set. + When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. + When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. + Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. + + As an example, consider the following scenario: + + `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, + the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", + and `claim` is set to: + - "username": the mapped value will be "https://myoidc.tld#userA" + - "email": the mapped value will be "userA@myoidc.tld" + enum: + - "" + - NoPrefix + - Prefix + type: string + type: object + x-kubernetes-validations: + - message: prefix must be set if prefixPolicy is 'Prefix', + but must remain unset otherwise + rule: 'has(self.prefixPolicy) && self.prefixPolicy == + ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) + > 0) : !has(self.prefix)' + required: + - username + type: object + claimValidationRules: + description: |- + claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. + + Validation rules are joined via an AND operation. + items: + description: |- + TokenClaimValidationRule represents a validation rule based on token claims. + If type is RequiredClaim, requiredClaim must be set. + If Type is CEL, CEL must be set and RequiredClaim must be omitted. + properties: + requiredClaim: + description: |- + requiredClaim allows configuring a required claim name and its expected value. + This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. + The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. + properties: + claim: + description: |- + claim is a required field that configures the name of the required claim. + When taken from the JWT claims, claim must be a string value. + + claim must not be an empty string (""). + minLength: 1 + type: string + requiredValue: + description: |- + requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. + If the value in the JWT claims does not match, the token will be rejected for authentication. + + requiredValue must not be an empty string (""). + minLength: 1 + type: string + required: + - claim + - requiredValue + type: object + type: + description: |- + type is an optional field that configures the type of the validation rule. + + Allowed values are "RequiredClaim" and "CEL". + + When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. + + When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: requiredClaim must be set when type is 'RequiredClaim', + and forbidden otherwise + rule: 'has(self.type) && self.type == ''RequiredClaim'' + ? has(self.requiredClaim) : !has(self.requiredClaim)' + type: array + x-kubernetes-list-type: atomic + externalClaimsSources: + description: |- + externalClaimsSources is an optional field that can be used to configure + sources, external to the token provided in a request, in which claims + should be fetched from and made available to the claim mapping process + that is used to build the identity of a token holder. + + For example, fetching additional user metadata from an OIDC provider's UserInfo endpoint. + + When not specified, only claims present in the token itself will be available + in the claim mapping process. + + When specified, at least one external claim source must be specified and no more than 5 + sources may be specified. + items: + description: ExternalClaimsSource provides the configuration + for a single external claim source. + properties: + authentication: + description: |- + authentication is an optional field that configures how the apiserver authenticates with an external claims source. + When not specified, anonymous authentication is used. + properties: + clientCredential: + description: |- + clientCredential configures the client credentials + and token endpoint to use to get an access token. + clientCredential is required when type is 'ClientCredential', and forbidden otherwise. + properties: + clientID: + description: |- + clientID is a required client identifier to use during the OAuth2 client credentials flow. + clientID must be at least 1 character in length, must not exceed 256 characters in length, + and must only contain printable ASCII characters. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: clientID must only contain printable + ASCII characters + rule: self.matches('^[[:print:]]+$') + clientSecret: + description: |- + clientSecret is a required reference to a Secret in the openshift-config namespace to be used + as the client secret during the OAuth2 client credentials flow. + + The key 'client-secret' is used to locate the client secret data in the Secret. + properties: + name: + description: |- + name is the required name of the Secret that exists in the openshift-config namespace. + + It must be at least 1 character in length, must not exceed 253 characters in length, + must start and end with a lowercase alphanumeric character, and must only contain + lowercase alphanumeric characters, '-' or '.'. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must start and end with a + lowercase alphanumeric character, and + must only contain lowercase alphanumeric + characters, '-' or '.' + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + scopes: + description: |- + scopes is an optional list of OAuth2 scopes to request when obtaining + an access token. + + If not specified, the token endpoint's default scopes + will be used. + + When specified, there must be at least 1 entry and must not exceed 16 entries. + Each entry must be at least 1 character in length and must not exceed 256 characters in length. + Each entry must only contain printable ASCII characters, excluding spaces, double quotes and backslashes. + Entries must be unique. + items: + description: OAuth2Scope is a string alias that + represents an OAuth2 Scope as defined by https://datatracker.ietf.org/doc/html/rfc6749#appendix-A.4 + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: scopes must only contain printable + ASCII characters excluding spaces, double + quotes and backslashes + rule: self.matches('^[!#-[\\]-~]+$') + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: set + tls: + description: |- + tls is an optional field that allows configuring the TLS + settings used to interact with the identity provider + as an OAuth2 client. + + When omitted, system default TLS settings will be used + for the OAuth2 client. + properties: + certificateAuthority: + description: |- + certificateAuthority is a required reference to a ConfigMap in the openshift-config + namespace that contains the CA certificate to use to validate TLS connections with the external claims source. + properties: + name: + description: |- + name is the required name of the ConfigMap that exists in the openshift-config namespace. + + It must be at least 1 character in length, must not exceed 253 characters in length, + must start and end with a lowercase alphanumeric character, and must only contain + lowercase alphanumeric characters, '-' or '.'. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must start and end with + a lowercase alphanumeric character, + and must only contain lowercase alphanumeric + characters, '-' or '.' + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + required: + - certificateAuthority + type: object + tokenEndpoint: + description: |- + tokenEndpoint is a required URL to query for an access token using + the client credential OAuth2 flow. + tokenEndpoint must be at least 1 character in length and must not exceed 2048 characters in length. + tokenEndpoint must be a valid HTTPS URL. + tokenEndpoint must have a host and a path. + tokenEndpoint must not contain query parameters, fragments, + or user information (e.g., "user:password@host"). + maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: tokenEndpoint must be a valid HTTPS + url + rule: isURL(self) + - message: tokenEndpoint must be a valid HTTPS + url + rule: isURL(self) && url(self).getScheme() == + 'https' + - message: tokenEndpoint must have a hostname + rule: isURL(self) && url(self).getHost() != + '' + - message: tokenEndpoint must have a path + rule: isURL(self) && url(self).getEscapedPath() + != '' + - message: tokenEndpoint must not have query parameters + rule: isURL(self) && url(self).getQuery() == + {} + - message: tokenEndpoint must not have a fragment + rule: self.find('#(.+)$') == '' + - message: tokenEndpoint must not have user info + rule: self.find('@') == '' + required: + - clientID + - clientSecret + - tokenEndpoint + type: object + type: + description: |- + type is a required field that sets the type of + authentication method used by the authenticator + when fetching external claims. + + Allowed values are 'RequestProvidedToken' and 'ClientCredential'. + + When set to 'RequestProvidedToken', the authenticator will + use the token provided to the kube-apiserver as part of the + request to authenticate with the external claims source. + + When set to 'ClientCredential', the authenticator will + use the configured client-id, client-secret, and token endpoint + to fetch an access token using the OAuth2 client credentials grant + flow. The fetched access token will then be used to authenticate + with the external claims source. + enum: + - RequestProvidedToken + - ClientCredential + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: clientCredential is required when type is ClientCredential, + and forbidden otherwise + rule: 'self.type == ''ClientCredential'' ? has(self.clientCredential) + : !has(self.clientCredential)' + mappings: + description: |- + mappings is a required list of the claim + and response handling expression pairs + that produces the claims from the external source. + mappings must have at least 1 entry and must not exceed 16 entries. + Entries must have a unique name across all external claim sources. + items: + description: |- + SourcedClaimMapping configures the mapping behavior for a single external claim + from the response the apiserver received from the external claim source. + properties: + expression: + description: |- + expression is a required CEL expression that + will produce a value to be assigned to the claim. + The full response body from the request to the + external claim source is provided via the + `response` variable. + expression must be at least 1 character and must not exceed 1024 characters in length. + maxLength: 1024 + minLength: 1 + type: string + name: + description: |- + name is a required name of the claim that + will be produced and made available during + the claim-to-identity mapping process. + name must consist of only lowercase alpha characters and underscores ('_'). + name must be at least 1 character and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must consist of only lowercase alpha + characters and underscores + rule: self.matches('^[a-z_]+$') + required: + - expression + - name + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + predicates: + description: |- + predicates is an optional list of constraints in + which claims should attempt to be fetched from this + external source. + + When omitted or empty, claims are always attempted to be fetched + from this external source. + + When specified, all predicates must evaluate to 'true' + before claims are attempted to be fetched from this external source. + + predicates must not exceed 16 entries. + Entries must have unique expressions. + items: + description: |- + ExternalSourcePredicate configures a singular condition + that must return true before the external source is queried + to retrieve external claims. + properties: + expression: + description: |- + expression is a required CEL expression that + is used to determine whether or not an external + source should be used to fetch external claims. + + The expression must return a boolean value, + where true means that the source should be consulted + and false means that it should not. + + Claims from the token used for the request to the kube-apiserver + are made available via the `claims` variable. + + expression must be at least 1 character and must not exceed 1024 characters in length. + maxLength: 1024 + minLength: 1 + type: string + required: + - expression + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - expression + x-kubernetes-list-type: map + tls: + description: |- + tls is an optional field that configures the http client TLS + settings when fetching external claims from this source. + + When omitted, system default TLS settings will be used + for fetching claims from the external source. + properties: + certificateAuthority: + description: |- + certificateAuthority is a required reference to a ConfigMap in the openshift-config + namespace that contains the CA certificate to use to validate TLS connections with the external claims source. + properties: + name: + description: |- + name is the required name of the ConfigMap that exists in the openshift-config namespace. + + It must be at least 1 character in length, must not exceed 253 characters in length, + must start and end with a lowercase alphanumeric character, and must only contain + lowercase alphanumeric characters, '-' or '.'. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must start and end with a lowercase + alphanumeric character, and must only contain + lowercase alphanumeric characters, '-' or + '.' + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + required: + - certificateAuthority + type: object + url: + description: |- + url is a required configuration of the URL + for which the external claims are located. + properties: + hostname: + description: |- + hostname is a required hostname for which the external claims are located. + + It must be a valid DNS subdomain name as per RFC1123. + + This means that it must start and end with a lowercase alphanumeric character, + must only consist of lowercase alphanumeric characters, '-', and '.'. + hostname must be at least 1 character in length and must not exceed 253 characters in length. + hostname may optionally specify a port in the format ':{port}'. + If a port is specified it must not exceed 65535. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: hostname must be a valid hostname + rule: isURL('https://'+self) + - message: hostname before port must start and end + with a lowercase alphanumeric character, and must + only contain lowercase alphanumeric characters, + '-' or '.' + rule: '!format.dns1123Subdomain().validate(self.split('':'')[0]).hasValue()' + - message: port must not exceed 65535 + rule: 'self.split('':'').size() > 1 ? int(self.split('':'')[1]) + <= 65535 : true' + pathExpression: + description: |- + pathExpression is a required CEL expression that returns a list + of string values used to construct the URL path. + Claims from the token used for the request to the kube-apiserver + are made available via the `claims` variable. + expression must be at least 1 character in length and must not exceed 1024 characters in length. + + Values in the returned list will be joined with the hostname using a forward slash + (`/`) as a separator. Values in the returned list do not need to include the forward slash. + maxLength: 1024 + minLength: 1 + type: string + required: + - hostname + - pathExpression + type: object + required: + - mappings + - url + type: object + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + issuer: + description: issuer is a required field that configures how + the platform interacts with the identity provider and how + tokens issued from the identity provider are evaluated by + the Kubernetes API server. + properties: + audiences: + description: |- + audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. + At least one of the entries must match the 'aud' claim in the JWT token. + + audiences must contain at least one entry and must not exceed ten entries. + items: + minLength: 1 + type: string + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: set + issuerCertificateAuthority: + description: |- + issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. + + When not specified, the system trust is used. + + When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. + properties: + name: + description: name is the metadata.name of the referenced + config map + type: string + required: + - name + type: object + issuerURL: + description: |- + issuerURL is a required field that configures the URL used to issue tokens by the identity provider. + The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. + + Must be at least 1 character and must not exceed 512 characters in length. + Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. + maxLength: 512 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + - message: must use the 'https' scheme + rule: isURL(self) && url(self).getScheme() == 'https' + - message: must not have a query + rule: isURL(self) && url(self).getQuery() == {} + - message: must not have a fragment + rule: self.find('#(.+)$') == '' + - message: must not have user info + rule: self.find('@') == '' + required: + - audiences + - issuerURL + type: object + name: + description: |- + name is a required field that configures the unique human-readable identifier associated with the identity provider. + It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. + + name must not be an empty string (""). + minLength: 1 + type: string + oidcClients: + description: |- + oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. + oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. + items: + description: OIDCClientConfig configures how platform clients + interact with identity providers as an authentication method. + properties: + clientID: + description: |- + clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. + The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. + + clientID must not be an empty string (""). + minLength: 1 + type: string + clientSecret: + description: |- + clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. + + When not specified, no client secret will be used when making authentication requests to the identity provider. + + When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. + + The client secret will be used when making authentication requests to the identity provider. + + Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + componentName: + description: |- + componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. + + It is used in combination with componentNamespace as a unique identifier. + + componentName must not be an empty string ("") and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + componentNamespace: + description: |- + componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. + + It is used in combination with componentName as a unique identifier. + + componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. + maxLength: 63 + minLength: 1 + type: string + extraScopes: + description: |- + extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. + This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. + + When omitted, no additional scopes are requested. + items: + type: string + type: array + x-kubernetes-list-type: set + required: + - clientID + - componentName + - componentNamespace + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - componentNamespace + - componentName + x-kubernetes-list-type: map + required: + - claimMappings + - issuer + - name + type: object + maxItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + serviceAccountIssuer: + description: |- + serviceAccountIssuer is the identifier of the bound service account token + issuer. + The default is https://kubernetes.default.svc + WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the + previous issuer value. Instead, the tokens issued by previous service account issuer will continue to + be trusted for a time period chosen by the platform (currently set to 24h). + This time period is subject to change over time. + This allows internal components to transition to use new service account issuer without service distruption. + type: string + type: + description: |- + type identifies the cluster managed, user facing authentication mode in use. + Specifically, it manages the component that responds to login attempts. + The default is IntegratedOAuth. + type: string + webhookTokenAuthenticator: + description: |- + webhookTokenAuthenticator configures a remote token reviewer. + These remote authentication webhooks can be used to verify bearer tokens + via the tokenreviews.authentication.k8s.io REST API. This is required to + honor bearer tokens that are provisioned by an external authentication service. + + Can only be set if "Type" is set to "None". + properties: + kubeConfig: + description: |- + kubeConfig references a secret that contains kube config file data which + describes how to access the remote webhook service. + The namespace for the referenced secret is openshift-config. + + For further details, see: + + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + properties: + name: + description: name is the metadata.name of the referenced secret + type: string + required: + - name + type: object + required: + - kubeConfig + type: object + webhookTokenAuthenticators: + description: webhookTokenAuthenticators is DEPRECATED, setting it + has no effect. + items: + description: |- + deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. + It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. + properties: + kubeConfig: + description: |- + kubeConfig contains kube config file data which describes how to access the remote webhook service. + For further details, see: + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication + The key "kubeConfig" is used to locate the data. + If the secret or expected key is not found, the webhook is not honored. + If the specified kube config data is not valid, the webhook is not honored. + The namespace for this secret is determined by the point of use. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + properties: + integratedOAuthMetadata: + description: |- + integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 + Authorization Server Metadata for the in-cluster integrated OAuth server. + This discovery document can be viewed from its served location: + oc get --raw '/.well-known/oauth-authorization-server' + For further details, see the IETF Draft: + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 + This contains the observed value based on cluster state. + An explicitly set value in spec.oauthMetadata has precedence over this field. + This field has no meaning if authentication spec.type is not set to IntegratedOAuth. + The key "oauthMetadata" is used to locate the data. + If the config map or expected key is not found, no metadata is served. + If the specified metadata is not valid, no metadata is served. + The namespace for this config map is openshift-config-managed. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index f386a811257..b0d3f59db0d 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go @@ -388,6 +388,28 @@ func (AuthenticationStatus) SwaggerDoc() map[string]string { return map_AuthenticationStatus } +var map_ClientCredentialConfig = map[string]string{ + "": "ClientCredentialConfig configures the client credentials and token endpoint to use to get an access token via the OAuth2 client credentials grant flow.", + "clientID": "clientID is a required client identifier to use during the OAuth2 client credentials flow. clientID must be at least 1 character in length, must not exceed 256 characters in length, and must only contain printable ASCII characters.", + "clientSecret": "clientSecret is a required reference to a Secret in the openshift-config namespace to be used as the client secret during the OAuth2 client credentials flow.\n\nThe key 'client-secret' is used to locate the client secret data in the Secret.", + "tokenEndpoint": "tokenEndpoint is a required URL to query for an access token using the client credential OAuth2 flow. tokenEndpoint must be at least 1 character in length and must not exceed 2048 characters in length. tokenEndpoint must be a valid HTTPS URL. tokenEndpoint must have a host and a path. tokenEndpoint must not contain query parameters, fragments, or user information (e.g., \"user:password@host\").", + "scopes": "scopes is an optional list of OAuth2 scopes to request when obtaining an access token.\n\nIf not specified, the token endpoint's default scopes will be used.\n\nWhen specified, there must be at least 1 entry and must not exceed 16 entries. Each entry must be at least 1 character in length and must not exceed 256 characters in length. Each entry must only contain printable ASCII characters, excluding spaces, double quotes and backslashes. Entries must be unique.", + "tls": "tls is an optional field that allows configuring the TLS settings used to interact with the identity provider as an OAuth2 client.\n\nWhen omitted, system default TLS settings will be used for the OAuth2 client.", +} + +func (ClientCredentialConfig) SwaggerDoc() map[string]string { + return map_ClientCredentialConfig +} + +var map_ClientSecretSecretReference = map[string]string{ + "": "ClientSecretSecretReference is a reference to a Secret in the openshift-config namespace that should be used for configuring the client secret to be used when sourcing claims from external sources with the client credential authentication flow.", + "name": "name is the required name of the Secret that exists in the openshift-config namespace.\n\nIt must be at least 1 character in length, must not exceed 253 characters in length, must start and end with a lowercase alphanumeric character, and must only contain lowercase alphanumeric characters, '-' or '.'.", +} + +func (ClientSecretSecretReference) SwaggerDoc() map[string]string { + return map_ClientSecretSecretReference +} + var map_DeprecatedWebhookTokenAuthenticator = map[string]string{ "": "deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field.", "kubeConfig": "kubeConfig contains kube config file data which describes how to access the remote webhook service. For further details, see: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication The key \"kubeConfig\" is used to locate the data. If the secret or expected key is not found, the webhook is not honored. If the specified kube config data is not valid, the webhook is not honored. The namespace for this secret is determined by the point of use.", @@ -397,6 +419,56 @@ func (DeprecatedWebhookTokenAuthenticator) SwaggerDoc() map[string]string { return map_DeprecatedWebhookTokenAuthenticator } +var map_ExternalClaimsSource = map[string]string{ + "": "ExternalClaimsSource provides the configuration for a single external claim source.", + "authentication": "authentication is an optional field that configures how the apiserver authenticates with an external claims source. When not specified, anonymous authentication is used.", + "tls": "tls is an optional field that configures the http client TLS settings when fetching external claims from this source.\n\nWhen omitted, system default TLS settings will be used for fetching claims from the external source.", + "url": "url is a required configuration of the URL for which the external claims are located.", + "mappings": "mappings is a required list of the claim and response handling expression pairs that produces the claims from the external source. mappings must have at least 1 entry and must not exceed 16 entries. Entries must have a unique name across all external claim sources.", + "predicates": "predicates is an optional list of constraints in which claims should attempt to be fetched from this external source.\n\nWhen omitted or empty, claims are always attempted to be fetched from this external source.\n\nWhen specified, all predicates must evaluate to 'true' before claims are attempted to be fetched from this external source.\n\npredicates must not exceed 16 entries. Entries must have unique expressions.", +} + +func (ExternalClaimsSource) SwaggerDoc() map[string]string { + return map_ExternalClaimsSource +} + +var map_ExternalSourceAuthentication = map[string]string{ + "": "ExternalSourceAuthentication configures how the apiserver should attempt to authenticate with an external claims source.", + "type": "type is a required field that sets the type of authentication method used by the authenticator when fetching external claims.\n\nAllowed values are 'RequestProvidedToken' and 'ClientCredential'.\n\nWhen set to 'RequestProvidedToken', the authenticator will use the token provided to the kube-apiserver as part of the request to authenticate with the external claims source.\n\nWhen set to 'ClientCredential', the authenticator will use the configured client-id, client-secret, and token endpoint to fetch an access token using the OAuth2 client credentials grant flow. The fetched access token will then be used to authenticate with the external claims source.", + "clientCredential": "clientCredential configures the client credentials and token endpoint to use to get an access token. clientCredential is required when type is 'ClientCredential', and forbidden otherwise.", +} + +func (ExternalSourceAuthentication) SwaggerDoc() map[string]string { + return map_ExternalSourceAuthentication +} + +var map_ExternalSourceCertificateAuthorityConfigMapReference = map[string]string{ + "": "CertificateAuthorityConfigMapReference is a reference to a ConfigMap in the openshift-config namespace that should be used for configuring the certificate authority to be used when sourcing claims from external sources.", + "name": "name is the required name of the ConfigMap that exists in the openshift-config namespace.\n\nIt must be at least 1 character in length, must not exceed 253 characters in length, must start and end with a lowercase alphanumeric character, and must only contain lowercase alphanumeric characters, '-' or '.'.", +} + +func (ExternalSourceCertificateAuthorityConfigMapReference) SwaggerDoc() map[string]string { + return map_ExternalSourceCertificateAuthorityConfigMapReference +} + +var map_ExternalSourcePredicate = map[string]string{ + "": "ExternalSourcePredicate configures a singular condition that must return true before the external source is queried to retrieve external claims.", + "expression": "expression is a required CEL expression that is used to determine whether or not an external source should be used to fetch external claims.\n\nThe expression must return a boolean value, where true means that the source should be consulted and false means that it should not.\n\nClaims from the token used for the request to the kube-apiserver are made available via the `claims` variable.\n\nexpression must be at least 1 character and must not exceed 1024 characters in length.", +} + +func (ExternalSourcePredicate) SwaggerDoc() map[string]string { + return map_ExternalSourcePredicate +} + +var map_ExternalSourceTLS = map[string]string{ + "": "ExternalSourceTLS configures the TLS options that the apiserver uses as a client when making a request to the external claim source.", + "certificateAuthority": "certificateAuthority is a required reference to a ConfigMap in the openshift-config namespace that contains the CA certificate to use to validate TLS connections with the external claims source.", +} + +func (ExternalSourceTLS) SwaggerDoc() map[string]string { + return map_ExternalSourceTLS +} + var map_ExtraMapping = map[string]string{ "": "ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token.", "key": "key is a required field that specifies the string to use as the extra attribute key.\n\nkey must be a domain-prefix path (e.g 'example.org/foo'). key must not exceed 510 characters in length. key must contain the '/' character, separating the domain and path characters. key must not be empty.\n\nThe domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. It must not exceed 253 characters in length. It must start and end with an alphanumeric character. It must only contain lower case alphanumeric characters and '-' or '.'. It must not use the reserved domains, or be subdomains of, \"kubernetes.io\", \"k8s.io\", and \"openshift.io\".\n\nThe path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. It must not exceed 256 characters in length.", @@ -445,12 +517,13 @@ func (OIDCClientStatus) SwaggerDoc() map[string]string { } var map_OIDCProvider = map[string]string{ - "name": "name is a required field that configures the unique human-readable identifier associated with the identity provider. It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics.\n\nname must not be an empty string (\"\").", - "issuer": "issuer is a required field that configures how the platform interacts with the identity provider and how tokens issued from the identity provider are evaluated by the Kubernetes API server.", - "oidcClients": "oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.", - "claimMappings": "claimMappings is a required field that configures the rules to be used by the Kubernetes API server for translating claims in a JWT token, issued by the identity provider, to a cluster identity.", - "claimValidationRules": "claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider.\n\nValidation rules are joined via an AND operation.", - "userValidationRules": "userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. If any rule in the chain of rules evaluates to 'false', authentication will fail. When specified, at least one rule must be specified and no more than 64 rules may be specified.", + "name": "name is a required field that configures the unique human-readable identifier associated with the identity provider. It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics.\n\nname must not be an empty string (\"\").", + "issuer": "issuer is a required field that configures how the platform interacts with the identity provider and how tokens issued from the identity provider are evaluated by the Kubernetes API server.", + "oidcClients": "oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.", + "claimMappings": "claimMappings is a required field that configures the rules to be used by the Kubernetes API server for translating claims in a JWT token, issued by the identity provider, to a cluster identity.", + "claimValidationRules": "claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider.\n\nValidation rules are joined via an AND operation.", + "userValidationRules": "userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. If any rule in the chain of rules evaluates to 'false', authentication will fail. When specified, at least one rule must be specified and no more than 64 rules may be specified.", + "externalClaimsSources": "externalClaimsSources is an optional field that can be used to configure sources, external to the token provided in a request, in which claims should be fetched from and made available to the claim mapping process that is used to build the identity of a token holder.\n\nFor example, fetching additional user metadata from an OIDC provider's UserInfo endpoint.\n\nWhen not specified, only claims present in the token itself will be available in the claim mapping process.\n\nWhen specified, at least one external claim source must be specified and no more than 5 sources may be specified.", } func (OIDCProvider) SwaggerDoc() map[string]string { @@ -466,6 +539,26 @@ func (PrefixedClaimMapping) SwaggerDoc() map[string]string { return map_PrefixedClaimMapping } +var map_SourceURL = map[string]string{ + "": "SourceURL configures the options used to build the URL that is queried for external claims.", + "hostname": "hostname is a required hostname for which the external claims are located.\n\nIt must be a valid DNS subdomain name as per RFC1123.\n\nThis means that it must start and end with a lowercase alphanumeric character, must only consist of lowercase alphanumeric characters, '-', and '.'. hostname must be at least 1 character in length and must not exceed 253 characters in length. hostname may optionally specify a port in the format ':{port}'. If a port is specified it must not exceed 65535.", + "pathExpression": "pathExpression is a required CEL expression that returns a list of string values used to construct the URL path. Claims from the token used for the request to the kube-apiserver are made available via the `claims` variable. expression must be at least 1 character in length and must not exceed 1024 characters in length.\n\nValues in the returned list will be joined with the hostname using a forward slash (`/`) as a separator. Values in the returned list do not need to include the forward slash.", +} + +func (SourceURL) SwaggerDoc() map[string]string { + return map_SourceURL +} + +var map_SourcedClaimMapping = map[string]string{ + "": "SourcedClaimMapping configures the mapping behavior for a single external claim from the response the apiserver received from the external claim source.", + "name": "name is a required name of the claim that will be produced and made available during the claim-to-identity mapping process. name must consist of only lowercase alpha characters and underscores ('_'). name must be at least 1 character and must not exceed 256 characters in length.", + "expression": "expression is a required CEL expression that will produce a value to be assigned to the claim. The full response body from the request to the external claim source is provided via the `response` variable. expression must be at least 1 character and must not exceed 1024 characters in length.", +} + +func (SourcedClaimMapping) SwaggerDoc() map[string]string { + return map_SourcedClaimMapping +} + var map_TokenClaimMapping = map[string]string{ "": "TokenClaimMapping allows specifying a JWT token claim to be used when mapping claims from an authentication token to cluster identities.", "claim": "claim is an optional field for specifying the JWT token claim that is used in the mapping. The value of this claim will be assigned to the field in which this mapping is associated. claim must not exceed 256 characters in length. When set to the empty string `\"\"`, this means that no named claim should be used for the group mapping. claim is required when the ExternalOIDCWithUpstreamParity feature gate is not enabled.", diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 97db1d8936f..915a38846c4 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -196,6 +196,8 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.BuildSpec": schema_openshift_api_config_v1_BuildSpec(ref), "github.com/openshift/api/config/v1.CertInfo": schema_openshift_api_config_v1_CertInfo(ref), "github.com/openshift/api/config/v1.ClientConnectionOverrides": schema_openshift_api_config_v1_ClientConnectionOverrides(ref), + "github.com/openshift/api/config/v1.ClientCredentialConfig": schema_openshift_api_config_v1_ClientCredentialConfig(ref), + "github.com/openshift/api/config/v1.ClientSecretSecretReference": schema_openshift_api_config_v1_ClientSecretSecretReference(ref), "github.com/openshift/api/config/v1.CloudControllerManagerStatus": schema_openshift_api_config_v1_CloudControllerManagerStatus(ref), "github.com/openshift/api/config/v1.CloudLoadBalancerConfig": schema_openshift_api_config_v1_CloudLoadBalancerConfig(ref), "github.com/openshift/api/config/v1.CloudLoadBalancerIPs": schema_openshift_api_config_v1_CloudLoadBalancerIPs(ref), @@ -244,10 +246,15 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.EquinixMetalPlatformStatus": schema_openshift_api_config_v1_EquinixMetalPlatformStatus(ref), "github.com/openshift/api/config/v1.EtcdConnectionInfo": schema_openshift_api_config_v1_EtcdConnectionInfo(ref), "github.com/openshift/api/config/v1.EtcdStorageConfig": schema_openshift_api_config_v1_EtcdStorageConfig(ref), + "github.com/openshift/api/config/v1.ExternalClaimsSource": schema_openshift_api_config_v1_ExternalClaimsSource(ref), "github.com/openshift/api/config/v1.ExternalIPConfig": schema_openshift_api_config_v1_ExternalIPConfig(ref), "github.com/openshift/api/config/v1.ExternalIPPolicy": schema_openshift_api_config_v1_ExternalIPPolicy(ref), "github.com/openshift/api/config/v1.ExternalPlatformSpec": schema_openshift_api_config_v1_ExternalPlatformSpec(ref), "github.com/openshift/api/config/v1.ExternalPlatformStatus": schema_openshift_api_config_v1_ExternalPlatformStatus(ref), + "github.com/openshift/api/config/v1.ExternalSourceAuthentication": schema_openshift_api_config_v1_ExternalSourceAuthentication(ref), + "github.com/openshift/api/config/v1.ExternalSourceCertificateAuthorityConfigMapReference": schema_openshift_api_config_v1_ExternalSourceCertificateAuthorityConfigMapReference(ref), + "github.com/openshift/api/config/v1.ExternalSourcePredicate": schema_openshift_api_config_v1_ExternalSourcePredicate(ref), + "github.com/openshift/api/config/v1.ExternalSourceTLS": schema_openshift_api_config_v1_ExternalSourceTLS(ref), "github.com/openshift/api/config/v1.ExtraMapping": schema_openshift_api_config_v1_ExtraMapping(ref), "github.com/openshift/api/config/v1.FeatureGate": schema_openshift_api_config_v1_FeatureGate(ref), "github.com/openshift/api/config/v1.FeatureGateAttributes": schema_openshift_api_config_v1_FeatureGateAttributes(ref), @@ -413,6 +420,8 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.SecretNameReference": schema_openshift_api_config_v1_SecretNameReference(ref), "github.com/openshift/api/config/v1.ServingInfo": schema_openshift_api_config_v1_ServingInfo(ref), "github.com/openshift/api/config/v1.SignatureStore": schema_openshift_api_config_v1_SignatureStore(ref), + "github.com/openshift/api/config/v1.SourceURL": schema_openshift_api_config_v1_SourceURL(ref), + "github.com/openshift/api/config/v1.SourcedClaimMapping": schema_openshift_api_config_v1_SourcedClaimMapping(ref), "github.com/openshift/api/config/v1.Storage": schema_openshift_api_config_v1_Storage(ref), "github.com/openshift/api/config/v1.StringSource": schema_openshift_api_config_v1_StringSource(ref), "github.com/openshift/api/config/v1.StringSourceSpec": schema_openshift_api_config_v1_StringSourceSpec(ref), @@ -10724,6 +10733,91 @@ func schema_openshift_api_config_v1_ClientConnectionOverrides(ref common.Referen } } +func schema_openshift_api_config_v1_ClientCredentialConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ClientCredentialConfig configures the client credentials and token endpoint to use to get an access token via the OAuth2 client credentials grant flow.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "clientID": { + SchemaProps: spec.SchemaProps{ + Description: "clientID is a required client identifier to use during the OAuth2 client credentials flow. clientID must be at least 1 character in length, must not exceed 256 characters in length, and must only contain printable ASCII characters.", + Type: []string{"string"}, + Format: "", + }, + }, + "clientSecret": { + SchemaProps: spec.SchemaProps{ + Description: "clientSecret is a required reference to a Secret in the openshift-config namespace to be used as the client secret during the OAuth2 client credentials flow.\n\nThe key 'client-secret' is used to locate the client secret data in the Secret.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.ClientSecretSecretReference"), + }, + }, + "tokenEndpoint": { + SchemaProps: spec.SchemaProps{ + Description: "tokenEndpoint is a required URL to query for an access token using the client credential OAuth2 flow. tokenEndpoint must be at least 1 character in length and must not exceed 2048 characters in length. tokenEndpoint must be a valid HTTPS URL. tokenEndpoint must have a host and a path. tokenEndpoint must not contain query parameters, fragments, or user information (e.g., \"user:password@host\").", + Type: []string{"string"}, + Format: "", + }, + }, + "scopes": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "set", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "scopes is an optional list of OAuth2 scopes to request when obtaining an access token.\n\nIf not specified, the token endpoint's default scopes will be used.\n\nWhen specified, there must be at least 1 entry and must not exceed 16 entries. Each entry must be at least 1 character in length and must not exceed 256 characters in length. Each entry must only contain printable ASCII characters, excluding spaces, double quotes and backslashes. Entries must be unique.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "tls": { + SchemaProps: spec.SchemaProps{ + Description: "tls is an optional field that allows configuring the TLS settings used to interact with the identity provider as an OAuth2 client.\n\nWhen omitted, system default TLS settings will be used for the OAuth2 client.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.ExternalSourceTLS"), + }, + }, + }, + Required: []string{"clientID", "clientSecret", "tokenEndpoint"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.ClientSecretSecretReference", "github.com/openshift/api/config/v1.ExternalSourceTLS"}, + } +} + +func schema_openshift_api_config_v1_ClientSecretSecretReference(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ClientSecretSecretReference is a reference to a Secret in the openshift-config namespace that should be used for configuring the client secret to be used when sourcing claims from external sources with the client credential authentication flow.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { + SchemaProps: spec.SchemaProps{ + Description: "name is the required name of the Secret that exists in the openshift-config namespace.\n\nIt must be at least 1 character in length, must not exceed 253 characters in length, must start and end with a lowercase alphanumeric character, and must only contain lowercase alphanumeric characters, '-' or '.'.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"name"}, + }, + }, + } +} + func schema_openshift_api_config_v1_CloudControllerManagerStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -12933,6 +13027,87 @@ func schema_openshift_api_config_v1_EtcdStorageConfig(ref common.ReferenceCallba } } +func schema_openshift_api_config_v1_ExternalClaimsSource(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ExternalClaimsSource provides the configuration for a single external claim source.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "authentication": { + SchemaProps: spec.SchemaProps{ + Description: "authentication is an optional field that configures how the apiserver authenticates with an external claims source. When not specified, anonymous authentication is used.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.ExternalSourceAuthentication"), + }, + }, + "tls": { + SchemaProps: spec.SchemaProps{ + Description: "tls is an optional field that configures the http client TLS settings when fetching external claims from this source.\n\nWhen omitted, system default TLS settings will be used for fetching claims from the external source.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.ExternalSourceTLS"), + }, + }, + "url": { + SchemaProps: spec.SchemaProps{ + Description: "url is a required configuration of the URL for which the external claims are located.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.SourceURL"), + }, + }, + "mappings": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "name", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "mappings is a required list of the claim and response handling expression pairs that produces the claims from the external source. mappings must have at least 1 entry and must not exceed 16 entries. Entries must have a unique name across all external claim sources.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.SourcedClaimMapping"), + }, + }, + }, + }, + }, + "predicates": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "expression", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "predicates is an optional list of constraints in which claims should attempt to be fetched from this external source.\n\nWhen omitted or empty, claims are always attempted to be fetched from this external source.\n\nWhen specified, all predicates must evaluate to 'true' before claims are attempted to be fetched from this external source.\n\npredicates must not exceed 16 entries. Entries must have unique expressions.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.ExternalSourcePredicate"), + }, + }, + }, + }, + }, + }, + Required: []string{"url", "mappings"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.ExternalSourceAuthentication", "github.com/openshift/api/config/v1.ExternalSourcePredicate", "github.com/openshift/api/config/v1.ExternalSourceTLS", "github.com/openshift/api/config/v1.SourceURL", "github.com/openshift/api/config/v1.SourcedClaimMapping"}, + } +} + func schema_openshift_api_config_v1_ExternalIPConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -13070,6 +13245,102 @@ func schema_openshift_api_config_v1_ExternalPlatformStatus(ref common.ReferenceC } } +func schema_openshift_api_config_v1_ExternalSourceAuthentication(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ExternalSourceAuthentication configures how the apiserver should attempt to authenticate with an external claims source.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "type": { + SchemaProps: spec.SchemaProps{ + Description: "type is a required field that sets the type of authentication method used by the authenticator when fetching external claims.\n\nAllowed values are 'RequestProvidedToken' and 'ClientCredential'.\n\nWhen set to 'RequestProvidedToken', the authenticator will use the token provided to the kube-apiserver as part of the request to authenticate with the external claims source.\n\nWhen set to 'ClientCredential', the authenticator will use the configured client-id, client-secret, and token endpoint to fetch an access token using the OAuth2 client credentials grant flow. The fetched access token will then be used to authenticate with the external claims source.\n\n\nPossible enum values:\n - `\"ClientCredential\"` is an ExternalSourceAuthenticationType that represents that the authenticator should use the OAuth2 client credentials grant flow to obtain an access token for authenticating with the external claims source. This is useful for scenarios such as fetching user information from Microsoft's Graph API where a separate client credential is needed to access the API.\n - `\"RequestProvidedToken\"` is an ExternalSourceAuthenticationType that represents that the token being evaluated for authentication should be used for authenticating with the external claims source. This is useful for scenarios where a token has multiple audiences and scopes so that it can be used to access both the cluster and the UserInfo endpoint that contains additional information about the user not present in the token.", + Type: []string{"string"}, + Format: "", + Enum: []interface{}{"ClientCredential", "RequestProvidedToken"}, + }, + }, + "clientCredential": { + SchemaProps: spec.SchemaProps{ + Description: "clientCredential configures the client credentials and token endpoint to use to get an access token. clientCredential is required when type is 'ClientCredential', and forbidden otherwise.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.ClientCredentialConfig"), + }, + }, + }, + Required: []string{"type"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.ClientCredentialConfig"}, + } +} + +func schema_openshift_api_config_v1_ExternalSourceCertificateAuthorityConfigMapReference(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "CertificateAuthorityConfigMapReference is a reference to a ConfigMap in the openshift-config namespace that should be used for configuring the certificate authority to be used when sourcing claims from external sources.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { + SchemaProps: spec.SchemaProps{ + Description: "name is the required name of the ConfigMap that exists in the openshift-config namespace.\n\nIt must be at least 1 character in length, must not exceed 253 characters in length, must start and end with a lowercase alphanumeric character, and must only contain lowercase alphanumeric characters, '-' or '.'.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"name"}, + }, + }, + } +} + +func schema_openshift_api_config_v1_ExternalSourcePredicate(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ExternalSourcePredicate configures a singular condition that must return true before the external source is queried to retrieve external claims.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "expression": { + SchemaProps: spec.SchemaProps{ + Description: "expression is a required CEL expression that is used to determine whether or not an external source should be used to fetch external claims.\n\nThe expression must return a boolean value, where true means that the source should be consulted and false means that it should not.\n\nClaims from the token used for the request to the kube-apiserver are made available via the `claims` variable.\n\nexpression must be at least 1 character and must not exceed 1024 characters in length.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"expression"}, + }, + }, + } +} + +func schema_openshift_api_config_v1_ExternalSourceTLS(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ExternalSourceTLS configures the TLS options that the apiserver uses as a client when making a request to the external claim source.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "certificateAuthority": { + SchemaProps: spec.SchemaProps{ + Description: "certificateAuthority is a required reference to a ConfigMap in the openshift-config namespace that contains the CA certificate to use to validate TLS connections with the external claims source.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.ExternalSourceCertificateAuthorityConfigMapReference"), + }, + }, + }, + Required: []string{"certificateAuthority"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.ExternalSourceCertificateAuthorityConfigMapReference"}, + } +} + func schema_openshift_api_config_v1_ExtraMapping(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -18203,12 +18474,31 @@ func schema_openshift_api_config_v1_OIDCProvider(ref common.ReferenceCallback) c }, }, }, + "externalClaimsSources": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "externalClaimsSources is an optional field that can be used to configure sources, external to the token provided in a request, in which claims should be fetched from and made available to the claim mapping process that is used to build the identity of a token holder.\n\nFor example, fetching additional user metadata from an OIDC provider's UserInfo endpoint.\n\nWhen not specified, only claims present in the token itself will be available in the claim mapping process.\n\nWhen specified, at least one external claim source must be specified and no more than 5 sources may be specified.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.ExternalClaimsSource"), + }, + }, + }, + }, + }, }, Required: []string{"name", "issuer", "claimMappings"}, }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.OIDCClientConfig", "github.com/openshift/api/config/v1.TokenClaimMappings", "github.com/openshift/api/config/v1.TokenClaimValidationRule", "github.com/openshift/api/config/v1.TokenIssuer", "github.com/openshift/api/config/v1.TokenUserValidationRule"}, + "github.com/openshift/api/config/v1.ExternalClaimsSource", "github.com/openshift/api/config/v1.OIDCClientConfig", "github.com/openshift/api/config/v1.TokenClaimMappings", "github.com/openshift/api/config/v1.TokenClaimValidationRule", "github.com/openshift/api/config/v1.TokenIssuer", "github.com/openshift/api/config/v1.TokenUserValidationRule"}, } } @@ -20787,6 +21077,62 @@ func schema_openshift_api_config_v1_SignatureStore(ref common.ReferenceCallback) } } +func schema_openshift_api_config_v1_SourceURL(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "SourceURL configures the options used to build the URL that is queried for external claims.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "hostname": { + SchemaProps: spec.SchemaProps{ + Description: "hostname is a required hostname for which the external claims are located.\n\nIt must be a valid DNS subdomain name as per RFC1123.\n\nThis means that it must start and end with a lowercase alphanumeric character, must only consist of lowercase alphanumeric characters, '-', and '.'. hostname must be at least 1 character in length and must not exceed 253 characters in length. hostname may optionally specify a port in the format ':{port}'. If a port is specified it must not exceed 65535.", + Type: []string{"string"}, + Format: "", + }, + }, + "pathExpression": { + SchemaProps: spec.SchemaProps{ + Description: "pathExpression is a required CEL expression that returns a list of string values used to construct the URL path. Claims from the token used for the request to the kube-apiserver are made available via the `claims` variable. expression must be at least 1 character in length and must not exceed 1024 characters in length.\n\nValues in the returned list will be joined with the hostname using a forward slash (`/`) as a separator. Values in the returned list do not need to include the forward slash.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"hostname", "pathExpression"}, + }, + }, + } +} + +func schema_openshift_api_config_v1_SourcedClaimMapping(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "SourcedClaimMapping configures the mapping behavior for a single external claim from the response the apiserver received from the external claim source.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { + SchemaProps: spec.SchemaProps{ + Description: "name is a required name of the claim that will be produced and made available during the claim-to-identity mapping process. name must consist of only lowercase alpha characters and underscores ('_'). name must be at least 1 character and must not exceed 256 characters in length.", + Type: []string{"string"}, + Format: "", + }, + }, + "expression": { + SchemaProps: spec.SchemaProps{ + Description: "expression is a required CEL expression that will produce a value to be assigned to the claim. The full response body from the request to the external claim source is provided via the `response` variable. expression must be at least 1 character and must not exceed 1024 characters in length.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"name", "expression"}, + }, + }, + } +} + func schema_openshift_api_config_v1_Storage(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/openapi/openapi.json b/openapi/openapi.json index c8511e062cf..3e496c093de 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -16858,6 +16858,42 @@ } } }, + "com.github.openshift.api.config.v1.ClientCredentialConfig": { + "description": "ClientCredentialConfig configures the client credentials and token endpoint to use to get an access token via the OAuth2 client credentials grant flow.", + "type": "object", + "required": [ + "clientID", + "clientSecret", + "tokenEndpoint" + ], + "properties": { + "clientID": { + "description": "clientID is a required client identifier to use during the OAuth2 client credentials flow. clientID must be at least 1 character in length, must not exceed 256 characters in length, and must only contain printable ASCII characters.", + "type": "string" + }, + "clientSecret": { + "description": "clientSecret is the client secret to use during the OAuth2 client credentials flow. clientSecret must be at least 1 character in length, must not exceed 256 characters in length, and must only contain printable ASCII characters.", + "type": "string" + }, + "scopes": { + "description": "scopes is an optional list of OAuth2 scopes to request when obtaining an access token.\n\nIf not specified, the token endpoint's default scopes will be used.\n\nWhen specified, there must be at least 1 entry and must not exceed 16 entries. Each entry must be at least 1 character in length and must not exceed 256 characters in length. Each entry must only contain printable ASCII characters, excluding spaces, double quotes (\") and backslashes (\\).", + "type": "array", + "items": { + "type": "string", + "default": "" + } + }, + "tls": { + "description": "tls is an optional field that allows configuring the TLS settings used to interact with the identity provider as an OAuth2 client.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.ExternalSourceTLS" + }, + "tokenEndpoint": { + "description": "tokenEndpoint is a required URL to query for an access token using the client credential OAuth2 flow. tokenEndpoint must be at least 1 character in length and must not exceed 2048 characters in length. tokenEndpoint must be a valid HTTPS URL. tokenEndpoint must have a host and a path. tokenEndpoint must not contain query parameters, fragments, or user information (e.g., \"user:password@host\").", + "type": "string" + } + } + }, "com.github.openshift.api.config.v1.CloudControllerManagerStatus": { "description": "CloudControllerManagerStatus holds the state of Cloud Controller Manager (a.k.a. CCM or CPI) related settings", "type": "object", @@ -18134,6 +18170,55 @@ } } }, + "com.github.openshift.api.config.v1.ExternalClaimsSource": { + "description": "ExternalClaimsSource provides the configuration for a single external claim source.", + "type": "object", + "required": [ + "url", + "mappings" + ], + "properties": { + "authentication": { + "description": "authentication is an optional field that configures how the apiserver authenticates with an external claims source. When not specified, anonymous authentication is used.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.ExternalSourceAuthentication" + }, + "conditions": { + "description": "conditions is an optional list of conditions in which claims should attempt to be fetched from this external source.\n\nWhen omitted or empty, claims are always attempted to be fetched from this external source.\n\nWhen specified, all conditions must evaluate to 'true' before claims are attempted to be fetched from this external source.\n\nconditions must not exceed 16 entries. Entries must have unique expressions.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.ExternalSourceCondition" + }, + "x-kubernetes-list-map-keys": [ + "expression" + ], + "x-kubernetes-list-type": "map" + }, + "mappings": { + "description": "mappings is a required list of the claim and response handling expression pairs that produces the claims from the external source. mappings must have at least 1 entry and must not exceed 16 entries. Entries must have a unique name across all external claim sources.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.SourcedClaimMapping" + }, + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, + "tls": { + "description": "tls is an optional field that configures the http client TLS settings when fetching external claims from this source.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.ExternalSourceTLS" + }, + "url": { + "description": "url is a required configuration of the URL for which the external claims are located.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.SourceURL" + } + } + }, "com.github.openshift.api.config.v1.ExternalIPConfig": { "description": "ExternalIPConfig specifies some IP blocks relevant for the ExternalIP field of a Service resource.", "type": "object", @@ -18199,6 +18284,68 @@ } } }, + "com.github.openshift.api.config.v1.ExternalSourceAuthentication": { + "description": "ExternalSourceAuthentication configures how the apiserver should attempt to authenticate with an external claims source.", + "type": "object", + "required": [ + "type" + ], + "properties": { + "clientCredential": { + "description": "clientCredential configures the client credentials and token endpoint to use to get an access token. clientCredential is required when type is 'ClientCredential', and forbidden otherwise.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.ClientCredentialConfig" + }, + "type": { + "description": "type is a required field that sets the type of authentication method used by the authenticator when fetching external claims.\n\nAllowed values are 'RequestProvidedToken' and 'ClientCredential'.\n\nWhen set to 'RequestProvidedToken', the authenticator will use the token provided to the kube-apiserver as part of the request to authenticate with the external claims source.\n\nWhen set to 'ClientCredential', the authenticator will use the configured client-id, client-secret, and token endpoint to fetch an access token using the OAuth2 client credentials grant flow. The fetched access token will then be used to authenticate with the external claims source.\n\n\nPossible enum values:\n - `\"ClientCredential\"` is an ExternalSourceAuthenticationType that represents that the authenticator should use the OAuth2 client credentials grant flow to obtain an access token for authenticating with the external claims source. This is useful for scenarios such as fetching user information from Microsoft's Graph API where a separate client credential is needed to access the API.\n - `\"RequestProvidedToken\"` is an ExternalSourceAuthenticationType that represents that the token being evaluated for authentication should be used for authenticating with the external claims source. This is useful for scenarios where a token has multiple audiences and scopes so that it can be used to access both the cluster and the UserInfo endpoint that contains additional information about the user not present in the token.", + "type": "string", + "enum": [ + "ClientCredential", + "RequestProvidedToken" + ] + } + } + }, + "com.github.openshift.api.config.v1.ExternalSourceCertificateAuthoritySecretReference": { + "description": "CertificateAuthoritySecretReference is a reference to a Secret in the openshift-config namespace that should be used for configuring the certificate authority to be used when sourcing claims from external sources.", + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "description": "name is the required name of the Secret that exists in the openshift-config namespace.\n\nIt must be at least 1 character in length, must not exceed 253 characters in length, must start and end with a lowercase alphanumeric character, and must only contain lowercase alphanumeric characters, '-' or '.'.", + "type": "string" + } + } + }, + "com.github.openshift.api.config.v1.ExternalSourceCondition": { + "description": "ExternalSourceCondition configures a singular condition that must return true before the external source is queried to retrieve external claims.", + "type": "object", + "required": [ + "expression" + ], + "properties": { + "expression": { + "description": "expression is a required CEL expression that is used to determine whether or not an external source should be used to fetch external claims.\n\nThe expression must return a boolean value, where true means that the source should be consulted and false means that it should not.\n\nClaims from the token used for the request to the kube-apiserver are made available via the `claims` variable.\n\nexpression must be at least 1 character and must not exceed 1024 characters in length.", + "type": "string" + } + } + }, + "com.github.openshift.api.config.v1.ExternalSourceTLS": { + "description": "ExternalSourceTLS configures the TLS options that the apiserver uses as a client when making a request to the external claim source.", + "type": "object", + "required": [ + "certificateAuthority" + ], + "properties": { + "certificateAuthority": { + "description": "certificateAuthority is a required reference to a secret in the openshift-config namespace that contains the CA certificate to use to validate TLS connections with the external claims source.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.ExternalSourceCertificateAuthoritySecretReference" + } + } + }, "com.github.openshift.api.config.v1.ExtraMapping": { "description": "ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token.", "type": "object", @@ -21203,6 +21350,15 @@ }, "x-kubernetes-list-type": "atomic" }, + "externalClaimsSources": { + "description": "externalClaimSources is an optional field that can be used to configure sources, external to the token provided in a request, in which claims should be fetched from and made available to the claim mapping process that is used to build the identity of a token holder.\n\nFor example, fetching additional user metadata from an OIDC provider's UserInfo endpoint.\n\nWhen not specified, only claims present in the token itself will be available in the claim mapping process.\n\nWhen specified, at least one external claim source must be specified and no more than 5 sources may be specified.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.ExternalClaimsSource" + }, + "x-kubernetes-list-type": "atomic" + }, "issuer": { "description": "issuer is a required field that configures how the platform interacts with the identity provider and how tokens issued from the identity provider are evaluated by the Kubernetes API server.", "default": {}, @@ -22742,6 +22898,42 @@ } } }, + "com.github.openshift.api.config.v1.SourceURL": { + "description": "SourceURL configures the options used to build the URL that is queried for external claims.", + "type": "object", + "required": [ + "hostname", + "pathExpression" + ], + "properties": { + "hostname": { + "description": "hostname is a required hostname for which the external claims are located.\n\nIt must be a valid DNS subdomain name as per RFC1123.\n\nThis means that it must start and end with a lowercase alphanumeric character, must only consist of lowercase alphanumeric characters, '-', and '.'. hostname must be at least 1 character in length and must not exceed 253 characters in length. hostname may optionally specify a port in the format ':{port}'. If a port is specified it must not exceed 65535.", + "type": "string" + }, + "pathExpression": { + "description": "pathExpression is a required CEL expression that returns a list of string values used to construct the URL path. Claims from the token used for the request to the kube-apiserver are made available via the `claims` variable. expression must be at least 1 character in length and must not exceed 1024 characters in length.", + "type": "string" + } + } + }, + "com.github.openshift.api.config.v1.SourcedClaimMapping": { + "description": "SourcedClaimMapping configures the mapping behavior for a single external claim from the response the apiserver received from the external claim source.", + "type": "object", + "required": [ + "name", + "expression" + ], + "properties": { + "expression": { + "description": "expression is a required CEL expression that will produce a value to be assigned to the claim. The full response body from the request to the external claim source is provided via the `response` variable. expression must be at least 1 character and must not exceed 1024 characters in length.", + "type": "string" + }, + "name": { + "description": "name is a required name of the claim that will be produced and made available during the claim-to-identity mapping process. name must consist of only lowercase alpha characters and underscores ('_'). name must be at least 1 character and must not exceed 256 characters in length.", + "type": "string" + } + } + }, "com.github.openshift.api.config.v1.Storage": { "description": "Storage provides persistent storage configuration options for gathering jobs. If the type is set to PersistentVolume, then the PersistentVolume must be defined. If the type is set to Ephemeral, then the PersistentVolume must not be defined.", "type": "object", diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml index cd737e2727f..b4a8fc2d23b 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml @@ -446,6 +446,386 @@ spec: ? has(self.requiredClaim) : !has(self.requiredClaim)' type: array x-kubernetes-list-type: atomic + externalClaimsSources: + description: |- + externalClaimsSources is an optional field that can be used to configure + sources, external to the token provided in a request, in which claims + should be fetched from and made available to the claim mapping process + that is used to build the identity of a token holder. + + For example, fetching additional user metadata from an OIDC provider's UserInfo endpoint. + + When not specified, only claims present in the token itself will be available + in the claim mapping process. + + When specified, at least one external claim source must be specified and no more than 5 + sources may be specified. + items: + description: ExternalClaimsSource provides the configuration + for a single external claim source. + properties: + authentication: + description: |- + authentication is an optional field that configures how the apiserver authenticates with an external claims source. + When not specified, anonymous authentication is used. + properties: + clientCredential: + description: |- + clientCredential configures the client credentials + and token endpoint to use to get an access token. + clientCredential is required when type is 'ClientCredential', and forbidden otherwise. + properties: + clientID: + description: |- + clientID is a required client identifier to use during the OAuth2 client credentials flow. + clientID must be at least 1 character in length, must not exceed 256 characters in length, + and must only contain printable ASCII characters. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: clientID must only contain printable + ASCII characters + rule: self.matches('^[[:print:]]+$') + clientSecret: + description: |- + clientSecret is a required reference to a Secret in the openshift-config namespace to be used + as the client secret during the OAuth2 client credentials flow. + + The key 'client-secret' is used to locate the client secret data in the Secret. + properties: + name: + description: |- + name is the required name of the Secret that exists in the openshift-config namespace. + + It must be at least 1 character in length, must not exceed 253 characters in length, + must start and end with a lowercase alphanumeric character, and must only contain + lowercase alphanumeric characters, '-' or '.'. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must start and end with a + lowercase alphanumeric character, and + must only contain lowercase alphanumeric + characters, '-' or '.' + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + scopes: + description: |- + scopes is an optional list of OAuth2 scopes to request when obtaining + an access token. + + If not specified, the token endpoint's default scopes + will be used. + + When specified, there must be at least 1 entry and must not exceed 16 entries. + Each entry must be at least 1 character in length and must not exceed 256 characters in length. + Each entry must only contain printable ASCII characters, excluding spaces, double quotes and backslashes. + Entries must be unique. + items: + description: OAuth2Scope is a string alias that + represents an OAuth2 Scope as defined by https://datatracker.ietf.org/doc/html/rfc6749#appendix-A.4 + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: scopes must only contain printable + ASCII characters excluding spaces, double + quotes and backslashes + rule: self.matches('^[!#-[\\]-~]+$') + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: set + tls: + description: |- + tls is an optional field that allows configuring the TLS + settings used to interact with the identity provider + as an OAuth2 client. + + When omitted, system default TLS settings will be used + for the OAuth2 client. + properties: + certificateAuthority: + description: |- + certificateAuthority is a required reference to a ConfigMap in the openshift-config + namespace that contains the CA certificate to use to validate TLS connections with the external claims source. + properties: + name: + description: |- + name is the required name of the ConfigMap that exists in the openshift-config namespace. + + It must be at least 1 character in length, must not exceed 253 characters in length, + must start and end with a lowercase alphanumeric character, and must only contain + lowercase alphanumeric characters, '-' or '.'. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must start and end with + a lowercase alphanumeric character, + and must only contain lowercase alphanumeric + characters, '-' or '.' + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + required: + - certificateAuthority + type: object + tokenEndpoint: + description: |- + tokenEndpoint is a required URL to query for an access token using + the client credential OAuth2 flow. + tokenEndpoint must be at least 1 character in length and must not exceed 2048 characters in length. + tokenEndpoint must be a valid HTTPS URL. + tokenEndpoint must have a host and a path. + tokenEndpoint must not contain query parameters, fragments, + or user information (e.g., "user:password@host"). + maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: tokenEndpoint must be a valid HTTPS + url + rule: isURL(self) + - message: tokenEndpoint must be a valid HTTPS + url + rule: isURL(self) && url(self).getScheme() == + 'https' + - message: tokenEndpoint must have a hostname + rule: isURL(self) && url(self).getHost() != + '' + - message: tokenEndpoint must have a path + rule: isURL(self) && url(self).getEscapedPath() + != '' + - message: tokenEndpoint must not have query parameters + rule: isURL(self) && url(self).getQuery() == + {} + - message: tokenEndpoint must not have a fragment + rule: self.find('#(.+)$') == '' + - message: tokenEndpoint must not have user info + rule: self.find('@') == '' + required: + - clientID + - clientSecret + - tokenEndpoint + type: object + type: + description: |- + type is a required field that sets the type of + authentication method used by the authenticator + when fetching external claims. + + Allowed values are 'RequestProvidedToken' and 'ClientCredential'. + + When set to 'RequestProvidedToken', the authenticator will + use the token provided to the kube-apiserver as part of the + request to authenticate with the external claims source. + + When set to 'ClientCredential', the authenticator will + use the configured client-id, client-secret, and token endpoint + to fetch an access token using the OAuth2 client credentials grant + flow. The fetched access token will then be used to authenticate + with the external claims source. + enum: + - RequestProvidedToken + - ClientCredential + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: clientCredential is required when type is ClientCredential, + and forbidden otherwise + rule: 'self.type == ''ClientCredential'' ? has(self.clientCredential) + : !has(self.clientCredential)' + mappings: + description: |- + mappings is a required list of the claim + and response handling expression pairs + that produces the claims from the external source. + mappings must have at least 1 entry and must not exceed 16 entries. + Entries must have a unique name across all external claim sources. + items: + description: |- + SourcedClaimMapping configures the mapping behavior for a single external claim + from the response the apiserver received from the external claim source. + properties: + expression: + description: |- + expression is a required CEL expression that + will produce a value to be assigned to the claim. + The full response body from the request to the + external claim source is provided via the + `response` variable. + expression must be at least 1 character and must not exceed 1024 characters in length. + maxLength: 1024 + minLength: 1 + type: string + name: + description: |- + name is a required name of the claim that + will be produced and made available during + the claim-to-identity mapping process. + name must consist of only lowercase alpha characters and underscores ('_'). + name must be at least 1 character and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must consist of only lowercase alpha + characters and underscores + rule: self.matches('^[a-z_]+$') + required: + - expression + - name + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + predicates: + description: |- + predicates is an optional list of constraints in + which claims should attempt to be fetched from this + external source. + + When omitted or empty, claims are always attempted to be fetched + from this external source. + + When specified, all predicates must evaluate to 'true' + before claims are attempted to be fetched from this external source. + + predicates must not exceed 16 entries. + Entries must have unique expressions. + items: + description: |- + ExternalSourcePredicate configures a singular condition + that must return true before the external source is queried + to retrieve external claims. + properties: + expression: + description: |- + expression is a required CEL expression that + is used to determine whether or not an external + source should be used to fetch external claims. + + The expression must return a boolean value, + where true means that the source should be consulted + and false means that it should not. + + Claims from the token used for the request to the kube-apiserver + are made available via the `claims` variable. + + expression must be at least 1 character and must not exceed 1024 characters in length. + maxLength: 1024 + minLength: 1 + type: string + required: + - expression + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - expression + x-kubernetes-list-type: map + tls: + description: |- + tls is an optional field that configures the http client TLS + settings when fetching external claims from this source. + + When omitted, system default TLS settings will be used + for fetching claims from the external source. + properties: + certificateAuthority: + description: |- + certificateAuthority is a required reference to a ConfigMap in the openshift-config + namespace that contains the CA certificate to use to validate TLS connections with the external claims source. + properties: + name: + description: |- + name is the required name of the ConfigMap that exists in the openshift-config namespace. + + It must be at least 1 character in length, must not exceed 253 characters in length, + must start and end with a lowercase alphanumeric character, and must only contain + lowercase alphanumeric characters, '-' or '.'. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must start and end with a lowercase + alphanumeric character, and must only contain + lowercase alphanumeric characters, '-' or + '.' + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + required: + - certificateAuthority + type: object + url: + description: |- + url is a required configuration of the URL + for which the external claims are located. + properties: + hostname: + description: |- + hostname is a required hostname for which the external claims are located. + + It must be a valid DNS subdomain name as per RFC1123. + + This means that it must start and end with a lowercase alphanumeric character, + must only consist of lowercase alphanumeric characters, '-', and '.'. + hostname must be at least 1 character in length and must not exceed 253 characters in length. + hostname may optionally specify a port in the format ':{port}'. + If a port is specified it must not exceed 65535. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: hostname must be a valid hostname + rule: isURL('https://'+self) + - message: hostname before port must start and end + with a lowercase alphanumeric character, and must + only contain lowercase alphanumeric characters, + '-' or '.' + rule: '!format.dns1123Subdomain().validate(self.split('':'')[0]).hasValue()' + - message: port must not exceed 65535 + rule: 'self.split('':'').size() > 1 ? int(self.split('':'')[1]) + <= 65535 : true' + pathExpression: + description: |- + pathExpression is a required CEL expression that returns a list + of string values used to construct the URL path. + Claims from the token used for the request to the kube-apiserver + are made available via the `claims` variable. + expression must be at least 1 character in length and must not exceed 1024 characters in length. + + Values in the returned list will be joined with the hostname using a forward slash + (`/`) as a separator. Values in the returned list do not need to include the forward slash. + maxLength: 1024 + minLength: 1 + type: string + required: + - hostname + - pathExpression + type: object + required: + - mappings + - url + type: object + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-type: atomic issuer: description: issuer is a required field that configures how the platform interacts with the identity provider and how diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml index bf116984ffd..90f737f2737 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml @@ -446,6 +446,386 @@ spec: ? has(self.requiredClaim) : !has(self.requiredClaim)' type: array x-kubernetes-list-type: atomic + externalClaimsSources: + description: |- + externalClaimsSources is an optional field that can be used to configure + sources, external to the token provided in a request, in which claims + should be fetched from and made available to the claim mapping process + that is used to build the identity of a token holder. + + For example, fetching additional user metadata from an OIDC provider's UserInfo endpoint. + + When not specified, only claims present in the token itself will be available + in the claim mapping process. + + When specified, at least one external claim source must be specified and no more than 5 + sources may be specified. + items: + description: ExternalClaimsSource provides the configuration + for a single external claim source. + properties: + authentication: + description: |- + authentication is an optional field that configures how the apiserver authenticates with an external claims source. + When not specified, anonymous authentication is used. + properties: + clientCredential: + description: |- + clientCredential configures the client credentials + and token endpoint to use to get an access token. + clientCredential is required when type is 'ClientCredential', and forbidden otherwise. + properties: + clientID: + description: |- + clientID is a required client identifier to use during the OAuth2 client credentials flow. + clientID must be at least 1 character in length, must not exceed 256 characters in length, + and must only contain printable ASCII characters. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: clientID must only contain printable + ASCII characters + rule: self.matches('^[[:print:]]+$') + clientSecret: + description: |- + clientSecret is a required reference to a Secret in the openshift-config namespace to be used + as the client secret during the OAuth2 client credentials flow. + + The key 'client-secret' is used to locate the client secret data in the Secret. + properties: + name: + description: |- + name is the required name of the Secret that exists in the openshift-config namespace. + + It must be at least 1 character in length, must not exceed 253 characters in length, + must start and end with a lowercase alphanumeric character, and must only contain + lowercase alphanumeric characters, '-' or '.'. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must start and end with a + lowercase alphanumeric character, and + must only contain lowercase alphanumeric + characters, '-' or '.' + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + scopes: + description: |- + scopes is an optional list of OAuth2 scopes to request when obtaining + an access token. + + If not specified, the token endpoint's default scopes + will be used. + + When specified, there must be at least 1 entry and must not exceed 16 entries. + Each entry must be at least 1 character in length and must not exceed 256 characters in length. + Each entry must only contain printable ASCII characters, excluding spaces, double quotes and backslashes. + Entries must be unique. + items: + description: OAuth2Scope is a string alias that + represents an OAuth2 Scope as defined by https://datatracker.ietf.org/doc/html/rfc6749#appendix-A.4 + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: scopes must only contain printable + ASCII characters excluding spaces, double + quotes and backslashes + rule: self.matches('^[!#-[\\]-~]+$') + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: set + tls: + description: |- + tls is an optional field that allows configuring the TLS + settings used to interact with the identity provider + as an OAuth2 client. + + When omitted, system default TLS settings will be used + for the OAuth2 client. + properties: + certificateAuthority: + description: |- + certificateAuthority is a required reference to a ConfigMap in the openshift-config + namespace that contains the CA certificate to use to validate TLS connections with the external claims source. + properties: + name: + description: |- + name is the required name of the ConfigMap that exists in the openshift-config namespace. + + It must be at least 1 character in length, must not exceed 253 characters in length, + must start and end with a lowercase alphanumeric character, and must only contain + lowercase alphanumeric characters, '-' or '.'. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must start and end with + a lowercase alphanumeric character, + and must only contain lowercase alphanumeric + characters, '-' or '.' + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + required: + - certificateAuthority + type: object + tokenEndpoint: + description: |- + tokenEndpoint is a required URL to query for an access token using + the client credential OAuth2 flow. + tokenEndpoint must be at least 1 character in length and must not exceed 2048 characters in length. + tokenEndpoint must be a valid HTTPS URL. + tokenEndpoint must have a host and a path. + tokenEndpoint must not contain query parameters, fragments, + or user information (e.g., "user:password@host"). + maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: tokenEndpoint must be a valid HTTPS + url + rule: isURL(self) + - message: tokenEndpoint must be a valid HTTPS + url + rule: isURL(self) && url(self).getScheme() == + 'https' + - message: tokenEndpoint must have a hostname + rule: isURL(self) && url(self).getHost() != + '' + - message: tokenEndpoint must have a path + rule: isURL(self) && url(self).getEscapedPath() + != '' + - message: tokenEndpoint must not have query parameters + rule: isURL(self) && url(self).getQuery() == + {} + - message: tokenEndpoint must not have a fragment + rule: self.find('#(.+)$') == '' + - message: tokenEndpoint must not have user info + rule: self.find('@') == '' + required: + - clientID + - clientSecret + - tokenEndpoint + type: object + type: + description: |- + type is a required field that sets the type of + authentication method used by the authenticator + when fetching external claims. + + Allowed values are 'RequestProvidedToken' and 'ClientCredential'. + + When set to 'RequestProvidedToken', the authenticator will + use the token provided to the kube-apiserver as part of the + request to authenticate with the external claims source. + + When set to 'ClientCredential', the authenticator will + use the configured client-id, client-secret, and token endpoint + to fetch an access token using the OAuth2 client credentials grant + flow. The fetched access token will then be used to authenticate + with the external claims source. + enum: + - RequestProvidedToken + - ClientCredential + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: clientCredential is required when type is ClientCredential, + and forbidden otherwise + rule: 'self.type == ''ClientCredential'' ? has(self.clientCredential) + : !has(self.clientCredential)' + mappings: + description: |- + mappings is a required list of the claim + and response handling expression pairs + that produces the claims from the external source. + mappings must have at least 1 entry and must not exceed 16 entries. + Entries must have a unique name across all external claim sources. + items: + description: |- + SourcedClaimMapping configures the mapping behavior for a single external claim + from the response the apiserver received from the external claim source. + properties: + expression: + description: |- + expression is a required CEL expression that + will produce a value to be assigned to the claim. + The full response body from the request to the + external claim source is provided via the + `response` variable. + expression must be at least 1 character and must not exceed 1024 characters in length. + maxLength: 1024 + minLength: 1 + type: string + name: + description: |- + name is a required name of the claim that + will be produced and made available during + the claim-to-identity mapping process. + name must consist of only lowercase alpha characters and underscores ('_'). + name must be at least 1 character and must not exceed 256 characters in length. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must consist of only lowercase alpha + characters and underscores + rule: self.matches('^[a-z_]+$') + required: + - expression + - name + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + predicates: + description: |- + predicates is an optional list of constraints in + which claims should attempt to be fetched from this + external source. + + When omitted or empty, claims are always attempted to be fetched + from this external source. + + When specified, all predicates must evaluate to 'true' + before claims are attempted to be fetched from this external source. + + predicates must not exceed 16 entries. + Entries must have unique expressions. + items: + description: |- + ExternalSourcePredicate configures a singular condition + that must return true before the external source is queried + to retrieve external claims. + properties: + expression: + description: |- + expression is a required CEL expression that + is used to determine whether or not an external + source should be used to fetch external claims. + + The expression must return a boolean value, + where true means that the source should be consulted + and false means that it should not. + + Claims from the token used for the request to the kube-apiserver + are made available via the `claims` variable. + + expression must be at least 1 character and must not exceed 1024 characters in length. + maxLength: 1024 + minLength: 1 + type: string + required: + - expression + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - expression + x-kubernetes-list-type: map + tls: + description: |- + tls is an optional field that configures the http client TLS + settings when fetching external claims from this source. + + When omitted, system default TLS settings will be used + for fetching claims from the external source. + properties: + certificateAuthority: + description: |- + certificateAuthority is a required reference to a ConfigMap in the openshift-config + namespace that contains the CA certificate to use to validate TLS connections with the external claims source. + properties: + name: + description: |- + name is the required name of the ConfigMap that exists in the openshift-config namespace. + + It must be at least 1 character in length, must not exceed 253 characters in length, + must start and end with a lowercase alphanumeric character, and must only contain + lowercase alphanumeric characters, '-' or '.'. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must start and end with a lowercase + alphanumeric character, and must only contain + lowercase alphanumeric characters, '-' or + '.' + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - name + type: object + required: + - certificateAuthority + type: object + url: + description: |- + url is a required configuration of the URL + for which the external claims are located. + properties: + hostname: + description: |- + hostname is a required hostname for which the external claims are located. + + It must be a valid DNS subdomain name as per RFC1123. + + This means that it must start and end with a lowercase alphanumeric character, + must only consist of lowercase alphanumeric characters, '-', and '.'. + hostname must be at least 1 character in length and must not exceed 253 characters in length. + hostname may optionally specify a port in the format ':{port}'. + If a port is specified it must not exceed 65535. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: hostname must be a valid hostname + rule: isURL('https://'+self) + - message: hostname before port must start and end + with a lowercase alphanumeric character, and must + only contain lowercase alphanumeric characters, + '-' or '.' + rule: '!format.dns1123Subdomain().validate(self.split('':'')[0]).hasValue()' + - message: port must not exceed 65535 + rule: 'self.split('':'').size() > 1 ? int(self.split('':'')[1]) + <= 65535 : true' + pathExpression: + description: |- + pathExpression is a required CEL expression that returns a list + of string values used to construct the URL path. + Claims from the token used for the request to the kube-apiserver + are made available via the `claims` variable. + expression must be at least 1 character in length and must not exceed 1024 characters in length. + + Values in the returned list will be joined with the hostname using a forward slash + (`/`) as a separator. Values in the returned list do not need to include the forward slash. + maxLength: 1024 + minLength: 1 + type: string + required: + - hostname + - pathExpression + type: object + required: + - mappings + - url + type: object + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-type: atomic issuer: description: issuer is a required field that configures how the platform interacts with the identity provider and how