122 lines
5.6 KiB
YAML
122 lines
5.6 KiB
YAML
|
---
|
||
|
|
apiVersion: apiextensions.k8s.io/v1
|
||
|
|
kind: CustomResourceDefinition
|
||
|
|
metadata:
|
||
|
|
annotations:
|
||
|
|
controller-gen.kubebuilder.io/version: v0.8.0
|
||
|
|
creationTimestamp: null
|
||
|
|
name: oidcclients.oauth.supervisor.pinniped.dev
|
||
|
|
spec:
|
||
|
|
group: oauth.supervisor.pinniped.dev
|
||
|
|
names:
|
||
|
|
categories:
|
||
|
|
- pinniped
|
||
|
|
kind: OIDCClient
|
||
|
|
listKind: OIDCClientList
|
||
|
|
plural: oidcclients
|
||
|
|
singular: oidcclient
|
||
|
|
scope: Namespaced
|
||
|
|
versions:
|
||
|
|
- additionalPrinterColumns:
|
||
|
|
- jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}'
|
||
|
|
name: Privileged
|
||
|
|
type: boolean
|
||
|
|
- jsonPath: .metadata.creationTimestamp
|
||
|
|
name: Age
|
||
|
|
type: date
|
||
|
|
name: v1alpha1
|
||
|
|
schema:
|
||
|
|
openAPIV3Schema:
|
||
|
|
description: OIDCClient describes the configuration of an OIDC client.
|
||
|
|
properties:
|
||
|
|
apiVersion:
|
||
|
|
description: 'APIVersion defines the versioned schema of this representation
|
||
|
|
of an object. Servers should convert recognized schemas to the latest
|
||
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||
|
|
type: string
|
||
|
|
kind:
|
||
|
|
description: 'Kind is a string value representing the REST resource this
|
||
|
|
object represents. Servers may infer this from the endpoint the client
|
||
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||
|
|
type: string
|
||
|
|
metadata:
|
||
|
|
type: object
|
||
|
|
spec:
|
||
|
|
description: Spec of the OIDC provider.
|
||
|
|
properties:
|
||
|
|
allowedGrantTypes:
|
||
|
|
description: "allowedGrantTypes is a list of the allowed grant_type
|
||
|
|
param values that should be accepted during OIDC flows with this
|
||
|
|
client. \n Must only contain the following values: - authorization_code:
|
||
|
|
allows the client to perform the authorization code grant flow,
|
||
|
|
i.e. allows the webapp to authenticate users. This grant must always
|
||
|
|
be listed. - refresh_token: allows the client to perform refresh
|
||
|
|
grants for the user to extend the user's session. This grant must
|
||
|
|
be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange:
|
||
|
|
allows the client to perform RFC8693 token exchange, which is a
|
||
|
|
step in the process to be able to get a cluster credential for the
|
||
|
|
user. This grant must be listed if allowedScopes lists pinniped:request-audience."
|
||
|
|
items:
|
||
|
|
type: string
|
||
|
|
minItems: 1
|
||
|
|
type: array
|
||
|
|
uniqueItems: true
|
||
|
|
allowedRedirectURIs:
|
||
|
|
description: allowedRedirectURIs is a list of the allowed redirect_uri
|
||
|
|
param values that should be accepted during OIDC flows with this
|
||
|
|
client. Any other uris will be rejected. Must be https, unless it
|
||
|
|
is a loopback.
|
||
|
|
items:
|
||
|
|
type: string
|
||
|
|
minItems: 1
|
||
|
|
type: array
|
||
|
|
uniqueItems: true
|
||
|
|
allowedScopes:
|
||
|
|
description: "allowedScopes is a list of the allowed scopes param
|
||
|
|
values that should be accepted during OIDC flows with this client.
|
||
|
|
\n Must only contain the following values: - openid: The client
|
||
|
|
is allowed to request ID tokens. ID tokens only include the required
|
||
|
|
claims by default (iss, sub, aud, exp, iat). This scope must always
|
||
|
|
be listed. - offline_access: The client is allowed to request an
|
||
|
|
initial refresh token during the authorization code grant flow.
|
||
|
|
This scope must be listed if allowedGrantTypes lists refresh_token.
|
||
|
|
- pinniped:request-audience: The client is allowed to request a
|
||
|
|
new audience value during a RFC8693 token exchange, which is a step
|
||
|
|
in the process to be able to get a cluster credential for the user.
|
||
|
|
openid, username and groups scopes must be listed when this scope
|
||
|
|
is present. This scope must be listed if allowedGrantTypes lists
|
||
|
|
urn:ietf:params:oauth:grant-type:token-exchange. - username: The
|
||
|
|
client is allowed to request that ID tokens contain the user's username.
|
||
|
|
Without the username scope being requested and allowed, the ID token
|
||
|
|
will not contain the user's username. - groups: The client is allowed
|
||
|
|
to request that ID tokens contain the user's group membership, if
|
||
|
|
their group membership is discoverable by the Supervisor. Without
|
||
|
|
the groups scope being requested and allowed, the ID token will
|
||
|
|
not contain groups."
|
||
|
|
items:
|
||
|
|
type: string
|
||
|
|
minItems: 1
|
||
|
|
type: array
|
||
|
|
uniqueItems: true
|
||
|
|
required:
|
||
|
|
- allowedGrantTypes
|
||
|
|
- allowedRedirectURIs
|
||
|
|
- allowedScopes
|
||
|
|
type: object
|
||
|
|
status:
|
||
|
|
description: Status of the OIDC provider.
|
||
|
|
type: object
|
||
|
|
required:
|
||
|
|
- spec
|
||
|
|
type: object
|
||
|
|
served: true
|
||
|
|
storage: true
|
||
|
|
subresources:
|
||
|
|
status: {}
|
||
|
|
status:
|
||
|
|
acceptedNames:
|
||
|
|
kind: ""
|
||
|
|
plural: ""
|
||
|
|
conditions: []
|
||
|
|
storedVersions: []
|