From 37585b3aaa945ff90815e2c91fac9818c41e7ff4 Mon Sep 17 00:00:00 2001 From: Shaza Aldawamneh Date: Thu, 14 May 2026 15:48:36 +0100 Subject: [PATCH] Promote ExternalOIDCWithUpstreamParity to Default feature set 
Signed-off-by: Shaza Aldawamneh --- ...erator_01_authentications-Default.crd.yaml | 825 --------------- ...thentications-DevPreviewNoUpgrade.crd.yaml | 960 ------------------ ...g-operator_01_authentications-OKD.crd.yaml | 825 --------------- ...hentications-TechPreviewNoUpgrade.crd.yaml | 960 ------------------ ...nfig-operator_01_authentications.crd.yaml} | 1 - features.md | 2 +- features/features.go | 14 +- openapi/openapi.json | 29 +- ...erator_01_authentications-Default.crd.yaml | 825 --------------- ...thentications-DevPreviewNoUpgrade.crd.yaml | 960 ------------------ ...g-operator_01_authentications-OKD.crd.yaml | 825 --------------- ...hentications-TechPreviewNoUpgrade.crd.yaml | 960 ------------------ ...nfig-operator_01_authentications.crd.yaml} | 1 - .../featureGate-4-10-Hypershift-Default.yaml | 6 +- .../featureGate-4-10-Hypershift-OKD.yaml | 6 +- ...eatureGate-4-10-SelfManagedHA-Default.yaml | 6 +- .../featureGate-4-10-SelfManagedHA-OKD.yaml | 6 +- 17 files changed, 46 insertions(+), 7165 deletions(-) delete mode 100644 config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml delete mode 100644 config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml delete mode 100644 config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml delete mode 100644 config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml rename config/v1/zz_generated.crd-manifests/{0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml => 0000_10_config-operator_01_authentications.crd.yaml} (99%) delete mode 100644 payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml delete mode 100644 payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml delete mode 100644 
payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml
delete mode 100644 payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml
rename payload-manifests/crds/{0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml => 0000_10_config-operator_01_authentications.crd.yaml} (99%)
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml
deleted file mode 100644
index 5e6be8db9f1..00000000000
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml
+++ /dev/null
@@ -1,825 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/470 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/bootstrap-required: "true" - release.openshift.io/feature-set: Default - name: authentications.config.openshift.io -spec: - group: config.openshift.io - names: - kind: Authentication - listKind: AuthenticationList - plural: authentications - singular: authentication - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). The canonical name of an instance is `cluster`. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. - This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcProviders: - description: |- - oidcProviders are OIDC identity providers that can issue tokens for this cluster - Can only be set if "Type" is set to "OIDC". - - At most one provider can be configured. - items: - properties: - claimMappings: - description: claimMappings is a required field that configures - the rules to be used by the Kubernetes API server for translating - claims in a JWT token, issued by the identity provider, to - a cluster identity. - properties: - extra: - description: |- - extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. - When omitted, no extra attributes will be present on the cluster identity. - - key values for extra mappings must be unique. - A maximum of 32 extra attribute mappings may be provided. 
- items: - description: |- - ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. - It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token. - properties: - key: - description: |- - key is a required field that specifies the string to use as the extra attribute key. - - key must be a domain-prefix path (e.g 'example.org/foo'). - key must not exceed 510 characters in length. - key must contain the '/' character, separating the domain and path characters. - key must not be empty. - - The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. - It must not exceed 253 characters in length. - It must start and end with an alphanumeric character. - It must only contain lower case alphanumeric characters and '-' or '.'. - It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. - It must not exceed 256 characters in length. 
- maxLength: 510 - minLength: 1 - type: string - x-kubernetes-validations: - - message: key must contain the '/' character - rule: self.contains('/') - - message: the domain of the key must consist of only - lower case alphanumeric characters, '-' or '.', - and must start and end with an alphanumeric character - rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - - message: the domain of the key must not exceed 253 - characters in length - rule: self.split('/', 2)[0].size() <= 253 - - message: the domain 'kubernetes.io' is reserved - for Kubernetes use - rule: self.split('/', 2)[0] != 'kubernetes.io' - - message: the subdomains '*.kubernetes.io' are reserved - for Kubernetes use - rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' - - message: the domain 'k8s.io' is reserved for Kubernetes - use - rule: self.split('/', 2)[0] != 'k8s.io' - - message: the subdomains '*.k8s.io' are reserved - for Kubernetes use - rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' - - message: the domain 'openshift.io' is reserved for - OpenShift use - rule: self.split('/', 2)[0] != 'openshift.io' - - message: the subdomains '*.openshift.io' are reserved - for OpenShift use - rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' - - message: the path of the key must not be empty and - must consist of at least one alphanumeric character, - percent-encoded octets, apostrophe, '-', '.', - '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', - ';', '=', and ':' - rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') - - message: the path of the key must not exceed 256 - characters in length - rule: self.split('/', 2)[1].size() <= 256 - valueExpression: - description: |- - valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. - valueExpression must produce a string or string array value. 
- "", [], and null are treated as the extra mapping not being present. - Empty string values within an array are filtered out. - - CEL expressions have access to the token claims through a CEL variable, 'claims'. - 'claims' is a map of claim names to claim values. - For example, the 'sub' claim value can be accessed as 'claims.sub'. - Nested claims can be accessed using dot notation ('claims.foo.bar'). - - valueExpression must not exceed 1024 characters in length. - valueExpression must not be empty. - maxLength: 1024 - minLength: 1 - type: string - required: - - key - - valueExpression - type: object - maxItems: 32 - type: array - x-kubernetes-list-map-keys: - - key - x-kubernetes-list-type: map - groups: - description: |- - groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. - - When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). - - For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. - properties: - claim: - description: |- - claim is an optional field for specifying the JWT token claim that is used in the mapping. - The value of this claim will be assigned to the field in which this mapping is associated. - claim must not exceed 256 characters in length. - When set to the empty string `""`, this means that no named claim should be used for the group mapping. - claim is required when the ExternalOIDCWithUpstreamParity feature gate is not enabled. - maxLength: 256 - type: string - prefix: - description: |- - prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. - - When omitted or set to an empty string (""), no prefix is applied to the cluster identity attribute. 
- Must not be set to a non-empty value when expression is set. - - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". - type: string - type: object - x-kubernetes-validations: - - message: claim is required - rule: has(self.claim) - uid: - description: |- - uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. - - When using uid.claim to specify the claim it must be a single string value. - When using uid.expression the expression must result in a single string value. - - When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. - - The current default is to use the 'sub' claim. - properties: - claim: - description: |- - claim is an optional field for specifying the JWT token claim that is used in the mapping. - The value of this claim will be assigned to the field in which this mapping is associated. - - Precisely one of claim or expression must be set. - claim must not be specified when expression is set. - When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - expression: - description: |- - expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. - - CEL expressions have access to the token claims through a CEL variable, 'claims'. - 'claims' is a map of claim names to claim values. - For example, the 'sub' claim value can be accessed as 'claims.sub'. - Nested claims can be accessed using dot notation ('claims.foo.bar'). - - Precisely one of claim or expression must be set. - expression must not be specified when claim is set. 
- When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. - maxLength: 1024 - minLength: 1 - type: string - type: object - x-kubernetes-validations: - - message: precisely one of claim or expression must be - set - rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' - username: - description: username is a required field that configures - how the username of a cluster identity should be constructed - from the claims in a JWT token issued by the identity - provider. - properties: - claim: - description: |- - claim is an optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. - claim is required when the ExternalOIDCWithUpstreamParity feature gate is not enabled. - When the ExternalOIDCWithUpstreamParity feature gate is enabled, claim must not be set when expression is set. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 - type: string - prefix: - description: |- - prefix configures the prefix that should be prepended to the value of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. - properties: - prefixString: - description: |- - prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). - minLength: 1 - type: string - required: - - prefixString - type: object - prefixPolicy: - description: |- - prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). 
- - When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - Must not be set to 'Prefix' when expression is set. - When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. - When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. - - As an example, consider the following scenario: - - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" - enum: - - "" - - NoPrefix - - Prefix - type: string - type: object - x-kubernetes-validations: - - message: claim is required - rule: has(self.claim) - - message: prefix must be set if prefixPolicy is 'Prefix', - but must remain unset otherwise - rule: 'has(self.prefixPolicy) && self.prefixPolicy == - ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) - > 0) : !has(self.prefix)' - required: - - username - type: object - claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. - - Validation rules are joined via an AND operation. - items: - description: |- - TokenClaimValidationRule represents a validation rule based on token claims. - If type is RequiredClaim, requiredClaim must be set. - If Type is CEL, CEL must be set and RequiredClaim must be omitted. - properties: - requiredClaim: - description: |- - requiredClaim allows configuring a required claim name and its expected value. 
- This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. - The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. - properties: - claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). - minLength: 1 - type: string - requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token will be rejected for authentication. - - requiredValue must not be an empty string (""). - minLength: 1 - type: string - required: - - claim - - requiredValue - type: object - type: - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are "RequiredClaim" and "CEL". - - When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. - - When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. - enum: - - RequiredClaim - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: requiredClaim must be set when type is 'RequiredClaim', - and forbidden otherwise - rule: 'has(self.type) && self.type == ''RequiredClaim'' - ? has(self.requiredClaim) : !has(self.requiredClaim)' - type: array - x-kubernetes-list-type: atomic - issuer: - description: issuer is a required field that configures how - the platform interacts with the identity provider and how - tokens issued from the identity provider are evaluated by - the Kubernetes API server. 
- properties: - audiences: - description: |- - audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. - - audiences must contain at least one entry and must not exceed ten entries. - items: - minLength: 1 - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: set - issuerCertificateAuthority: - description: |- - issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - issuerURL: - description: |- - issuerURL is a required field that configures the URL used to issue tokens by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. 
- maxLength: 512 - minLength: 1 - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' - required: - - audiences - - issuerURL - type: object - name: - description: |- - name is a required field that configures the unique human-readable identifier associated with the identity provider. - It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). - minLength: 1 - type: string - oidcClients: - description: |- - oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. - items: - description: OIDCClientConfig configures how platform clients - interact with identity providers as an authentication method. - properties: - clientID: - description: |- - clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. - The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). - minLength: 1 - type: string - clientSecret: - description: |- - clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. 
- - When not specified, no client secret will be used when making authentication requests to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - componentName: - description: |- - componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. - - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. - - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. - maxLength: 63 - minLength: 1 - type: string - extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. - This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. 
- items: - type: string - type: array - x-kubernetes-list-type: set - required: - - clientID - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - required: - - claimMappings - - issuer - - name - type: object - maxItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - enum: - - "" - - None - - IntegratedOAuth - - OIDC - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. 
- - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting it - has no effect. - items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - status: - description: status holds observed values from the cluster. They may not - be overridden. - properties: - integratedOAuthMetadata: - description: |- - integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for the in-cluster integrated OAuth server. 
- This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - This contains the observed value based on cluster state. - An explicitly set value in spec.oauthMetadata has precedence over this field. - This field has no meaning if authentication spec.type is not set to IntegratedOAuth. - The key "oauthMetadata" is used to locate the data. - If the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config-managed. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcClients: - description: oidcClients is where participating operators place the - current OIDC client status for OIDC clients that can be customized - by the cluster-admin. - items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. - properties: - componentName: - description: |- - componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. - - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
- maxLength: 63 - minLength: 1 - type: string - conditions: - description: |- - conditions are used to communicate the state of the `oidcClients` entry. - - Supported conditions include Available, Degraded and Progressing. - - If Available is true, the component is successfully using the configured client. - If Degraded is true, that means something has gone wrong trying to handle the client configuration. - If Progressing is true, that means the component is taking some action related to the `oidcClients` entry. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. 
- maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - consumingUsers: - description: |- - consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. - items: - description: ConsumingUser is an alias for string which we - add validation to. Currently only service accounts are supported. - maxLength: 512 - minLength: 1 - pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - maxItems: 5 - type: array - x-kubernetes-list-type: set - currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - - Entries must have unique issuerURL/clientID pairs. - items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. - properties: - clientID: - description: |- - clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. - - clientID must not be empty. - minLength: 1 - type: string - issuerURL: - description: |- - issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. 
- - issuerURL must use the 'https' scheme. - pattern: ^https:\/\/[^\s] - type: string - oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). - minLength: 1 - type: string - required: - - clientID - - issuerURL - - oidcProviderName - type: object - type: array - x-kubernetes-list-map-keys: - - issuerURL - - clientID - x-kubernetes-list-type: map - required: - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - x-kubernetes-validations: - - message: all oidcClients in the oidcProviders must match their componentName - and componentNamespace to either a previously configured oidcClient or - they must exist in the status.oidcClients - rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) - || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace - == specC.componentNamespace && statusC.componentName == specC.componentName) - || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, - oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, - oldC.componentNamespace == specC.componentNamespace && oldC.componentName - == specC.componentName)))))' - served: true - storage: true - subresources: - status: {} diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml deleted file mode 100644 index bf116984ffd..00000000000 
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml +++ /dev/null 
@@ -1,960 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/470 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/bootstrap-required: "true" - release.openshift.io/feature-set: DevPreviewNoUpgrade - name: authentications.config.openshift.io -spec: - group: config.openshift.io - names: - kind: Authentication - listKind: AuthenticationList - plural: authentications - singular: authentication - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). The canonical name of an instance is `cluster`. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. - This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcProviders: - description: |- - oidcProviders are OIDC identity providers that can issue tokens for this cluster - Can only be set if "Type" is set to "OIDC". - - At most one provider can be configured. - items: - properties: - claimMappings: - description: claimMappings is a required field that configures - the rules to be used by the Kubernetes API server for translating - claims in a JWT token, issued by the identity provider, to - a cluster identity. - properties: - extra: - description: |- - extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. - When omitted, no extra attributes will be present on the cluster identity. - - key values for extra mappings must be unique. - A maximum of 32 extra attribute mappings may be provided. 
- items: - description: |- - ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. - It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token. - properties: - key: - description: |- - key is a required field that specifies the string to use as the extra attribute key. - - key must be a domain-prefix path (e.g 'example.org/foo'). - key must not exceed 510 characters in length. - key must contain the '/' character, separating the domain and path characters. - key must not be empty. - - The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. - It must not exceed 253 characters in length. - It must start and end with an alphanumeric character. - It must only contain lower case alphanumeric characters and '-' or '.'. - It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. - It must not exceed 256 characters in length. 
- maxLength: 510 - minLength: 1 - type: string - x-kubernetes-validations: - - message: key must contain the '/' character - rule: self.contains('/') - - message: the domain of the key must consist of only - lower case alphanumeric characters, '-' or '.', - and must start and end with an alphanumeric character - rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - - message: the domain of the key must not exceed 253 - characters in length - rule: self.split('/', 2)[0].size() <= 253 - - message: the domain 'kubernetes.io' is reserved - for Kubernetes use - rule: self.split('/', 2)[0] != 'kubernetes.io' - - message: the subdomains '*.kubernetes.io' are reserved - for Kubernetes use - rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' - - message: the domain 'k8s.io' is reserved for Kubernetes - use - rule: self.split('/', 2)[0] != 'k8s.io' - - message: the subdomains '*.k8s.io' are reserved - for Kubernetes use - rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' - - message: the domain 'openshift.io' is reserved for - OpenShift use - rule: self.split('/', 2)[0] != 'openshift.io' - - message: the subdomains '*.openshift.io' are reserved - for OpenShift use - rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' - - message: the path of the key must not be empty and - must consist of at least one alphanumeric character, - percent-encoded octets, apostrophe, '-', '.', - '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', - ';', '=', and ':' - rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') - - message: the path of the key must not exceed 256 - characters in length - rule: self.split('/', 2)[1].size() <= 256 - valueExpression: - description: |- - valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. - valueExpression must produce a string or string array value. 
- "", [], and null are treated as the extra mapping not being present. - Empty string values within an array are filtered out. - - CEL expressions have access to the token claims through a CEL variable, 'claims'. - 'claims' is a map of claim names to claim values. - For example, the 'sub' claim value can be accessed as 'claims.sub'. - Nested claims can be accessed using dot notation ('claims.foo.bar'). - - valueExpression must not exceed 1024 characters in length. - valueExpression must not be empty. - maxLength: 1024 - minLength: 1 - type: string - required: - - key - - valueExpression - type: object - maxItems: 32 - type: array - x-kubernetes-list-map-keys: - - key - x-kubernetes-list-type: map - groups: - description: |- - groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. - - When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). - - For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. - properties: - claim: - description: |- - claim is an optional field for specifying the JWT token claim that is used in the mapping. - The value of this claim will be assigned to the field in which this mapping is associated. - claim must not exceed 256 characters in length. - When set to the empty string `""`, this means that no named claim should be used for the group mapping. - claim is required when the ExternalOIDCWithUpstreamParity feature gate is not enabled. - maxLength: 256 - type: string - expression: - description: |- - expression is an optional CEL expression used to derive - group values from JWT claims. - - CEL expressions have access to the token claims through a CEL variable, 'claims'. - - expression must be at least 1 character and must not exceed 1024 characters in length . 
- - When specified, claim must not be set or be explicitly set to the empty string (`""`). - maxLength: 1024 - minLength: 1 - type: string - prefix: - description: |- - prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. - - When omitted or set to an empty string (""), no prefix is applied to the cluster identity attribute. - Must not be set to a non-empty value when expression is set. - - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". - type: string - type: object - x-kubernetes-validations: - - message: prefix must not be set to a non-empty value when - expression is set - rule: 'has(self.expression) && size(self.expression) > - 0 ? (!has(self.prefix) || size(self.prefix) == 0) : - true' - - message: expression must not be set if claim is specified - and is not an empty string - rule: '(size(self.?claim.orValue("")) > 0) ? !has(self.expression) - : true' - uid: - description: |- - uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. - - When using uid.claim to specify the claim it must be a single string value. - When using uid.expression the expression must result in a single string value. - - When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. - - The current default is to use the 'sub' claim. - properties: - claim: - description: |- - claim is an optional field for specifying the JWT token claim that is used in the mapping. - The value of this claim will be assigned to the field in which this mapping is associated. - - Precisely one of claim or expression must be set. - claim must not be specified when expression is set. 
- When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - expression: - description: |- - expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. - - CEL expressions have access to the token claims through a CEL variable, 'claims'. - 'claims' is a map of claim names to claim values. - For example, the 'sub' claim value can be accessed as 'claims.sub'. - Nested claims can be accessed using dot notation ('claims.foo.bar'). - - Precisely one of claim or expression must be set. - expression must not be specified when claim is set. - When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. - maxLength: 1024 - minLength: 1 - type: string - type: object - x-kubernetes-validations: - - message: precisely one of claim or expression must be - set - rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' - username: - description: username is a required field that configures - how the username of a cluster identity should be constructed - from the claims in a JWT token issued by the identity - provider. - properties: - claim: - description: |- - claim is an optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. - claim is required when the ExternalOIDCWithUpstreamParity feature gate is not enabled. - When the ExternalOIDCWithUpstreamParity feature gate is enabled, claim must not be set when expression is set. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 - type: string - expression: - description: |- - expression is an optional CEL expression used to derive - the username from JWT claims. - - CEL expressions have access to the token claims - through a CEL variable, 'claims'. 
- - expression must be at least 1 character and must not exceed 1024 characters in length. - expression must not be set when claim is set. - maxLength: 1024 - minLength: 1 - type: string - prefix: - description: |- - prefix configures the prefix that should be prepended to the value of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. - properties: - prefixString: - description: |- - prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). - minLength: 1 - type: string - required: - - prefixString - type: object - prefixPolicy: - description: |- - prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - - When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - Must not be set to 'Prefix' when expression is set. - When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. - When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. 
- - As an example, consider the following scenario: - - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" - enum: - - "" - - NoPrefix - - Prefix - type: string - type: object - x-kubernetes-validations: - - message: precisely one of claim or expression must be - set - rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' - - message: prefixPolicy must not be set to 'Prefix' when - expression is set - rule: 'has(self.expression) && size(self.expression) > - 0 ? !has(self.prefixPolicy) || self.prefixPolicy != - ''Prefix'' : true' - - message: prefix must be set if prefixPolicy is 'Prefix', - but must remain unset otherwise - rule: 'has(self.prefixPolicy) && self.prefixPolicy == - ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) - > 0) : !has(self.prefix)' - required: - - username - type: object - claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. - - Validation rules are joined via an AND operation. - items: - description: |- - TokenClaimValidationRule represents a validation rule based on token claims. - If type is RequiredClaim, requiredClaim must be set. - If Type is CEL, CEL must be set and RequiredClaim must be omitted. - properties: - cel: - description: |- - cel holds the CEL expression and message for validation. - Must be set when Type is "CEL", and forbidden otherwise. - properties: - expression: - description: |- - expression is a CEL expression evaluated against token claims. - expression is required, must be at least 1 character in length and must not exceed 1024 characters. 
- The expression must return a boolean value where 'true' signals a valid token and 'false' an invalid one. - maxLength: 1024 - minLength: 1 - type: string - message: - description: |- - message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. - message must be at least 1 character in length and must not exceed 256 characters. - maxLength: 256 - minLength: 1 - type: string - required: - - expression - - message - type: object - requiredClaim: - description: |- - requiredClaim allows configuring a required claim name and its expected value. - This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. - The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. - properties: - claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). - minLength: 1 - type: string - requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token will be rejected for authentication. - - requiredValue must not be an empty string (""). - minLength: 1 - type: string - required: - - claim - - requiredValue - type: object - type: - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are "RequiredClaim" and "CEL". - - When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. - - When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. 
- enum: - - RequiredClaim - - CEL - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: cel must be set when type is 'CEL', and forbidden - otherwise - rule: 'has(self.type) && self.type == ''CEL'' ? has(self.cel) - : !has(self.cel)' - - message: requiredClaim must be set when type is 'RequiredClaim', - and forbidden otherwise - rule: 'has(self.type) && self.type == ''RequiredClaim'' - ? has(self.requiredClaim) : !has(self.requiredClaim)' - type: array - x-kubernetes-list-type: atomic - issuer: - description: issuer is a required field that configures how - the platform interacts with the identity provider and how - tokens issued from the identity provider are evaluated by - the Kubernetes API server. - properties: - audiences: - description: |- - audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. - - audiences must contain at least one entry and must not exceed ten entries. - items: - minLength: 1 - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: set - discoveryURL: - description: |- - discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. - By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". - - The discoveryURL must be a valid absolute HTTPS URL. - It must not contain query parameters, user information, or fragments. - Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). - The discoveryURL value must be at least 1 character long and no longer than 2048 characters. 
- maxLength: 2048 - minLength: 1 - type: string - x-kubernetes-validations: - - message: discoveryURL must be a valid URL - rule: isURL(self) - - message: discoveryURL must be a valid https URL - rule: url(self).getScheme() == 'https' - - message: discoveryURL must not contain query parameters - rule: url(self).getQuery().size() == 0 - - message: discoveryURL must not contain fragments - rule: self.matches('^[^#]*$') - - message: discoveryURL must not contain user info - rule: '!self.matches(''^https://.+:.+@.+/.*$'')' - issuerCertificateAuthority: - description: |- - issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - issuerURL: - description: |- - issuerURL is a required field that configures the URL used to issue tokens by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. 
- maxLength: 512 - minLength: 1 - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' - required: - - audiences - - issuerURL - type: object - x-kubernetes-validations: - - message: discoveryURL must be different from issuerURL - rule: 'self.?discoveryURL.orValue("").size() > 0 ? (self.issuerURL.size() - == 0 || self.discoveryURL.find(''^.+[^/]'') != self.issuerURL.find(''^.+[^/]'')) - : true' - name: - description: |- - name is a required field that configures the unique human-readable identifier associated with the identity provider. - It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). - minLength: 1 - type: string - oidcClients: - description: |- - oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. - items: - description: OIDCClientConfig configures how platform clients - interact with identity providers as an authentication method. - properties: - clientID: - description: |- - clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. - The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). 
- minLength: 1 - type: string - clientSecret: - description: |- - clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. - - When not specified, no client secret will be used when making authentication requests to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - componentName: - description: |- - componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. - - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. - - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. - maxLength: 63 - minLength: 1 - type: string - extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. 
- This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. - items: - type: string - type: array - x-kubernetes-list-type: set - required: - - clientID - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - userValidationRules: - description: |- - userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. - Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. - If any rule in the chain of rules evaluates to 'false', authentication will fail. - When specified, at least one rule must be specified and no more than 64 rules may be specified. - items: - description: |- - TokenUserValidationRule provides a CEL-based rule used to validate a token subject. - Each rule contains a CEL expression that is evaluated against the token’s claims. - properties: - expression: - description: |- - expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc. - - The expression must evaluate to a boolean value. - When the expression evaluates to 'true', the cluster user identity is considered valid. - When the expression evaluates to 'false', the cluster user identity is not considered valid. - expression must be at least 1 character in length and must not exceed 1024 characters. - maxLength: 1024 - minLength: 1 - type: string - message: - description: |- - message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. - message must be at least 1 character in length and must not exceed 256 characters. 
- maxLength: 256 - minLength: 1 - type: string - required: - - expression - - message - type: object - maxItems: 64 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - expression - x-kubernetes-list-type: map - required: - - claimMappings - - issuer - - name - type: object - maxItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - enum: - - "" - - None - - IntegratedOAuth - - OIDC - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. 
- - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting it - has no effect. - items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - status: - description: status holds observed values from the cluster. They may not - be overridden. - properties: - integratedOAuthMetadata: - description: |- - integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for the in-cluster integrated OAuth server. 
- This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - This contains the observed value based on cluster state. - An explicitly set value in spec.oauthMetadata has precedence over this field. - This field has no meaning if authentication spec.type is not set to IntegratedOAuth. - The key "oauthMetadata" is used to locate the data. - If the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config-managed. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcClients: - description: oidcClients is where participating operators place the - current OIDC client status for OIDC clients that can be customized - by the cluster-admin. - items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. - properties: - componentName: - description: |- - componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. - - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
- maxLength: 63 - minLength: 1 - type: string - conditions: - description: |- - conditions are used to communicate the state of the `oidcClients` entry. - - Supported conditions include Available, Degraded and Progressing. - - If Available is true, the component is successfully using the configured client. - If Degraded is true, that means something has gone wrong trying to handle the client configuration. - If Progressing is true, that means the component is taking some action related to the `oidcClients` entry. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. 
- maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - consumingUsers: - description: |- - consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. - items: - description: ConsumingUser is an alias for string which we - add validation to. Currently only service accounts are supported. - maxLength: 512 - minLength: 1 - pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - maxItems: 5 - type: array - x-kubernetes-list-type: set - currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - - Entries must have unique issuerURL/clientID pairs. - items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. - properties: - clientID: - description: |- - clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. - - clientID must not be empty. - minLength: 1 - type: string - issuerURL: - description: |- - issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. 
- - issuerURL must use the 'https' scheme. - pattern: ^https:\/\/[^\s] - type: string - oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). - minLength: 1 - type: string - required: - - clientID - - issuerURL - - oidcProviderName - type: object - type: array - x-kubernetes-list-map-keys: - - issuerURL - - clientID - x-kubernetes-list-type: map - required: - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - x-kubernetes-validations: - - message: all oidcClients in the oidcProviders must match their componentName - and componentNamespace to either a previously configured oidcClient or - they must exist in the status.oidcClients - rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) - || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace - == specC.componentNamespace && statusC.componentName == specC.componentName) - || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, - oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, - oldC.componentNamespace == specC.componentNamespace && oldC.componentName - == specC.componentName)))))' - served: true - storage: true - subresources: - status: {} diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml deleted file mode 100644 index dcfe61e693b..00000000000 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml +++ /dev/null 
@@ -1,825 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/470 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/bootstrap-required: "true" - release.openshift.io/feature-set: OKD - name: authentications.config.openshift.io -spec: - group: config.openshift.io - names: - kind: Authentication - listKind: AuthenticationList - plural: authentications - singular: authentication - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). The canonical name of an instance is `cluster`. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. - This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcProviders: - description: |- - oidcProviders are OIDC identity providers that can issue tokens for this cluster - Can only be set if "Type" is set to "OIDC". - - At most one provider can be configured. - items: - properties: - claimMappings: - description: claimMappings is a required field that configures - the rules to be used by the Kubernetes API server for translating - claims in a JWT token, issued by the identity provider, to - a cluster identity. - properties: - extra: - description: |- - extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. - When omitted, no extra attributes will be present on the cluster identity. - - key values for extra mappings must be unique. - A maximum of 32 extra attribute mappings may be provided. 
- items: - description: |- - ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. - It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token. - properties: - key: - description: |- - key is a required field that specifies the string to use as the extra attribute key. - - key must be a domain-prefix path (e.g 'example.org/foo'). - key must not exceed 510 characters in length. - key must contain the '/' character, separating the domain and path characters. - key must not be empty. - - The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. - It must not exceed 253 characters in length. - It must start and end with an alphanumeric character. - It must only contain lower case alphanumeric characters and '-' or '.'. - It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. - It must not exceed 256 characters in length. 
- maxLength: 510 - minLength: 1 - type: string - x-kubernetes-validations: - - message: key must contain the '/' character - rule: self.contains('/') - - message: the domain of the key must consist of only - lower case alphanumeric characters, '-' or '.', - and must start and end with an alphanumeric character - rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - - message: the domain of the key must not exceed 253 - characters in length - rule: self.split('/', 2)[0].size() <= 253 - - message: the domain 'kubernetes.io' is reserved - for Kubernetes use - rule: self.split('/', 2)[0] != 'kubernetes.io' - - message: the subdomains '*.kubernetes.io' are reserved - for Kubernetes use - rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' - - message: the domain 'k8s.io' is reserved for Kubernetes - use - rule: self.split('/', 2)[0] != 'k8s.io' - - message: the subdomains '*.k8s.io' are reserved - for Kubernetes use - rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' - - message: the domain 'openshift.io' is reserved for - OpenShift use - rule: self.split('/', 2)[0] != 'openshift.io' - - message: the subdomains '*.openshift.io' are reserved - for OpenShift use - rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' - - message: the path of the key must not be empty and - must consist of at least one alphanumeric character, - percent-encoded octets, apostrophe, '-', '.', - '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', - ';', '=', and ':' - rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') - - message: the path of the key must not exceed 256 - characters in length - rule: self.split('/', 2)[1].size() <= 256 - valueExpression: - description: |- - valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. - valueExpression must produce a string or string array value. 
- "", [], and null are treated as the extra mapping not being present. - Empty string values within an array are filtered out. - - CEL expressions have access to the token claims through a CEL variable, 'claims'. - 'claims' is a map of claim names to claim values. - For example, the 'sub' claim value can be accessed as 'claims.sub'. - Nested claims can be accessed using dot notation ('claims.foo.bar'). - - valueExpression must not exceed 1024 characters in length. - valueExpression must not be empty. - maxLength: 1024 - minLength: 1 - type: string - required: - - key - - valueExpression - type: object - maxItems: 32 - type: array - x-kubernetes-list-map-keys: - - key - x-kubernetes-list-type: map - groups: - description: |- - groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. - - When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). - - For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. - properties: - claim: - description: |- - claim is an optional field for specifying the JWT token claim that is used in the mapping. - The value of this claim will be assigned to the field in which this mapping is associated. - claim must not exceed 256 characters in length. - When set to the empty string `""`, this means that no named claim should be used for the group mapping. - claim is required when the ExternalOIDCWithUpstreamParity feature gate is not enabled. - maxLength: 256 - type: string - prefix: - description: |- - prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. - - When omitted or set to an empty string (""), no prefix is applied to the cluster identity attribute. 
- Must not be set to a non-empty value when expression is set. - - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". - type: string - type: object - x-kubernetes-validations: - - message: claim is required - rule: has(self.claim) - uid: - description: |- - uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. - - When using uid.claim to specify the claim it must be a single string value. - When using uid.expression the expression must result in a single string value. - - When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. - - The current default is to use the 'sub' claim. - properties: - claim: - description: |- - claim is an optional field for specifying the JWT token claim that is used in the mapping. - The value of this claim will be assigned to the field in which this mapping is associated. - - Precisely one of claim or expression must be set. - claim must not be specified when expression is set. - When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - expression: - description: |- - expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. - - CEL expressions have access to the token claims through a CEL variable, 'claims'. - 'claims' is a map of claim names to claim values. - For example, the 'sub' claim value can be accessed as 'claims.sub'. - Nested claims can be accessed using dot notation ('claims.foo.bar'). - - Precisely one of claim or expression must be set. - expression must not be specified when claim is set. 
- When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. - maxLength: 1024 - minLength: 1 - type: string - type: object - x-kubernetes-validations: - - message: precisely one of claim or expression must be - set - rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' - username: - description: username is a required field that configures - how the username of a cluster identity should be constructed - from the claims in a JWT token issued by the identity - provider. - properties: - claim: - description: |- - claim is an optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. - claim is required when the ExternalOIDCWithUpstreamParity feature gate is not enabled. - When the ExternalOIDCWithUpstreamParity feature gate is enabled, claim must not be set when expression is set. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 - type: string - prefix: - description: |- - prefix configures the prefix that should be prepended to the value of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. - properties: - prefixString: - description: |- - prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). - minLength: 1 - type: string - required: - - prefixString - type: object - prefixPolicy: - description: |- - prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). 
- - When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - Must not be set to 'Prefix' when expression is set. - When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. - When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. - - As an example, consider the following scenario: - - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" - enum: - - "" - - NoPrefix - - Prefix - type: string - type: object - x-kubernetes-validations: - - message: claim is required - rule: has(self.claim) - - message: prefix must be set if prefixPolicy is 'Prefix', - but must remain unset otherwise - rule: 'has(self.prefixPolicy) && self.prefixPolicy == - ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) - > 0) : !has(self.prefix)' - required: - - username - type: object - claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. - - Validation rules are joined via an AND operation. - items: - description: |- - TokenClaimValidationRule represents a validation rule based on token claims. - If type is RequiredClaim, requiredClaim must be set. - If Type is CEL, CEL must be set and RequiredClaim must be omitted. - properties: - requiredClaim: - description: |- - requiredClaim allows configuring a required claim name and its expected value. 
- This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. - The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. - properties: - claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). - minLength: 1 - type: string - requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token will be rejected for authentication. - - requiredValue must not be an empty string (""). - minLength: 1 - type: string - required: - - claim - - requiredValue - type: object - type: - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are "RequiredClaim" and "CEL". - - When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. - - When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. - enum: - - RequiredClaim - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: requiredClaim must be set when type is 'RequiredClaim', - and forbidden otherwise - rule: 'has(self.type) && self.type == ''RequiredClaim'' - ? has(self.requiredClaim) : !has(self.requiredClaim)' - type: array - x-kubernetes-list-type: atomic - issuer: - description: issuer is a required field that configures how - the platform interacts with the identity provider and how - tokens issued from the identity provider are evaluated by - the Kubernetes API server. 
- properties: - audiences: - description: |- - audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. - - audiences must contain at least one entry and must not exceed ten entries. - items: - minLength: 1 - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: set - issuerCertificateAuthority: - description: |- - issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - issuerURL: - description: |- - issuerURL is a required field that configures the URL used to issue tokens by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. 
- maxLength: 512 - minLength: 1 - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' - required: - - audiences - - issuerURL - type: object - name: - description: |- - name is a required field that configures the unique human-readable identifier associated with the identity provider. - It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). - minLength: 1 - type: string - oidcClients: - description: |- - oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. - items: - description: OIDCClientConfig configures how platform clients - interact with identity providers as an authentication method. - properties: - clientID: - description: |- - clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. - The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). - minLength: 1 - type: string - clientSecret: - description: |- - clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. 
- - When not specified, no client secret will be used when making authentication requests to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - componentName: - description: |- - componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. - - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. - - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. - maxLength: 63 - minLength: 1 - type: string - extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. - This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. 
- items: - type: string - type: array - x-kubernetes-list-type: set - required: - - clientID - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - required: - - claimMappings - - issuer - - name - type: object - maxItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - enum: - - "" - - None - - IntegratedOAuth - - OIDC - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. 
- - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting it - has no effect. - items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - status: - description: status holds observed values from the cluster. They may not - be overridden. - properties: - integratedOAuthMetadata: - description: |- - integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for the in-cluster integrated OAuth server. 
- This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - This contains the observed value based on cluster state. - An explicitly set value in spec.oauthMetadata has precedence over this field. - This field has no meaning if authentication spec.type is not set to IntegratedOAuth. - The key "oauthMetadata" is used to locate the data. - If the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config-managed. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcClients: - description: oidcClients is where participating operators place the - current OIDC client status for OIDC clients that can be customized - by the cluster-admin. - items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. - properties: - componentName: - description: |- - componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. - - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
- maxLength: 63 - minLength: 1 - type: string - conditions: - description: |- - conditions are used to communicate the state of the `oidcClients` entry. - - Supported conditions include Available, Degraded and Progressing. - - If Available is true, the component is successfully using the configured client. - If Degraded is true, that means something has gone wrong trying to handle the client configuration. - If Progressing is true, that means the component is taking some action related to the `oidcClients` entry. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. 
- maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - consumingUsers: - description: |- - consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. - items: - description: ConsumingUser is an alias for string which we - add validation to. Currently only service accounts are supported. - maxLength: 512 - minLength: 1 - pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - maxItems: 5 - type: array - x-kubernetes-list-type: set - currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - - Entries must have unique issuerURL/clientID pairs. - items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. - properties: - clientID: - description: |- - clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. - - clientID must not be empty. - minLength: 1 - type: string - issuerURL: - description: |- - issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. 
- - issuerURL must use the 'https' scheme. - pattern: ^https:\/\/[^\s] - type: string - oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). - minLength: 1 - type: string - required: - - clientID - - issuerURL - - oidcProviderName - type: object - type: array - x-kubernetes-list-map-keys: - - issuerURL - - clientID - x-kubernetes-list-type: map - required: - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - x-kubernetes-validations: - - message: all oidcClients in the oidcProviders must match their componentName - and componentNamespace to either a previously configured oidcClient or - they must exist in the status.oidcClients - rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) - || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace - == specC.componentNamespace && statusC.componentName == specC.componentName) - || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, - oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, - oldC.componentNamespace == specC.componentNamespace && oldC.componentName - == specC.componentName)))))' - served: true - storage: true - subresources: - status: {} diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml deleted file mode 100644 index de0dd293a85..00000000000 
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml +++ /dev/null 
@@ -1,960 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/470 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/bootstrap-required: "true" - release.openshift.io/feature-set: TechPreviewNoUpgrade - name: authentications.config.openshift.io -spec: - group: config.openshift.io - names: - kind: Authentication - listKind: AuthenticationList - plural: authentications - singular: authentication - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). The canonical name of an instance is `cluster`. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. - This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcProviders: - description: |- - oidcProviders are OIDC identity providers that can issue tokens for this cluster - Can only be set if "Type" is set to "OIDC". - - At most one provider can be configured. - items: - properties: - claimMappings: - description: claimMappings is a required field that configures - the rules to be used by the Kubernetes API server for translating - claims in a JWT token, issued by the identity provider, to - a cluster identity. - properties: - extra: - description: |- - extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. - When omitted, no extra attributes will be present on the cluster identity. - - key values for extra mappings must be unique. - A maximum of 32 extra attribute mappings may be provided. 
- items: - description: |- - ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. - It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token. - properties: - key: - description: |- - key is a required field that specifies the string to use as the extra attribute key. - - key must be a domain-prefix path (e.g 'example.org/foo'). - key must not exceed 510 characters in length. - key must contain the '/' character, separating the domain and path characters. - key must not be empty. - - The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. - It must not exceed 253 characters in length. - It must start and end with an alphanumeric character. - It must only contain lower case alphanumeric characters and '-' or '.'. - It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. - It must not exceed 256 characters in length. 
- maxLength: 510 - minLength: 1 - type: string - x-kubernetes-validations: - - message: key must contain the '/' character - rule: self.contains('/') - - message: the domain of the key must consist of only - lower case alphanumeric characters, '-' or '.', - and must start and end with an alphanumeric character - rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - - message: the domain of the key must not exceed 253 - characters in length - rule: self.split('/', 2)[0].size() <= 253 - - message: the domain 'kubernetes.io' is reserved - for Kubernetes use - rule: self.split('/', 2)[0] != 'kubernetes.io' - - message: the subdomains '*.kubernetes.io' are reserved - for Kubernetes use - rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' - - message: the domain 'k8s.io' is reserved for Kubernetes - use - rule: self.split('/', 2)[0] != 'k8s.io' - - message: the subdomains '*.k8s.io' are reserved - for Kubernetes use - rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' - - message: the domain 'openshift.io' is reserved for - OpenShift use - rule: self.split('/', 2)[0] != 'openshift.io' - - message: the subdomains '*.openshift.io' are reserved - for OpenShift use - rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' - - message: the path of the key must not be empty and - must consist of at least one alphanumeric character, - percent-encoded octets, apostrophe, '-', '.', - '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', - ';', '=', and ':' - rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') - - message: the path of the key must not exceed 256 - characters in length - rule: self.split('/', 2)[1].size() <= 256 - valueExpression: - description: |- - valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. - valueExpression must produce a string or string array value. 
- "", [], and null are treated as the extra mapping not being present. - Empty string values within an array are filtered out. - - CEL expressions have access to the token claims through a CEL variable, 'claims'. - 'claims' is a map of claim names to claim values. - For example, the 'sub' claim value can be accessed as 'claims.sub'. - Nested claims can be accessed using dot notation ('claims.foo.bar'). - - valueExpression must not exceed 1024 characters in length. - valueExpression must not be empty. - maxLength: 1024 - minLength: 1 - type: string - required: - - key - - valueExpression - type: object - maxItems: 32 - type: array - x-kubernetes-list-map-keys: - - key - x-kubernetes-list-type: map - groups: - description: |- - groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. - - When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). - - For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. - properties: - claim: - description: |- - claim is an optional field for specifying the JWT token claim that is used in the mapping. - The value of this claim will be assigned to the field in which this mapping is associated. - claim must not exceed 256 characters in length. - When set to the empty string `""`, this means that no named claim should be used for the group mapping. - claim is required when the ExternalOIDCWithUpstreamParity feature gate is not enabled. - maxLength: 256 - type: string - expression: - description: |- - expression is an optional CEL expression used to derive - group values from JWT claims. - - CEL expressions have access to the token claims through a CEL variable, 'claims'. - - expression must be at least 1 character and must not exceed 1024 characters in length . 
- - When specified, claim must not be set or be explicitly set to the empty string (`""`). - maxLength: 1024 - minLength: 1 - type: string - prefix: - description: |- - prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. - - When omitted or set to an empty string (""), no prefix is applied to the cluster identity attribute. - Must not be set to a non-empty value when expression is set. - - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". - type: string - type: object - x-kubernetes-validations: - - message: prefix must not be set to a non-empty value when - expression is set - rule: 'has(self.expression) && size(self.expression) > - 0 ? (!has(self.prefix) || size(self.prefix) == 0) : - true' - - message: expression must not be set if claim is specified - and is not an empty string - rule: '(size(self.?claim.orValue("")) > 0) ? !has(self.expression) - : true' - uid: - description: |- - uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. - - When using uid.claim to specify the claim it must be a single string value. - When using uid.expression the expression must result in a single string value. - - When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. - - The current default is to use the 'sub' claim. - properties: - claim: - description: |- - claim is an optional field for specifying the JWT token claim that is used in the mapping. - The value of this claim will be assigned to the field in which this mapping is associated. - - Precisely one of claim or expression must be set. - claim must not be specified when expression is set. 
- When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - expression: - description: |- - expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. - - CEL expressions have access to the token claims through a CEL variable, 'claims'. - 'claims' is a map of claim names to claim values. - For example, the 'sub' claim value can be accessed as 'claims.sub'. - Nested claims can be accessed using dot notation ('claims.foo.bar'). - - Precisely one of claim or expression must be set. - expression must not be specified when claim is set. - When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. - maxLength: 1024 - minLength: 1 - type: string - type: object - x-kubernetes-validations: - - message: precisely one of claim or expression must be - set - rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' - username: - description: username is a required field that configures - how the username of a cluster identity should be constructed - from the claims in a JWT token issued by the identity - provider. - properties: - claim: - description: |- - claim is an optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. - claim is required when the ExternalOIDCWithUpstreamParity feature gate is not enabled. - When the ExternalOIDCWithUpstreamParity feature gate is enabled, claim must not be set when expression is set. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 - type: string - expression: - description: |- - expression is an optional CEL expression used to derive - the username from JWT claims. - - CEL expressions have access to the token claims - through a CEL variable, 'claims'. 
- - expression must be at least 1 character and must not exceed 1024 characters in length. - expression must not be set when claim is set. - maxLength: 1024 - minLength: 1 - type: string - prefix: - description: |- - prefix configures the prefix that should be prepended to the value of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. - properties: - prefixString: - description: |- - prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). - minLength: 1 - type: string - required: - - prefixString - type: object - prefixPolicy: - description: |- - prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - - When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - Must not be set to 'Prefix' when expression is set. - When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. - When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. 
- - As an example, consider the following scenario: - - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" - enum: - - "" - - NoPrefix - - Prefix - type: string - type: object - x-kubernetes-validations: - - message: precisely one of claim or expression must be - set - rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' - - message: prefixPolicy must not be set to 'Prefix' when - expression is set - rule: 'has(self.expression) && size(self.expression) > - 0 ? !has(self.prefixPolicy) || self.prefixPolicy != - ''Prefix'' : true' - - message: prefix must be set if prefixPolicy is 'Prefix', - but must remain unset otherwise - rule: 'has(self.prefixPolicy) && self.prefixPolicy == - ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) - > 0) : !has(self.prefix)' - required: - - username - type: object - claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. - - Validation rules are joined via an AND operation. - items: - description: |- - TokenClaimValidationRule represents a validation rule based on token claims. - If type is RequiredClaim, requiredClaim must be set. - If Type is CEL, CEL must be set and RequiredClaim must be omitted. - properties: - cel: - description: |- - cel holds the CEL expression and message for validation. - Must be set when Type is "CEL", and forbidden otherwise. - properties: - expression: - description: |- - expression is a CEL expression evaluated against token claims. - expression is required, must be at least 1 character in length and must not exceed 1024 characters. 
- The expression must return a boolean value where 'true' signals a valid token and 'false' an invalid one. - maxLength: 1024 - minLength: 1 - type: string - message: - description: |- - message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. - message must be at least 1 character in length and must not exceed 256 characters. - maxLength: 256 - minLength: 1 - type: string - required: - - expression - - message - type: object - requiredClaim: - description: |- - requiredClaim allows configuring a required claim name and its expected value. - This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. - The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. - properties: - claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). - minLength: 1 - type: string - requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token will be rejected for authentication. - - requiredValue must not be an empty string (""). - minLength: 1 - type: string - required: - - claim - - requiredValue - type: object - type: - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are "RequiredClaim" and "CEL". - - When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. - - When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. 
- enum: - - RequiredClaim - - CEL - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: cel must be set when type is 'CEL', and forbidden - otherwise - rule: 'has(self.type) && self.type == ''CEL'' ? has(self.cel) - : !has(self.cel)' - - message: requiredClaim must be set when type is 'RequiredClaim', - and forbidden otherwise - rule: 'has(self.type) && self.type == ''RequiredClaim'' - ? has(self.requiredClaim) : !has(self.requiredClaim)' - type: array - x-kubernetes-list-type: atomic - issuer: - description: issuer is a required field that configures how - the platform interacts with the identity provider and how - tokens issued from the identity provider are evaluated by - the Kubernetes API server. - properties: - audiences: - description: |- - audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. - - audiences must contain at least one entry and must not exceed ten entries. - items: - minLength: 1 - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: set - discoveryURL: - description: |- - discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. - By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". - - The discoveryURL must be a valid absolute HTTPS URL. - It must not contain query parameters, user information, or fragments. - Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). - The discoveryURL value must be at least 1 character long and no longer than 2048 characters. 
- maxLength: 2048 - minLength: 1 - type: string - x-kubernetes-validations: - - message: discoveryURL must be a valid URL - rule: isURL(self) - - message: discoveryURL must be a valid https URL - rule: url(self).getScheme() == 'https' - - message: discoveryURL must not contain query parameters - rule: url(self).getQuery().size() == 0 - - message: discoveryURL must not contain fragments - rule: self.matches('^[^#]*$') - - message: discoveryURL must not contain user info - rule: '!self.matches(''^https://.+:.+@.+/.*$'')' - issuerCertificateAuthority: - description: |- - issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - issuerURL: - description: |- - issuerURL is a required field that configures the URL used to issue tokens by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. 
- maxLength: 512 - minLength: 1 - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' - required: - - audiences - - issuerURL - type: object - x-kubernetes-validations: - - message: discoveryURL must be different from issuerURL - rule: 'self.?discoveryURL.orValue("").size() > 0 ? (self.issuerURL.size() - == 0 || self.discoveryURL.find(''^.+[^/]'') != self.issuerURL.find(''^.+[^/]'')) - : true' - name: - description: |- - name is a required field that configures the unique human-readable identifier associated with the identity provider. - It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). - minLength: 1 - type: string - oidcClients: - description: |- - oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. - items: - description: OIDCClientConfig configures how platform clients - interact with identity providers as an authentication method. - properties: - clientID: - description: |- - clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. - The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). 
- minLength: 1 - type: string - clientSecret: - description: |- - clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. - - When not specified, no client secret will be used when making authentication requests to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - componentName: - description: |- - componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. - - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. - - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. - maxLength: 63 - minLength: 1 - type: string - extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. 
- This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. - items: - type: string - type: array - x-kubernetes-list-type: set - required: - - clientID - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - userValidationRules: - description: |- - userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. - Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. - If any rule in the chain of rules evaluates to 'false', authentication will fail. - When specified, at least one rule must be specified and no more than 64 rules may be specified. - items: - description: |- - TokenUserValidationRule provides a CEL-based rule used to validate a token subject. - Each rule contains a CEL expression that is evaluated against the token’s claims. - properties: - expression: - description: |- - expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc. - - The expression must evaluate to a boolean value. - When the expression evaluates to 'true', the cluster user identity is considered valid. - When the expression evaluates to 'false', the cluster user identity is not considered valid. - expression must be at least 1 character in length and must not exceed 1024 characters. - maxLength: 1024 - minLength: 1 - type: string - message: - description: |- - message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. - message must be at least 1 character in length and must not exceed 256 characters. 
- maxLength: 256 - minLength: 1 - type: string - required: - - expression - - message - type: object - maxItems: 64 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - expression - x-kubernetes-list-type: map - required: - - claimMappings - - issuer - - name - type: object - maxItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - enum: - - "" - - None - - IntegratedOAuth - - OIDC - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. 
- - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting it - has no effect. - items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - status: - description: status holds observed values from the cluster. They may not - be overridden. - properties: - integratedOAuthMetadata: - description: |- - integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for the in-cluster integrated OAuth server. 
- This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - This contains the observed value based on cluster state. - An explicitly set value in spec.oauthMetadata has precedence over this field. - This field has no meaning if authentication spec.type is not set to IntegratedOAuth. - The key "oauthMetadata" is used to locate the data. - If the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config-managed. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcClients: - description: oidcClients is where participating operators place the - current OIDC client status for OIDC clients that can be customized - by the cluster-admin. - items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. - properties: - componentName: - description: |- - componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. - - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
- maxLength: 63 - minLength: 1 - type: string - conditions: - description: |- - conditions are used to communicate the state of the `oidcClients` entry. - - Supported conditions include Available, Degraded and Progressing. - - If Available is true, the component is successfully using the configured client. - If Degraded is true, that means something has gone wrong trying to handle the client configuration. - If Progressing is true, that means the component is taking some action related to the `oidcClients` entry. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. 
- maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - consumingUsers: - description: |- - consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. - items: - description: ConsumingUser is an alias for string which we - add validation to. Currently only service accounts are supported. - maxLength: 512 - minLength: 1 - pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - maxItems: 5 - type: array - x-kubernetes-list-type: set - currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - - Entries must have unique issuerURL/clientID pairs. - items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. - properties: - clientID: - description: |- - clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. - - clientID must not be empty. - minLength: 1 - type: string - issuerURL: - description: |- - issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. 
- - issuerURL must use the 'https' scheme. - pattern: ^https:\/\/[^\s] - type: string - oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). - minLength: 1 - type: string - required: - - clientID - - issuerURL - - oidcProviderName - type: object - type: array - x-kubernetes-list-map-keys: - - issuerURL - - clientID - x-kubernetes-list-type: map - required: - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - x-kubernetes-validations: - - message: all oidcClients in the oidcProviders must match their componentName - and componentNamespace to either a previously configured oidcClient or - they must exist in the status.oidcClients - rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) - || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace - == specC.componentNamespace && statusC.componentName == specC.componentName) - || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, - oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, - oldC.componentNamespace == specC.componentNamespace && oldC.componentName - == specC.componentName)))))' - served: true - storage: true - subresources: - status: {} 
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications.crd.yaml
similarity index 99%
rename from config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
rename to config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications.crd.yaml
index cd737e2727f..cfad250f288 100644
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications.crd.yaml
@@ -7,7 +7,6 @@ metadata:
 include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/bootstrap-required: "true" - release.openshift.io/feature-set: CustomNoUpgrade name: authentications.config.openshift.io spec: group: config.openshift.io
diff --git a/features.md b/features.md
index 2741b537d92..6bf23536c49 100644
--- a/features.md
+++ b/features.md
@@ -56,7 +56,6 @@
 | DyanmicServiceEndpointIBMCloud| | | Enabled | Enabled | | | Enabled | Enabled | | EtcdBackendQuota| | | Enabled | Enabled | | | Enabled | Enabled | | Example| | | Enabled | Enabled | | | Enabled | Enabled | -| ExternalOIDCWithUpstreamParity| | | Enabled | Enabled | | | Enabled | Enabled | | GCPCustomAPIEndpoints| | | Enabled | Enabled | | | Enabled | Enabled | | GCPCustomAPIEndpointsInstall| | | Enabled | Enabled | | | Enabled | Enabled | | GCPDualStackInstall| | | Enabled | Enabled | | | Enabled | Enabled |
@@ -95,6 +94,7 @@
 | EventTTL| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ExternalOIDC| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ExternalOIDCWithUIDAndExtraClaimMappings| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| ExternalOIDCWithUpstreamParity| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | GatewayAPIWithoutOLM| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ImageStreamImportMode| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | InsightsConfig| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
diff --git a/features/features.go b/features/features.go
index 3895a6fba52..b2c6262721c 100644
--- a/features/features.go
+++ b/features/features.go
@@ -373,7 +373,7 @@ var (
 contactPerson("saldawam").
 productScope(ocpSpecific).
 enhancementPR("https://github.com/openshift/enhancements/pull/1763").
- enable(inDevPreviewNoUpgrade(), inTechPreviewNoUpgrade()).
+ enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 mustRegister()

 FeatureGateExternalOIDCExternalClaimsSourcing = newFeatureGate("ExternalOIDCExternalClaimsSourcing").
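Review bot: Promoting ExternalOIDCWithUpstreamParity to `inDefault()` and `inOKD()` also removes, for default clusters, the `claim is required` CEL rule on the groups mapping (`rule: has(self.claim)`) that the deleted Default CRD enforced, so a `groups` mapping without a claim is presumably now accepted by the API server outside tech preview rather than rejected at admission. The field description `claim is required when the ExternalOIDCWithUpstreamParity feature gate is not enabled` (visible in the removed CRD text and sourced from the Go type outside this diff) is therefore stale for the Default and OKD feature sets and should be reworded to say when claim may be omitted and how groups are mapped in that case. It would help to spell this validation relaxation out in the commit message, since it is a behavioural change to the stable feature set rather than a plain gate flip. The builder chain and the enclosing `var (` block start outside the hunk.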
@@ -457,12 +457,12 @@ var (
 mustRegister()

 FeatureGateOLMLifecycleAndCompatibility = newFeatureGate("OLMLifecycleAndCompatibility").
- reportProblemsToJiraComponent("olm").
- contactPerson("joelanford").
- productScope(ocpSpecific).
- enhancementPR("https://github.com/openshift/enhancements/pull/1991").
- enable(inClusterProfile(SelfManaged), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
- mustRegister()
+ reportProblemsToJiraComponent("olm").
+ contactPerson("joelanford").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1991").
+ enable(inClusterProfile(SelfManaged), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
+ mustRegister()

 FeatureGateInsightsOnDemandDataGather = newFeatureGate("InsightsOnDemandDataGather").
 reportProblemsToJiraComponent("insights").
diff --git a/openapi/openapi.json b/openapi/openapi.json
index 2b1f51b9d29..f5fd083033a 100644
--- a/openapi/openapi.json
+++ b/openapi/openapi.json
@@ -15834,6 +15834,7 @@
 "properties": { "kms": { "description": "kms defines the configuration for the external KMS instance that manages the encryption keys, when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an externally configured KMS instance.\n\nThe Key Management Service (KMS) instance provides symmetric encryption and is responsible for managing the lifecyle of the encryption keys outside of the control plane. This allows integration with an external provider to manage the data encryption keys securely.", + "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.KMSPluginConfig" }, "type": {
@@ -22323,7 +22324,7 @@
 "type": "object", "properties": { "allowedRegistries": { - "description": "allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied.\n\nOnly one of BlockedRegistries or AllowedRegistries may be set.", + "description": "allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied. Each entry must be a valid registry scope in the format hostname[:port][/path], optionally prefixed with \"*.\" for wildcard subdomains (e.g., \"*.example.com\"). The hostname must consist of valid DNS labels separated by dots, where each label contains only alphanumeric characters and hyphens and does not start or end with a hyphen. Entries must not be empty, must not include tags (e.g., \":latest\") or digests (e.g., \"@sha256:...\"), and must be at most 256 characters in length. The list may contain at most 1024 entries.\n\nOnly one of BlockedRegistries or AllowedRegistries may be set.", "type": "array", "items": { "type": "string",
@@ -22332,7 +22333,7 @@
 "x-kubernetes-list-type": "atomic" }, "blockedRegistries": { - "description": "blockedRegistries cannot be used for image pull and push actions. All other registries are permitted.\n\nOnly one of BlockedRegistries or AllowedRegistries may be set.", + "description": "blockedRegistries cannot be used for image pull and push actions. All other registries are permitted. Each entry must be a valid registry scope in the format hostname[:port][/path], optionally prefixed with \"*.\" for wildcard subdomains (e.g., \"*.example.com\"). The hostname must consist of valid DNS labels separated by dots, where each label contains only alphanumeric characters and hyphens and does not start or end with a hyphen. Entries must not be empty, must not include tags (e.g., \":latest\") or digests (e.g., \"@sha256:...\"), and must be at most 256 characters in length. The list may contain at most 1024 entries.\n\nOnly one of BlockedRegistries or AllowedRegistries may be set.", "type": "array", "items": { "type": "string",
@@ -22350,7 +22351,7 @@
 "x-kubernetes-list-type": "set" }, "insecureRegistries": { - "description": "insecureRegistries are registries which do not have a valid TLS certificates or only support HTTP connections.", + "description": "insecureRegistries are registries which do not have a valid TLS certificates or only support HTTP connections. Each entry must be a valid registry scope in the format hostname[:port][/path], optionally prefixed with \"*.\" for wildcard subdomains (e.g., \"*.example.com\"). The hostname must consist of valid DNS labels separated by dots, where each label contains only alphanumeric characters and hyphens and does not start or end with a hyphen. Entries must not be empty, must not include tags (e.g., \":latest\") or digests (e.g., \"@sha256:...\"), and must be at most 256 characters in length. The list may contain at most 1024 entries.", "type": "array", "items": { "type": "string",
@@ -24844,6 +24845,11 @@
 "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.NodeExporterCollectorProcessesConfig" }, + "softirqs": { + "description": "softirqs configures the softirqs collector, which exposes detailed softirq statistics from /proc/softirqs. softirqs is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is disabled. Enable when you need visibility into kernel softirq processing across CPUs.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.NodeExporterCollectorSoftirqsConfig" + }, "systemd": { "description": "systemd configures the systemd collector, which collects statistics on the systemd daemon and its managed services. systemd is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is disabled. Enabling this collector with a long list of selected units may produce metrics with high cardinality. If you enable this collector, closely monitor the prometheus-k8s deployment for excessive memory usage. Enable when you need metrics for specific units; scope units carefully.", "default": {},
@@ -25002,6 +25008,23 @@
 } } }, + "com.github.openshift.api.config.v1alpha1.NodeExporterCollectorSoftirqsConfig": { + "description": "NodeExporterCollectorSoftirqsConfig provides configuration for the softirqs collector of the node-exporter agent. The softirqs collector exposes detailed softirq statistics from /proc/softirqs. It is disabled by default.", + "type": "object", + "required": [ + "collectionPolicy" + ], + "properties": { + "collectionPolicy": { + "description": "collectionPolicy declares whether the softirqs collector collects metrics. This field is required. Valid values are \"Collect\" and \"DoNotCollect\". When set to \"Collect\", the softirqs collector is active and softirq statistics are collected. When set to \"DoNotCollect\", the softirqs collector is inactive.\n\nPossible enum values:\n - `\"Collect\"` means the collector is active and will produce metrics.\n - `\"DoNotCollect\"` means the collector is inactive and will not produce metrics.", + "type": "string", + "enum": [ + "Collect", + "DoNotCollect" + ] + } + } + }, "com.github.openshift.api.config.v1alpha1.NodeExporterCollectorSystemdCollectConfig": { "description": "NodeExporterCollectorSystemdCollectConfig holds configuration options for the systemd collector when it is actively collecting metrics. At least one field must be specified.", "type": "object",
diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml
deleted file mode 100644
index 5e6be8db9f1..00000000000
--- a/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml
+++ /dev/null
@@ -1,825 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/470 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/bootstrap-required: "true" - release.openshift.io/feature-set: Default - name: authentications.config.openshift.io -spec: - group: config.openshift.io - names: - kind: Authentication - listKind: AuthenticationList - plural: authentications - singular: authentication - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). The canonical name of an instance is `cluster`. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. - This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcProviders: - description: |- - oidcProviders are OIDC identity providers that can issue tokens for this cluster - Can only be set if "Type" is set to "OIDC". - - At most one provider can be configured. - items: - properties: - claimMappings: - description: claimMappings is a required field that configures - the rules to be used by the Kubernetes API server for translating - claims in a JWT token, issued by the identity provider, to - a cluster identity. - properties: - extra: - description: |- - extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. - When omitted, no extra attributes will be present on the cluster identity. - - key values for extra mappings must be unique. - A maximum of 32 extra attribute mappings may be provided. 
- items: - description: |- - ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. - It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token. - properties: - key: - description: |- - key is a required field that specifies the string to use as the extra attribute key. - - key must be a domain-prefix path (e.g 'example.org/foo'). - key must not exceed 510 characters in length. - key must contain the '/' character, separating the domain and path characters. - key must not be empty. - - The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. - It must not exceed 253 characters in length. - It must start and end with an alphanumeric character. - It must only contain lower case alphanumeric characters and '-' or '.'. - It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. - It must not exceed 256 characters in length. 
- maxLength: 510 - minLength: 1 - type: string - x-kubernetes-validations: - - message: key must contain the '/' character - rule: self.contains('/') - - message: the domain of the key must consist of only - lower case alphanumeric characters, '-' or '.', - and must start and end with an alphanumeric character - rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - - message: the domain of the key must not exceed 253 - characters in length - rule: self.split('/', 2)[0].size() <= 253 - - message: the domain 'kubernetes.io' is reserved - for Kubernetes use - rule: self.split('/', 2)[0] != 'kubernetes.io' - - message: the subdomains '*.kubernetes.io' are reserved - for Kubernetes use - rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' - - message: the domain 'k8s.io' is reserved for Kubernetes - use - rule: self.split('/', 2)[0] != 'k8s.io' - - message: the subdomains '*.k8s.io' are reserved - for Kubernetes use - rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' - - message: the domain 'openshift.io' is reserved for - OpenShift use - rule: self.split('/', 2)[0] != 'openshift.io' - - message: the subdomains '*.openshift.io' are reserved - for OpenShift use - rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' - - message: the path of the key must not be empty and - must consist of at least one alphanumeric character, - percent-encoded octets, apostrophe, '-', '.', - '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', - ';', '=', and ':' - rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') - - message: the path of the key must not exceed 256 - characters in length - rule: self.split('/', 2)[1].size() <= 256 - valueExpression: - description: |- - valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. - valueExpression must produce a string or string array value. 
- "", [], and null are treated as the extra mapping not being present. - Empty string values within an array are filtered out. - - CEL expressions have access to the token claims through a CEL variable, 'claims'. - 'claims' is a map of claim names to claim values. - For example, the 'sub' claim value can be accessed as 'claims.sub'. - Nested claims can be accessed using dot notation ('claims.foo.bar'). - - valueExpression must not exceed 1024 characters in length. - valueExpression must not be empty. - maxLength: 1024 - minLength: 1 - type: string - required: - - key - - valueExpression - type: object - maxItems: 32 - type: array - x-kubernetes-list-map-keys: - - key - x-kubernetes-list-type: map - groups: - description: |- - groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. - - When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). - - For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. - properties: - claim: - description: |- - claim is an optional field for specifying the JWT token claim that is used in the mapping. - The value of this claim will be assigned to the field in which this mapping is associated. - claim must not exceed 256 characters in length. - When set to the empty string `""`, this means that no named claim should be used for the group mapping. - claim is required when the ExternalOIDCWithUpstreamParity feature gate is not enabled. - maxLength: 256 - type: string - prefix: - description: |- - prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. - - When omitted or set to an empty string (""), no prefix is applied to the cluster identity attribute. 
- Must not be set to a non-empty value when expression is set. - - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". - type: string - type: object - x-kubernetes-validations: - - message: claim is required - rule: has(self.claim) - uid: - description: |- - uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. - - When using uid.claim to specify the claim it must be a single string value. - When using uid.expression the expression must result in a single string value. - - When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. - - The current default is to use the 'sub' claim. - properties: - claim: - description: |- - claim is an optional field for specifying the JWT token claim that is used in the mapping. - The value of this claim will be assigned to the field in which this mapping is associated. - - Precisely one of claim or expression must be set. - claim must not be specified when expression is set. - When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - expression: - description: |- - expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. - - CEL expressions have access to the token claims through a CEL variable, 'claims'. - 'claims' is a map of claim names to claim values. - For example, the 'sub' claim value can be accessed as 'claims.sub'. - Nested claims can be accessed using dot notation ('claims.foo.bar'). - - Precisely one of claim or expression must be set. - expression must not be specified when claim is set. 
- When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. - maxLength: 1024 - minLength: 1 - type: string - type: object - x-kubernetes-validations: - - message: precisely one of claim or expression must be - set - rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' - username: - description: username is a required field that configures - how the username of a cluster identity should be constructed - from the claims in a JWT token issued by the identity - provider. - properties: - claim: - description: |- - claim is an optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. - claim is required when the ExternalOIDCWithUpstreamParity feature gate is not enabled. - When the ExternalOIDCWithUpstreamParity feature gate is enabled, claim must not be set when expression is set. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 - type: string - prefix: - description: |- - prefix configures the prefix that should be prepended to the value of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. - properties: - prefixString: - description: |- - prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). - minLength: 1 - type: string - required: - - prefixString - type: object - prefixPolicy: - description: |- - prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). 
- - When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - Must not be set to 'Prefix' when expression is set. - When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. - When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. - - As an example, consider the following scenario: - - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" - enum: - - "" - - NoPrefix - - Prefix - type: string - type: object - x-kubernetes-validations: - - message: claim is required - rule: has(self.claim) - - message: prefix must be set if prefixPolicy is 'Prefix', - but must remain unset otherwise - rule: 'has(self.prefixPolicy) && self.prefixPolicy == - ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) - > 0) : !has(self.prefix)' - required: - - username - type: object - claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. - - Validation rules are joined via an AND operation. - items: - description: |- - TokenClaimValidationRule represents a validation rule based on token claims. - If type is RequiredClaim, requiredClaim must be set. - If Type is CEL, CEL must be set and RequiredClaim must be omitted. - properties: - requiredClaim: - description: |- - requiredClaim allows configuring a required claim name and its expected value. 
- This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. - The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. - properties: - claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). - minLength: 1 - type: string - requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token will be rejected for authentication. - - requiredValue must not be an empty string (""). - minLength: 1 - type: string - required: - - claim - - requiredValue - type: object - type: - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are "RequiredClaim" and "CEL". - - When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. - - When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. - enum: - - RequiredClaim - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: requiredClaim must be set when type is 'RequiredClaim', - and forbidden otherwise - rule: 'has(self.type) && self.type == ''RequiredClaim'' - ? has(self.requiredClaim) : !has(self.requiredClaim)' - type: array - x-kubernetes-list-type: atomic - issuer: - description: issuer is a required field that configures how - the platform interacts with the identity provider and how - tokens issued from the identity provider are evaluated by - the Kubernetes API server. 
- properties: - audiences: - description: |- - audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. - - audiences must contain at least one entry and must not exceed ten entries. - items: - minLength: 1 - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: set - issuerCertificateAuthority: - description: |- - issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - issuerURL: - description: |- - issuerURL is a required field that configures the URL used to issue tokens by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. 
- maxLength: 512 - minLength: 1 - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' - required: - - audiences - - issuerURL - type: object - name: - description: |- - name is a required field that configures the unique human-readable identifier associated with the identity provider. - It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). - minLength: 1 - type: string - oidcClients: - description: |- - oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. - items: - description: OIDCClientConfig configures how platform clients - interact with identity providers as an authentication method. - properties: - clientID: - description: |- - clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. - The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). - minLength: 1 - type: string - clientSecret: - description: |- - clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. 
- - When not specified, no client secret will be used when making authentication requests to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - componentName: - description: |- - componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. - - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. - - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. - maxLength: 63 - minLength: 1 - type: string - extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. - This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. 
- items: - type: string - type: array - x-kubernetes-list-type: set - required: - - clientID - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - required: - - claimMappings - - issuer - - name - type: object - maxItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - enum: - - "" - - None - - IntegratedOAuth - - OIDC - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. 
- - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting it - has no effect. - items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - status: - description: status holds observed values from the cluster. They may not - be overridden. - properties: - integratedOAuthMetadata: - description: |- - integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for the in-cluster integrated OAuth server. 
- This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - This contains the observed value based on cluster state. - An explicitly set value in spec.oauthMetadata has precedence over this field. - This field has no meaning if authentication spec.type is not set to IntegratedOAuth. - The key "oauthMetadata" is used to locate the data. - If the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config-managed. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcClients: - description: oidcClients is where participating operators place the - current OIDC client status for OIDC clients that can be customized - by the cluster-admin. - items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. - properties: - componentName: - description: |- - componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. - - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
- maxLength: 63 - minLength: 1 - type: string - conditions: - description: |- - conditions are used to communicate the state of the `oidcClients` entry. - - Supported conditions include Available, Degraded and Progressing. - - If Available is true, the component is successfully using the configured client. - If Degraded is true, that means something has gone wrong trying to handle the client configuration. - If Progressing is true, that means the component is taking some action related to the `oidcClients` entry. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. 
- maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - consumingUsers: - description: |- - consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. - items: - description: ConsumingUser is an alias for string which we - add validation to. Currently only service accounts are supported. - maxLength: 512 - minLength: 1 - pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - maxItems: 5 - type: array - x-kubernetes-list-type: set - currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - - Entries must have unique issuerURL/clientID pairs. - items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. - properties: - clientID: - description: |- - clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. - - clientID must not be empty. - minLength: 1 - type: string - issuerURL: - description: |- - issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. 
- - issuerURL must use the 'https' scheme. - pattern: ^https:\/\/[^\s] - type: string - oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). - minLength: 1 - type: string - required: - - clientID - - issuerURL - - oidcProviderName - type: object - type: array - x-kubernetes-list-map-keys: - - issuerURL - - clientID - x-kubernetes-list-type: map - required: - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - x-kubernetes-validations: - - message: all oidcClients in the oidcProviders must match their componentName - and componentNamespace to either a previously configured oidcClient or - they must exist in the status.oidcClients - rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) - || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace - == specC.componentNamespace && statusC.componentName == specC.componentName) - || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, - oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, - oldC.componentNamespace == specC.componentNamespace && oldC.componentName - == specC.componentName)))))' - served: true - storage: true - subresources: - status: {}
diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml
deleted file mode 100644
index bf116984ffd..00000000000
--- a/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml
+++ /dev/null
@@ -1,960 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/470 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/bootstrap-required: "true" - release.openshift.io/feature-set: DevPreviewNoUpgrade - name: authentications.config.openshift.io -spec: - group: config.openshift.io - names: - kind: Authentication - listKind: AuthenticationList - plural: authentications - singular: authentication - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). The canonical name of an instance is `cluster`. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. - This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcProviders: - description: |- - oidcProviders are OIDC identity providers that can issue tokens for this cluster - Can only be set if "Type" is set to "OIDC". - - At most one provider can be configured. - items: - properties: - claimMappings: - description: claimMappings is a required field that configures - the rules to be used by the Kubernetes API server for translating - claims in a JWT token, issued by the identity provider, to - a cluster identity. - properties: - extra: - description: |- - extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. - When omitted, no extra attributes will be present on the cluster identity. - - key values for extra mappings must be unique. - A maximum of 32 extra attribute mappings may be provided. 
- items: - description: |- - ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. - It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token. - properties: - key: - description: |- - key is a required field that specifies the string to use as the extra attribute key. - - key must be a domain-prefix path (e.g 'example.org/foo'). - key must not exceed 510 characters in length. - key must contain the '/' character, separating the domain and path characters. - key must not be empty. - - The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. - It must not exceed 253 characters in length. - It must start and end with an alphanumeric character. - It must only contain lower case alphanumeric characters and '-' or '.'. - It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. - It must not exceed 256 characters in length. 
- maxLength: 510 - minLength: 1 - type: string - x-kubernetes-validations: - - message: key must contain the '/' character - rule: self.contains('/') - - message: the domain of the key must consist of only - lower case alphanumeric characters, '-' or '.', - and must start and end with an alphanumeric character - rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - - message: the domain of the key must not exceed 253 - characters in length - rule: self.split('/', 2)[0].size() <= 253 - - message: the domain 'kubernetes.io' is reserved - for Kubernetes use - rule: self.split('/', 2)[0] != 'kubernetes.io' - - message: the subdomains '*.kubernetes.io' are reserved - for Kubernetes use - rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' - - message: the domain 'k8s.io' is reserved for Kubernetes - use - rule: self.split('/', 2)[0] != 'k8s.io' - - message: the subdomains '*.k8s.io' are reserved - for Kubernetes use - rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' - - message: the domain 'openshift.io' is reserved for - OpenShift use - rule: self.split('/', 2)[0] != 'openshift.io' - - message: the subdomains '*.openshift.io' are reserved - for OpenShift use - rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' - - message: the path of the key must not be empty and - must consist of at least one alphanumeric character, - percent-encoded octets, apostrophe, '-', '.', - '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', - ';', '=', and ':' - rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') - - message: the path of the key must not exceed 256 - characters in length - rule: self.split('/', 2)[1].size() <= 256 - valueExpression: - description: |- - valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. - valueExpression must produce a string or string array value. 
- "", [], and null are treated as the extra mapping not being present. - Empty string values within an array are filtered out. - - CEL expressions have access to the token claims through a CEL variable, 'claims'. - 'claims' is a map of claim names to claim values. - For example, the 'sub' claim value can be accessed as 'claims.sub'. - Nested claims can be accessed using dot notation ('claims.foo.bar'). - - valueExpression must not exceed 1024 characters in length. - valueExpression must not be empty. - maxLength: 1024 - minLength: 1 - type: string - required: - - key - - valueExpression - type: object - maxItems: 32 - type: array - x-kubernetes-list-map-keys: - - key - x-kubernetes-list-type: map - groups: - description: |- - groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. - - When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). - - For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. - properties: - claim: - description: |- - claim is an optional field for specifying the JWT token claim that is used in the mapping. - The value of this claim will be assigned to the field in which this mapping is associated. - claim must not exceed 256 characters in length. - When set to the empty string `""`, this means that no named claim should be used for the group mapping. - claim is required when the ExternalOIDCWithUpstreamParity feature gate is not enabled. - maxLength: 256 - type: string - expression: - description: |- - expression is an optional CEL expression used to derive - group values from JWT claims. - - CEL expressions have access to the token claims through a CEL variable, 'claims'. - - expression must be at least 1 character and must not exceed 1024 characters in length . 
- - When specified, claim must not be set or be explicitly set to the empty string (`""`). - maxLength: 1024 - minLength: 1 - type: string - prefix: - description: |- - prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. - - When omitted or set to an empty string (""), no prefix is applied to the cluster identity attribute. - Must not be set to a non-empty value when expression is set. - - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". - type: string - type: object - x-kubernetes-validations: - - message: prefix must not be set to a non-empty value when - expression is set - rule: 'has(self.expression) && size(self.expression) > - 0 ? (!has(self.prefix) || size(self.prefix) == 0) : - true' - - message: expression must not be set if claim is specified - and is not an empty string - rule: '(size(self.?claim.orValue("")) > 0) ? !has(self.expression) - : true' - uid: - description: |- - uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. - - When using uid.claim to specify the claim it must be a single string value. - When using uid.expression the expression must result in a single string value. - - When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. - - The current default is to use the 'sub' claim. - properties: - claim: - description: |- - claim is an optional field for specifying the JWT token claim that is used in the mapping. - The value of this claim will be assigned to the field in which this mapping is associated. - - Precisely one of claim or expression must be set. - claim must not be specified when expression is set. 
- When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - expression: - description: |- - expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. - - CEL expressions have access to the token claims through a CEL variable, 'claims'. - 'claims' is a map of claim names to claim values. - For example, the 'sub' claim value can be accessed as 'claims.sub'. - Nested claims can be accessed using dot notation ('claims.foo.bar'). - - Precisely one of claim or expression must be set. - expression must not be specified when claim is set. - When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. - maxLength: 1024 - minLength: 1 - type: string - type: object - x-kubernetes-validations: - - message: precisely one of claim or expression must be - set - rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' - username: - description: username is a required field that configures - how the username of a cluster identity should be constructed - from the claims in a JWT token issued by the identity - provider. - properties: - claim: - description: |- - claim is an optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. - claim is required when the ExternalOIDCWithUpstreamParity feature gate is not enabled. - When the ExternalOIDCWithUpstreamParity feature gate is enabled, claim must not be set when expression is set. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 - type: string - expression: - description: |- - expression is an optional CEL expression used to derive - the username from JWT claims. - - CEL expressions have access to the token claims - through a CEL variable, 'claims'. 
- - expression must be at least 1 character and must not exceed 1024 characters in length. - expression must not be set when claim is set. - maxLength: 1024 - minLength: 1 - type: string - prefix: - description: |- - prefix configures the prefix that should be prepended to the value of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. - properties: - prefixString: - description: |- - prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). - minLength: 1 - type: string - required: - - prefixString - type: object - prefixPolicy: - description: |- - prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - - When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - Must not be set to 'Prefix' when expression is set. - When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. - When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. 
- - As an example, consider the following scenario: - - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" - enum: - - "" - - NoPrefix - - Prefix - type: string - type: object - x-kubernetes-validations: - - message: precisely one of claim or expression must be - set - rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' - - message: prefixPolicy must not be set to 'Prefix' when - expression is set - rule: 'has(self.expression) && size(self.expression) > - 0 ? !has(self.prefixPolicy) || self.prefixPolicy != - ''Prefix'' : true' - - message: prefix must be set if prefixPolicy is 'Prefix', - but must remain unset otherwise - rule: 'has(self.prefixPolicy) && self.prefixPolicy == - ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) - > 0) : !has(self.prefix)' - required: - - username - type: object - claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. - - Validation rules are joined via an AND operation. - items: - description: |- - TokenClaimValidationRule represents a validation rule based on token claims. - If type is RequiredClaim, requiredClaim must be set. - If Type is CEL, CEL must be set and RequiredClaim must be omitted. - properties: - cel: - description: |- - cel holds the CEL expression and message for validation. - Must be set when Type is "CEL", and forbidden otherwise. - properties: - expression: - description: |- - expression is a CEL expression evaluated against token claims. - expression is required, must be at least 1 character in length and must not exceed 1024 characters. 
- The expression must return a boolean value where 'true' signals a valid token and 'false' an invalid one. - maxLength: 1024 - minLength: 1 - type: string - message: - description: |- - message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. - message must be at least 1 character in length and must not exceed 256 characters. - maxLength: 256 - minLength: 1 - type: string - required: - - expression - - message - type: object - requiredClaim: - description: |- - requiredClaim allows configuring a required claim name and its expected value. - This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. - The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. - properties: - claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). - minLength: 1 - type: string - requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token will be rejected for authentication. - - requiredValue must not be an empty string (""). - minLength: 1 - type: string - required: - - claim - - requiredValue - type: object - type: - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are "RequiredClaim" and "CEL". - - When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. - - When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. 
- enum: - - RequiredClaim - - CEL - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: cel must be set when type is 'CEL', and forbidden - otherwise - rule: 'has(self.type) && self.type == ''CEL'' ? has(self.cel) - : !has(self.cel)' - - message: requiredClaim must be set when type is 'RequiredClaim', - and forbidden otherwise - rule: 'has(self.type) && self.type == ''RequiredClaim'' - ? has(self.requiredClaim) : !has(self.requiredClaim)' - type: array - x-kubernetes-list-type: atomic - issuer: - description: issuer is a required field that configures how - the platform interacts with the identity provider and how - tokens issued from the identity provider are evaluated by - the Kubernetes API server. - properties: - audiences: - description: |- - audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. - - audiences must contain at least one entry and must not exceed ten entries. - items: - minLength: 1 - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: set - discoveryURL: - description: |- - discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. - By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". - - The discoveryURL must be a valid absolute HTTPS URL. - It must not contain query parameters, user information, or fragments. - Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). - The discoveryURL value must be at least 1 character long and no longer than 2048 characters. 
- maxLength: 2048 - minLength: 1 - type: string - x-kubernetes-validations: - - message: discoveryURL must be a valid URL - rule: isURL(self) - - message: discoveryURL must be a valid https URL - rule: url(self).getScheme() == 'https' - - message: discoveryURL must not contain query parameters - rule: url(self).getQuery().size() == 0 - - message: discoveryURL must not contain fragments - rule: self.matches('^[^#]*$') - - message: discoveryURL must not contain user info - rule: '!self.matches(''^https://.+:.+@.+/.*$'')' - issuerCertificateAuthority: - description: |- - issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - issuerURL: - description: |- - issuerURL is a required field that configures the URL used to issue tokens by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. 
- maxLength: 512 - minLength: 1 - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' - required: - - audiences - - issuerURL - type: object - x-kubernetes-validations: - - message: discoveryURL must be different from issuerURL - rule: 'self.?discoveryURL.orValue("").size() > 0 ? (self.issuerURL.size() - == 0 || self.discoveryURL.find(''^.+[^/]'') != self.issuerURL.find(''^.+[^/]'')) - : true' - name: - description: |- - name is a required field that configures the unique human-readable identifier associated with the identity provider. - It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). - minLength: 1 - type: string - oidcClients: - description: |- - oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. - items: - description: OIDCClientConfig configures how platform clients - interact with identity providers as an authentication method. - properties: - clientID: - description: |- - clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. - The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). 
- minLength: 1 - type: string - clientSecret: - description: |- - clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. - - When not specified, no client secret will be used when making authentication requests to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - componentName: - description: |- - componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. - - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. - - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. - maxLength: 63 - minLength: 1 - type: string - extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. 
- This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. - items: - type: string - type: array - x-kubernetes-list-type: set - required: - - clientID - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - userValidationRules: - description: |- - userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. - Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. - If any rule in the chain of rules evaluates to 'false', authentication will fail. - When specified, at least one rule must be specified and no more than 64 rules may be specified. - items: - description: |- - TokenUserValidationRule provides a CEL-based rule used to validate a token subject. - Each rule contains a CEL expression that is evaluated against the token’s claims. - properties: - expression: - description: |- - expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc. - - The expression must evaluate to a boolean value. - When the expression evaluates to 'true', the cluster user identity is considered valid. - When the expression evaluates to 'false', the cluster user identity is not considered valid. - expression must be at least 1 character in length and must not exceed 1024 characters. - maxLength: 1024 - minLength: 1 - type: string - message: - description: |- - message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. - message must be at least 1 character in length and must not exceed 256 characters. 
- maxLength: 256 - minLength: 1 - type: string - required: - - expression - - message - type: object - maxItems: 64 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - expression - x-kubernetes-list-type: map - required: - - claimMappings - - issuer - - name - type: object - maxItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - enum: - - "" - - None - - IntegratedOAuth - - OIDC - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. 
- - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting it - has no effect. - items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - status: - description: status holds observed values from the cluster. They may not - be overridden. - properties: - integratedOAuthMetadata: - description: |- - integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for the in-cluster integrated OAuth server. 
- This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - This contains the observed value based on cluster state. - An explicitly set value in spec.oauthMetadata has precedence over this field. - This field has no meaning if authentication spec.type is not set to IntegratedOAuth. - The key "oauthMetadata" is used to locate the data. - If the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config-managed. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcClients: - description: oidcClients is where participating operators place the - current OIDC client status for OIDC clients that can be customized - by the cluster-admin. - items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. - properties: - componentName: - description: |- - componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. - - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
- maxLength: 63 - minLength: 1 - type: string - conditions: - description: |- - conditions are used to communicate the state of the `oidcClients` entry. - - Supported conditions include Available, Degraded and Progressing. - - If Available is true, the component is successfully using the configured client. - If Degraded is true, that means something has gone wrong trying to handle the client configuration. - If Progressing is true, that means the component is taking some action related to the `oidcClients` entry. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. 
- maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - consumingUsers: - description: |- - consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. - items: - description: ConsumingUser is an alias for string which we - add validation to. Currently only service accounts are supported. - maxLength: 512 - minLength: 1 - pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - maxItems: 5 - type: array - x-kubernetes-list-type: set - currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - - Entries must have unique issuerURL/clientID pairs. - items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. - properties: - clientID: - description: |- - clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. - - clientID must not be empty. - minLength: 1 - type: string - issuerURL: - description: |- - issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. 
- - issuerURL must use the 'https' scheme. - pattern: ^https:\/\/[^\s] - type: string - oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). - minLength: 1 - type: string - required: - - clientID - - issuerURL - - oidcProviderName - type: object - type: array - x-kubernetes-list-map-keys: - - issuerURL - - clientID - x-kubernetes-list-type: map - required: - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - x-kubernetes-validations: - - message: all oidcClients in the oidcProviders must match their componentName - and componentNamespace to either a previously configured oidcClient or - they must exist in the status.oidcClients - rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) - || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace - == specC.componentNamespace && statusC.componentName == specC.componentName) - || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, - oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, - oldC.componentNamespace == specC.componentNamespace && oldC.componentName - == specC.componentName)))))' - served: true - storage: true - subresources: - status: {} diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml deleted file mode 100644 index dcfe61e693b..00000000000 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml +++ /dev/null 
@@ -1,825 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/470 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/bootstrap-required: "true" - release.openshift.io/feature-set: OKD - name: authentications.config.openshift.io -spec: - group: config.openshift.io - names: - kind: Authentication - listKind: AuthenticationList - plural: authentications - singular: authentication - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). The canonical name of an instance is `cluster`. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. - This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcProviders: - description: |- - oidcProviders are OIDC identity providers that can issue tokens for this cluster - Can only be set if "Type" is set to "OIDC". - - At most one provider can be configured. - items: - properties: - claimMappings: - description: claimMappings is a required field that configures - the rules to be used by the Kubernetes API server for translating - claims in a JWT token, issued by the identity provider, to - a cluster identity. - properties: - extra: - description: |- - extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. - When omitted, no extra attributes will be present on the cluster identity. - - key values for extra mappings must be unique. - A maximum of 32 extra attribute mappings may be provided. 
- items: - description: |- - ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. - It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token. - properties: - key: - description: |- - key is a required field that specifies the string to use as the extra attribute key. - - key must be a domain-prefix path (e.g 'example.org/foo'). - key must not exceed 510 characters in length. - key must contain the '/' character, separating the domain and path characters. - key must not be empty. - - The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. - It must not exceed 253 characters in length. - It must start and end with an alphanumeric character. - It must only contain lower case alphanumeric characters and '-' or '.'. - It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. - It must not exceed 256 characters in length. 
- maxLength: 510 - minLength: 1 - type: string - x-kubernetes-validations: - - message: key must contain the '/' character - rule: self.contains('/') - - message: the domain of the key must consist of only - lower case alphanumeric characters, '-' or '.', - and must start and end with an alphanumeric character - rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - - message: the domain of the key must not exceed 253 - characters in length - rule: self.split('/', 2)[0].size() <= 253 - - message: the domain 'kubernetes.io' is reserved - for Kubernetes use - rule: self.split('/', 2)[0] != 'kubernetes.io' - - message: the subdomains '*.kubernetes.io' are reserved - for Kubernetes use - rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' - - message: the domain 'k8s.io' is reserved for Kubernetes - use - rule: self.split('/', 2)[0] != 'k8s.io' - - message: the subdomains '*.k8s.io' are reserved - for Kubernetes use - rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' - - message: the domain 'openshift.io' is reserved for - OpenShift use - rule: self.split('/', 2)[0] != 'openshift.io' - - message: the subdomains '*.openshift.io' are reserved - for OpenShift use - rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' - - message: the path of the key must not be empty and - must consist of at least one alphanumeric character, - percent-encoded octets, apostrophe, '-', '.', - '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', - ';', '=', and ':' - rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') - - message: the path of the key must not exceed 256 - characters in length - rule: self.split('/', 2)[1].size() <= 256 - valueExpression: - description: |- - valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. - valueExpression must produce a string or string array value. 
- "", [], and null are treated as the extra mapping not being present. - Empty string values within an array are filtered out. - - CEL expressions have access to the token claims through a CEL variable, 'claims'. - 'claims' is a map of claim names to claim values. - For example, the 'sub' claim value can be accessed as 'claims.sub'. - Nested claims can be accessed using dot notation ('claims.foo.bar'). - - valueExpression must not exceed 1024 characters in length. - valueExpression must not be empty. - maxLength: 1024 - minLength: 1 - type: string - required: - - key - - valueExpression - type: object - maxItems: 32 - type: array - x-kubernetes-list-map-keys: - - key - x-kubernetes-list-type: map - groups: - description: |- - groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. - - When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). - - For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. - properties: - claim: - description: |- - claim is an optional field for specifying the JWT token claim that is used in the mapping. - The value of this claim will be assigned to the field in which this mapping is associated. - claim must not exceed 256 characters in length. - When set to the empty string `""`, this means that no named claim should be used for the group mapping. - claim is required when the ExternalOIDCWithUpstreamParity feature gate is not enabled. - maxLength: 256 - type: string - prefix: - description: |- - prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. - - When omitted or set to an empty string (""), no prefix is applied to the cluster identity attribute. 
- Must not be set to a non-empty value when expression is set. - - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". - type: string - type: object - x-kubernetes-validations: - - message: claim is required - rule: has(self.claim) - uid: - description: |- - uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. - - When using uid.claim to specify the claim it must be a single string value. - When using uid.expression the expression must result in a single string value. - - When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. - - The current default is to use the 'sub' claim. - properties: - claim: - description: |- - claim is an optional field for specifying the JWT token claim that is used in the mapping. - The value of this claim will be assigned to the field in which this mapping is associated. - - Precisely one of claim or expression must be set. - claim must not be specified when expression is set. - When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - expression: - description: |- - expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. - - CEL expressions have access to the token claims through a CEL variable, 'claims'. - 'claims' is a map of claim names to claim values. - For example, the 'sub' claim value can be accessed as 'claims.sub'. - Nested claims can be accessed using dot notation ('claims.foo.bar'). - - Precisely one of claim or expression must be set. - expression must not be specified when claim is set. 
- When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. - maxLength: 1024 - minLength: 1 - type: string - type: object - x-kubernetes-validations: - - message: precisely one of claim or expression must be - set - rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' - username: - description: username is a required field that configures - how the username of a cluster identity should be constructed - from the claims in a JWT token issued by the identity - provider. - properties: - claim: - description: |- - claim is an optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. - claim is required when the ExternalOIDCWithUpstreamParity feature gate is not enabled. - When the ExternalOIDCWithUpstreamParity feature gate is enabled, claim must not be set when expression is set. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 - type: string - prefix: - description: |- - prefix configures the prefix that should be prepended to the value of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. - properties: - prefixString: - description: |- - prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). - minLength: 1 - type: string - required: - - prefixString - type: object - prefixPolicy: - description: |- - prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). 
- - When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - Must not be set to 'Prefix' when expression is set. - When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. - When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. - - As an example, consider the following scenario: - - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" - enum: - - "" - - NoPrefix - - Prefix - type: string - type: object - x-kubernetes-validations: - - message: claim is required - rule: has(self.claim) - - message: prefix must be set if prefixPolicy is 'Prefix', - but must remain unset otherwise - rule: 'has(self.prefixPolicy) && self.prefixPolicy == - ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) - > 0) : !has(self.prefix)' - required: - - username - type: object - claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. - - Validation rules are joined via an AND operation. - items: - description: |- - TokenClaimValidationRule represents a validation rule based on token claims. - If type is RequiredClaim, requiredClaim must be set. - If Type is CEL, CEL must be set and RequiredClaim must be omitted. - properties: - requiredClaim: - description: |- - requiredClaim allows configuring a required claim name and its expected value. 
- This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. - The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. - properties: - claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). - minLength: 1 - type: string - requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token will be rejected for authentication. - - requiredValue must not be an empty string (""). - minLength: 1 - type: string - required: - - claim - - requiredValue - type: object - type: - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are "RequiredClaim" and "CEL". - - When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. - - When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. - enum: - - RequiredClaim - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: requiredClaim must be set when type is 'RequiredClaim', - and forbidden otherwise - rule: 'has(self.type) && self.type == ''RequiredClaim'' - ? has(self.requiredClaim) : !has(self.requiredClaim)' - type: array - x-kubernetes-list-type: atomic - issuer: - description: issuer is a required field that configures how - the platform interacts with the identity provider and how - tokens issued from the identity provider are evaluated by - the Kubernetes API server. 
- properties: - audiences: - description: |- - audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. - - audiences must contain at least one entry and must not exceed ten entries. - items: - minLength: 1 - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: set - issuerCertificateAuthority: - description: |- - issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - issuerURL: - description: |- - issuerURL is a required field that configures the URL used to issue tokens by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. 
- maxLength: 512 - minLength: 1 - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' - required: - - audiences - - issuerURL - type: object - name: - description: |- - name is a required field that configures the unique human-readable identifier associated with the identity provider. - It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). - minLength: 1 - type: string - oidcClients: - description: |- - oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. - items: - description: OIDCClientConfig configures how platform clients - interact with identity providers as an authentication method. - properties: - clientID: - description: |- - clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. - The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). - minLength: 1 - type: string - clientSecret: - description: |- - clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. 
- - When not specified, no client secret will be used when making authentication requests to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - componentName: - description: |- - componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. - - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. - - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. - maxLength: 63 - minLength: 1 - type: string - extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. - This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. 
- items: - type: string - type: array - x-kubernetes-list-type: set - required: - - clientID - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - required: - - claimMappings - - issuer - - name - type: object - maxItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - enum: - - "" - - None - - IntegratedOAuth - - OIDC - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. 
- - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting it - has no effect. - items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - status: - description: status holds observed values from the cluster. They may not - be overridden. - properties: - integratedOAuthMetadata: - description: |- - integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for the in-cluster integrated OAuth server. 
- This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - This contains the observed value based on cluster state. - An explicitly set value in spec.oauthMetadata has precedence over this field. - This field has no meaning if authentication spec.type is not set to IntegratedOAuth. - The key "oauthMetadata" is used to locate the data. - If the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config-managed. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcClients: - description: oidcClients is where participating operators place the - current OIDC client status for OIDC clients that can be customized - by the cluster-admin. - items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. - properties: - componentName: - description: |- - componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. - - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
- maxLength: 63 - minLength: 1 - type: string - conditions: - description: |- - conditions are used to communicate the state of the `oidcClients` entry. - - Supported conditions include Available, Degraded and Progressing. - - If Available is true, the component is successfully using the configured client. - If Degraded is true, that means something has gone wrong trying to handle the client configuration. - If Progressing is true, that means the component is taking some action related to the `oidcClients` entry. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. 
- maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - consumingUsers: - description: |- - consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. - items: - description: ConsumingUser is an alias for string which we - add validation to. Currently only service accounts are supported. - maxLength: 512 - minLength: 1 - pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - maxItems: 5 - type: array - x-kubernetes-list-type: set - currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - - Entries must have unique issuerURL/clientID pairs. - items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. - properties: - clientID: - description: |- - clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. - - clientID must not be empty. - minLength: 1 - type: string - issuerURL: - description: |- - issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. 
- - issuerURL must use the 'https' scheme. - pattern: ^https:\/\/[^\s] - type: string - oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). - minLength: 1 - type: string - required: - - clientID - - issuerURL - - oidcProviderName - type: object - type: array - x-kubernetes-list-map-keys: - - issuerURL - - clientID - x-kubernetes-list-type: map - required: - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - x-kubernetes-validations: - - message: all oidcClients in the oidcProviders must match their componentName - and componentNamespace to either a previously configured oidcClient or - they must exist in the status.oidcClients - rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) - || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace - == specC.componentNamespace && statusC.componentName == specC.componentName) - || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, - oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, - oldC.componentNamespace == specC.componentNamespace && oldC.componentName - == specC.componentName)))))' - served: true - storage: true - subresources: - status: {} diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml deleted file mode 100644 index de0dd293a85..00000000000 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml +++ /dev/null 
@@ -1,960 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/470 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/bootstrap-required: "true" - release.openshift.io/feature-set: TechPreviewNoUpgrade - name: authentications.config.openshift.io -spec: - group: config.openshift.io - names: - kind: Authentication - listKind: AuthenticationList - plural: authentications - singular: authentication - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). The canonical name of an instance is `cluster`. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. - This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcProviders: - description: |- - oidcProviders are OIDC identity providers that can issue tokens for this cluster - Can only be set if "Type" is set to "OIDC". - - At most one provider can be configured. - items: - properties: - claimMappings: - description: claimMappings is a required field that configures - the rules to be used by the Kubernetes API server for translating - claims in a JWT token, issued by the identity provider, to - a cluster identity. - properties: - extra: - description: |- - extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. - When omitted, no extra attributes will be present on the cluster identity. - - key values for extra mappings must be unique. - A maximum of 32 extra attribute mappings may be provided. 
- items: - description: |- - ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. - It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token. - properties: - key: - description: |- - key is a required field that specifies the string to use as the extra attribute key. - - key must be a domain-prefix path (e.g 'example.org/foo'). - key must not exceed 510 characters in length. - key must contain the '/' character, separating the domain and path characters. - key must not be empty. - - The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. - It must not exceed 253 characters in length. - It must start and end with an alphanumeric character. - It must only contain lower case alphanumeric characters and '-' or '.'. - It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io". - - The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. - It must not exceed 256 characters in length. 
- maxLength: 510 - minLength: 1 - type: string - x-kubernetes-validations: - - message: key must contain the '/' character - rule: self.contains('/') - - message: the domain of the key must consist of only - lower case alphanumeric characters, '-' or '.', - and must start and end with an alphanumeric character - rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$") - - message: the domain of the key must not exceed 253 - characters in length - rule: self.split('/', 2)[0].size() <= 253 - - message: the domain 'kubernetes.io' is reserved - for Kubernetes use - rule: self.split('/', 2)[0] != 'kubernetes.io' - - message: the subdomains '*.kubernetes.io' are reserved - for Kubernetes use - rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')' - - message: the domain 'k8s.io' is reserved for Kubernetes - use - rule: self.split('/', 2)[0] != 'k8s.io' - - message: the subdomains '*.k8s.io' are reserved - for Kubernetes use - rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')' - - message: the domain 'openshift.io' is reserved for - OpenShift use - rule: self.split('/', 2)[0] != 'openshift.io' - - message: the subdomains '*.openshift.io' are reserved - for OpenShift use - rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')' - - message: the path of the key must not be empty and - must consist of at least one alphanumeric character, - percent-encoded octets, apostrophe, '-', '.', - '_', '~', '!', '$', '&', '(', ')', '*', '+', ',', - ';', '=', and ':' - rule: self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+') - - message: the path of the key must not exceed 256 - characters in length - rule: self.split('/', 2)[1].size() <= 256 - valueExpression: - description: |- - valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims. - valueExpression must produce a string or string array value. 
- "", [], and null are treated as the extra mapping not being present. - Empty string values within an array are filtered out. - - CEL expressions have access to the token claims through a CEL variable, 'claims'. - 'claims' is a map of claim names to claim values. - For example, the 'sub' claim value can be accessed as 'claims.sub'. - Nested claims can be accessed using dot notation ('claims.foo.bar'). - - valueExpression must not exceed 1024 characters in length. - valueExpression must not be empty. - maxLength: 1024 - minLength: 1 - type: string - required: - - key - - valueExpression - type: object - maxItems: 32 - type: array - x-kubernetes-list-map-keys: - - key - x-kubernetes-list-type: map - groups: - description: |- - groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. - - When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). - - For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values. - properties: - claim: - description: |- - claim is an optional field for specifying the JWT token claim that is used in the mapping. - The value of this claim will be assigned to the field in which this mapping is associated. - claim must not exceed 256 characters in length. - When set to the empty string `""`, this means that no named claim should be used for the group mapping. - claim is required when the ExternalOIDCWithUpstreamParity feature gate is not enabled. - maxLength: 256 - type: string - expression: - description: |- - expression is an optional CEL expression used to derive - group values from JWT claims. - - CEL expressions have access to the token claims through a CEL variable, 'claims'. - - expression must be at least 1 character and must not exceed 1024 characters in length . 
- - When specified, claim must not be set or be explicitly set to the empty string (`""`). - maxLength: 1024 - minLength: 1 - type: string - prefix: - description: |- - prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. - - When omitted or set to an empty string (""), no prefix is applied to the cluster identity attribute. - Must not be set to a non-empty value when expression is set. - - Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c". - type: string - type: object - x-kubernetes-validations: - - message: prefix must not be set to a non-empty value when - expression is set - rule: 'has(self.expression) && size(self.expression) > - 0 ? (!has(self.prefix) || size(self.prefix) == 0) : - true' - - message: expression must not be set if claim is specified - and is not an empty string - rule: '(size(self.?claim.orValue("")) > 0) ? !has(self.expression) - : true' - uid: - description: |- - uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. - - When using uid.claim to specify the claim it must be a single string value. - When using uid.expression the expression must result in a single string value. - - When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. - - The current default is to use the 'sub' claim. - properties: - claim: - description: |- - claim is an optional field for specifying the JWT token claim that is used in the mapping. - The value of this claim will be assigned to the field in which this mapping is associated. - - Precisely one of claim or expression must be set. - claim must not be specified when expression is set. 
- When specified, claim must be at least 1 character in length and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - expression: - description: |- - expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims. - - CEL expressions have access to the token claims through a CEL variable, 'claims'. - 'claims' is a map of claim names to claim values. - For example, the 'sub' claim value can be accessed as 'claims.sub'. - Nested claims can be accessed using dot notation ('claims.foo.bar'). - - Precisely one of claim or expression must be set. - expression must not be specified when claim is set. - When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length. - maxLength: 1024 - minLength: 1 - type: string - type: object - x-kubernetes-validations: - - message: precisely one of claim or expression must be - set - rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' - username: - description: username is a required field that configures - how the username of a cluster identity should be constructed - from the claims in a JWT token issued by the identity - provider. - properties: - claim: - description: |- - claim is an optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. - claim is required when the ExternalOIDCWithUpstreamParity feature gate is not enabled. - When the ExternalOIDCWithUpstreamParity feature gate is enabled, claim must not be set when expression is set. - - claim must not be an empty string ("") and must not exceed 256 characters. - maxLength: 256 - minLength: 1 - type: string - expression: - description: |- - expression is an optional CEL expression used to derive - the username from JWT claims. - - CEL expressions have access to the token claims - through a CEL variable, 'claims'. 
- - expression must be at least 1 character and must not exceed 1024 characters in length. - expression must not be set when claim is set. - maxLength: 1024 - minLength: 1 - type: string - prefix: - description: |- - prefix configures the prefix that should be prepended to the value of the JWT claim. - - prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise. - properties: - prefixString: - description: |- - prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes. - - prefixString must not be an empty string (""). - minLength: 1 - type: string - required: - - prefixString - type: object - prefixPolicy: - description: |- - prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. - - Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string). - - When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. - The prefix field must be set when prefixPolicy is 'Prefix'. - Must not be set to 'Prefix' when expression is set. - When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim. - When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. - Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. 
- - As an example, consider the following scenario: - - `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - - "username": the mapped value will be "https://myoidc.tld#userA" - - "email": the mapped value will be "userA@myoidc.tld" - enum: - - "" - - NoPrefix - - Prefix - type: string - type: object - x-kubernetes-validations: - - message: precisely one of claim or expression must be - set - rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)' - - message: prefixPolicy must not be set to 'Prefix' when - expression is set - rule: 'has(self.expression) && size(self.expression) > - 0 ? !has(self.prefixPolicy) || self.prefixPolicy != - ''Prefix'' : true' - - message: prefix must be set if prefixPolicy is 'Prefix', - but must remain unset otherwise - rule: 'has(self.prefixPolicy) && self.prefixPolicy == - ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) - > 0) : !has(self.prefix)' - required: - - username - type: object - claimValidationRules: - description: |- - claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider. - - Validation rules are joined via an AND operation. - items: - description: |- - TokenClaimValidationRule represents a validation rule based on token claims. - If type is RequiredClaim, requiredClaim must be set. - If Type is CEL, CEL must be set and RequiredClaim must be omitted. - properties: - cel: - description: |- - cel holds the CEL expression and message for validation. - Must be set when Type is "CEL", and forbidden otherwise. - properties: - expression: - description: |- - expression is a CEL expression evaluated against token claims. - expression is required, must be at least 1 character in length and must not exceed 1024 characters. 
- The expression must return a boolean value where 'true' signals a valid token and 'false' an invalid one. - maxLength: 1024 - minLength: 1 - type: string - message: - description: |- - message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. - message must be at least 1 character in length and must not exceed 256 characters. - maxLength: 256 - minLength: 1 - type: string - required: - - expression - - message - type: object - requiredClaim: - description: |- - requiredClaim allows configuring a required claim name and its expected value. - This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. - The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider. - properties: - claim: - description: |- - claim is a required field that configures the name of the required claim. - When taken from the JWT claims, claim must be a string value. - - claim must not be an empty string (""). - minLength: 1 - type: string - requiredValue: - description: |- - requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims. - If the value in the JWT claims does not match, the token will be rejected for authentication. - - requiredValue must not be an empty string (""). - minLength: 1 - type: string - required: - - claim - - requiredValue - type: object - type: - description: |- - type is an optional field that configures the type of the validation rule. - - Allowed values are "RequiredClaim" and "CEL". - - When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value. - - When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression. 
- enum: - - RequiredClaim - - CEL - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: cel must be set when type is 'CEL', and forbidden - otherwise - rule: 'has(self.type) && self.type == ''CEL'' ? has(self.cel) - : !has(self.cel)' - - message: requiredClaim must be set when type is 'RequiredClaim', - and forbidden otherwise - rule: 'has(self.type) && self.type == ''RequiredClaim'' - ? has(self.requiredClaim) : !has(self.requiredClaim)' - type: array - x-kubernetes-list-type: atomic - issuer: - description: issuer is a required field that configures how - the platform interacts with the identity provider and how - tokens issued from the identity provider are evaluated by - the Kubernetes API server. - properties: - audiences: - description: |- - audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. - At least one of the entries must match the 'aud' claim in the JWT token. - - audiences must contain at least one entry and must not exceed ten entries. - items: - minLength: 1 - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: set - discoveryURL: - description: |- - discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. - By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration". - - The discoveryURL must be a valid absolute HTTPS URL. - It must not contain query parameters, user information, or fragments. - Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). - The discoveryURL value must be at least 1 character long and no longer than 2048 characters. 
- maxLength: 2048 - minLength: 1 - type: string - x-kubernetes-validations: - - message: discoveryURL must be a valid URL - rule: isURL(self) - - message: discoveryURL must be a valid https URL - rule: url(self).getScheme() == 'https' - - message: discoveryURL must not contain query parameters - rule: url(self).getQuery().size() == 0 - - message: discoveryURL must not contain fragments - rule: self.matches('^[^#]*$') - - message: discoveryURL must not contain user info - rule: '!self.matches(''^https://.+:.+@.+/.*$'')' - issuerCertificateAuthority: - description: |- - issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information. - - When not specified, the system trust is used. - - When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - issuerURL: - description: |- - issuerURL is a required field that configures the URL used to issue tokens by the identity provider. - The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers. - - Must be at least 1 character and must not exceed 512 characters in length. - Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user. 
- maxLength: 512 - minLength: 1 - type: string - x-kubernetes-validations: - - message: must be a valid URL - rule: isURL(self) - - message: must use the 'https' scheme - rule: isURL(self) && url(self).getScheme() == 'https' - - message: must not have a query - rule: isURL(self) && url(self).getQuery() == {} - - message: must not have a fragment - rule: self.find('#(.+)$') == '' - - message: must not have user info - rule: self.find('@') == '' - required: - - audiences - - issuerURL - type: object - x-kubernetes-validations: - - message: discoveryURL must be different from issuerURL - rule: 'self.?discoveryURL.orValue("").size() > 0 ? (self.issuerURL.size() - == 0 || self.discoveryURL.find(''^.+[^/]'') != self.issuerURL.find(''^.+[^/]'')) - : true' - name: - description: |- - name is a required field that configures the unique human-readable identifier associated with the identity provider. - It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics. - - name must not be an empty string (""). - minLength: 1 - type: string - oidcClients: - description: |- - oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. - oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs. - items: - description: OIDCClientConfig configures how platform clients - interact with identity providers as an authentication method. - properties: - clientID: - description: |- - clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. - The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode. - - clientID must not be an empty string (""). 
- minLength: 1 - type: string - clientSecret: - description: |- - clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider. - - When not specified, no client secret will be used when making authentication requests to the identity provider. - - When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. - - The client secret will be used when making authentication requests to the identity provider. - - Public clients do not require a client secret but private clients do require a client secret to work with the identity provider. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - componentName: - description: |- - componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. - - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. - - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. - maxLength: 63 - minLength: 1 - type: string - extraScopes: - description: |- - extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. 
- This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes. - - When omitted, no additional scopes are requested. - items: - type: string - type: array - x-kubernetes-list-type: set - required: - - clientID - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - userValidationRules: - description: |- - userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. - Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. - If any rule in the chain of rules evaluates to 'false', authentication will fail. - When specified, at least one rule must be specified and no more than 64 rules may be specified. - items: - description: |- - TokenUserValidationRule provides a CEL-based rule used to validate a token subject. - Each rule contains a CEL expression that is evaluated against the token’s claims. - properties: - expression: - description: |- - expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc. - - The expression must evaluate to a boolean value. - When the expression evaluates to 'true', the cluster user identity is considered valid. - When the expression evaluates to 'false', the cluster user identity is not considered valid. - expression must be at least 1 character in length and must not exceed 1024 characters. - maxLength: 1024 - minLength: 1 - type: string - message: - description: |- - message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. - message must be at least 1 character in length and must not exceed 256 characters. 
- maxLength: 256 - minLength: 1 - type: string - required: - - expression - - message - type: object - maxItems: 64 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - expression - x-kubernetes-list-type: map - required: - - claimMappings - - issuer - - name - type: object - maxItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - enum: - - "" - - None - - IntegratedOAuth - - OIDC - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. 
- - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting it - has no effect. - items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - status: - description: status holds observed values from the cluster. They may not - be overridden. - properties: - integratedOAuthMetadata: - description: |- - integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for the in-cluster integrated OAuth server. 
- This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - This contains the observed value based on cluster state. - An explicitly set value in spec.oauthMetadata has precedence over this field. - This field has no meaning if authentication spec.type is not set to IntegratedOAuth. - The key "oauthMetadata" is used to locate the data. - If the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config-managed. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - oidcClients: - description: oidcClients is where participating operators place the - current OIDC client status for OIDC clients that can be customized - by the cluster-admin. - items: - description: |- - OIDCClientStatus represents the current state - of platform components and how they interact with - the configured identity providers. - properties: - componentName: - description: |- - componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. - It is used in combination with componentNamespace as a unique identifier. - - componentName must not be an empty string ("") and must not exceed 256 characters in length. - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. - - It is used in combination with componentName as a unique identifier. - - componentNamespace must not be an empty string ("") and must not exceed 63 characters in length. 
- maxLength: 63 - minLength: 1 - type: string - conditions: - description: |- - conditions are used to communicate the state of the `oidcClients` entry. - - Supported conditions include Available, Degraded and Progressing. - - If Available is true, the component is successfully using the configured client. - If Degraded is true, that means something has gone wrong trying to handle the client configuration. - If Progressing is true, that means the component is taking some action related to the `oidcClients` entry. - items: - description: Condition contains details for one aspect of - the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. 
- maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - consumingUsers: - description: |- - consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret. - - consumingUsers must not exceed 5 entries. - items: - description: ConsumingUser is an alias for string which we - add validation to. Currently only service accounts are supported. - maxLength: 512 - minLength: 1 - pattern: ^system:serviceaccount:[a-z0-9]([-a-z0-9]*[a-z0-9])?:[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - maxItems: 5 - type: array - x-kubernetes-list-type: set - currentOIDCClients: - description: |- - currentOIDCClients is an optional list of clients that the component is currently using. - - Entries must have unique issuerURL/clientID pairs. - items: - description: |- - OIDCClientReference is a reference to a platform component - client configuration. - properties: - clientID: - description: |- - clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider. - - clientID must not be empty. - minLength: 1 - type: string - issuerURL: - description: |- - issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against. 
- - issuerURL must use the 'https' scheme. - pattern: ^https:\/\/[^\s] - type: string - oidcProviderName: - description: |- - oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with. - - oidcProviderName must not be an empty string (""). - minLength: 1 - type: string - required: - - clientID - - issuerURL - - oidcProviderName - type: object - type: array - x-kubernetes-list-map-keys: - - issuerURL - - clientID - x-kubernetes-list-type: map - required: - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - type: object - required: - - spec - type: object - x-kubernetes-validations: - - message: all oidcClients in the oidcProviders must match their componentName - and componentNamespace to either a previously configured oidcClient or - they must exist in the status.oidcClients - rule: '!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) - || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace - == specC.componentNamespace && statusC.componentName == specC.componentName) - || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, - oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, - oldC.componentNamespace == specC.componentNamespace && oldC.componentName - == specC.componentName)))))' - served: true - storage: true - subresources: - status: {} 
diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications.crd.yaml similarity index 99% rename from payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml rename to payload-manifests/crds/0000_10_config-operator_01_authentications.crd.yaml index cd737e2727f..cfad250f288 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications.crd.yaml @@ -7,7 +7,6 @@ metadata: include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/bootstrap-required: "true" - release.openshift.io/feature-set: CustomNoUpgrade name: authentications.config.openshift.io spec: group: config.openshift.io diff --git a/payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml b/payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml index 44c3b161445..b09de8013a7 100644 --- a/payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml +++ b/payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml @@ -140,9 +140,6 @@ { "name": "ExternalOIDCExternalClaimsSourcing" }, - { - "name": "ExternalOIDCWithUpstreamParity" - }, { "name": "ExternalSnapshotMetadata" }, @@ -298,6 +295,9 @@ { "name": "ExternalOIDCWithUIDAndExtraClaimMappings" }, + { + "name": "ExternalOIDCWithUpstreamParity" + }, { "name": "GatewayAPIWithoutOLM" }, diff --git a/payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml b/payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml index 4c828e6e6a4..bbf209d5a96 100644 --- a/payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml +++ b/payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml 
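Review bot: Dropping the `release.openshift.io/feature-set: CustomNoUpgrade` annotation from the renamed `0000_10_config-operator_01_authentications.crd.yaml` makes this one schema the CRD served regardless of feature set, so every field it carries — including any that were previously only reachable under CustomNoUpgrade or a preview feature set — becomes accepted by the API server on Default clusters. That is correct only if every feature gate that contributes fields to `authentications.config.openshift.io` is now enabled in every profile, not just `ExternalOIDCWithUpstreamParity`; the featuregate hunks that follow show only that one gate moving between two lists whose names lie outside the hunks (presumably the disabled and enabled lists). Since these manifests appear to be generated output, please confirm they came from a clean `make update` and that a diff of the new unconditional CRD against what Default clusters served before this change contains only the fields this gate owns, so no unreviewed authentication-config surface is widened by the rename.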
@@ -142,9 +142,6 @@ { "name": "ExternalOIDCExternalClaimsSourcing" }, - { - "name": "ExternalOIDCWithUpstreamParity" - }, { "name": "ExternalSnapshotMetadata" }, @@ -300,6 +297,9 @@ { "name": "ExternalOIDCWithUIDAndExtraClaimMappings" }, + { + "name": "ExternalOIDCWithUpstreamParity" + }, { "name": "GatewayAPIWithoutOLM" }, diff --git a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml index 02c76178a2a..bbdb6701663 100644 --- a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml +++ b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml @@ -137,9 +137,6 @@ { "name": "ExternalOIDCExternalClaimsSourcing" }, - { - "name": "ExternalOIDCWithUpstreamParity" - }, { "name": "ExternalSnapshotMetadata" }, @@ -295,6 +292,9 @@ { "name": "ExternalOIDCWithUIDAndExtraClaimMappings" }, + { + "name": "ExternalOIDCWithUpstreamParity" + }, { "name": "GatewayAPIWithoutOLM" }, diff --git a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml index e686451eb34..25bdc380a40 100644 --- a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml +++ b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml @@ -139,9 +139,6 @@ { "name": "ExternalOIDCExternalClaimsSourcing" }, - { - "name": "ExternalOIDCWithUpstreamParity" - }, { "name": "ExternalSnapshotMetadata" }, @@ -297,6 +294,9 @@ { "name": "ExternalOIDCWithUIDAndExtraClaimMappings" }, + { + "name": "ExternalOIDCWithUpstreamParity" + }, { "name": "GatewayAPIWithoutOLM" },