diff --git a/apis/concierge/authentication/v1alpha1/types_jwt.go.tmpl b/apis/concierge/authentication/v1alpha1/types_jwt.go.tmpl index 5d0604bd..b08e8279 100644 --- a/apis/concierge/authentication/v1alpha1/types_jwt.go.tmpl +++ b/apis/concierge/authentication/v1alpha1/types_jwt.go.tmpl @@ -27,6 +27,16 @@ type JWTAuthenticatorSpec struct { // +kubebuilder:validation:MinLength=1 Audience string `json:"audience"` + // UsernameClaim is the name of the claim which should be read to extract the + // username from the JWT token. When not specified, it will default to "username". + // +optional + UsernameClaim string `json:"username_claim"` + + // GroupsClaim is the name of the claim which should be read to extract the user's + // group membership from the JWT token. When not specified, it will default to "groups". + // +optional + GroupsClaim string `json:"groups_claim"` + // TLS configuration for communicating with the OIDC provider. // +optional TLS *TLSSpec `json:"tls,omitempty"` diff --git a/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index ed16bf0c..0865ca3c 100644 --- a/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -51,6 +51,11 @@ spec: description: Audience is the required value of the "aud" JWT claim. minLength: 1 type: string + groups_claim: + description: GroupsClaim is the name of the claim which should be + read to extract the user's group membership from the JWT token. + When not specified, it will default to "groups". + type: string issuer: description: Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT 
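Review bot: The new `UsernameClaim` and `GroupsClaim` fields in the JWTAuthenticatorSpec hunk are tagged `json:"username_claim"` and `json:"groups_claim"`, which is inconsistent with the neighbouring `TLS *TLSSpec` field's `json:"tls,omitempty"` and with the Kubernetes API convention of camelCase JSON names: both fields are `+optional` yet lack `omitempty`, so an unset value is still serialized as `"username_claim": ""`, and the snake_case names become part of the CRD's public schema (they already surface as `groups_claim`/`username_claim` in the generated YAML in this commit), which is hard to rename once released. Suggested tags: `UsernameClaim string` with `json:"usernameClaim,omitempty"` and `GroupsClaim string` with `json:"groupsClaim,omitempty"`, after which the copies under generated/1.17, 1.18 and 1.19 should be regenerated since they carry the same tags. The doc comments promise a default of "username"/"groups" that nothing in this type enforces; it would help to state where that defaulting happens (presumably in the authenticator that consumes this spec — confirm) and that the chosen claim's value is used as-is for the identity, so operators should pick a claim whose values are stable and unique for the issuer. The enclosing struct starts and ends outside the hunk.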
@@ -66,6 +71,11 @@ spec: If omitted, a default set of system roots will be trusted. type: string type: object + username_claim: + description: UsernameClaim is the name of the claim which should be + read to extract the username from the JWT token. When not specified, + it will default to "username". + type: string required: - audience - issuer diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc index 0ccdd1df..1f29282c 100644 --- a/generated/1.17/README.adoc +++ b/generated/1.17/README.adoc @@ -92,6 +92,8 @@ Spec for configuring a JWT authenticator. | Field | Description | *`issuer`* __string__ | Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT claim. | *`audience`* __string__ | Audience is the required value of the "aud" JWT claim. +| *`username_claim`* __string__ | UsernameClaim is the name of the claim which should be read to extract the username from the JWT token. When not specified, it will default to "username". +| *`groups_claim`* __string__ | GroupsClaim is the name of the claim which should be read to extract the user's group membership from the JWT token. When not specified, it will default to "groups". | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for communicating with the OIDC provider. |=== diff --git a/generated/1.17/apis/concierge/authentication/v1alpha1/types_jwt.go b/generated/1.17/apis/concierge/authentication/v1alpha1/types_jwt.go index 5d0604bd..1c43f68f 100644 --- a/generated/1.17/apis/concierge/authentication/v1alpha1/types_jwt.go +++ b/generated/1.17/apis/concierge/authentication/v1alpha1/types_jwt.go 
@@ -27,6 +27,16 @@ type JWTAuthenticatorSpec struct { // +kubebuilder:validation:MinLength=1 Audience string `json:"audience"` + // UsernameClaim is the name of the claim which should be read to extract the + // username from the JWT token. When not specified, it will default to "username". + // +optional + UsernameClaim string `json:"username_claim"` + + // GroupsClaim is the name of the claim which should be read to extract the user's + // group membership from the JWT token. When not specified, it will default to "groups". + // +optional + GroupsClaim string `json:"groups_claim"` + // TLS configuration for communicating with the OIDC provider. // +optional TLS *TLSSpec `json:"tls,omitempty"` diff --git a/generated/1.17/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.17/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index ed16bf0c..0865ca3c 100644 --- a/generated/1.17/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/generated/1.17/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -51,6 +51,11 @@ spec: description: Audience is the required value of the "aud" JWT claim. minLength: 1 type: string + groups_claim: + description: GroupsClaim is the name of the claim which should be + read to extract the user's group membership from the JWT token. + When not specified, it will default to "groups". + type: string issuer: description: Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT @@ -66,6 +71,11 @@ spec: If omitted, a default set of system roots will be trusted. type: string type: object + username_claim: + description: UsernameClaim is the name of the claim which should be + read to extract the username from the JWT token. When not specified, + it will default to "username". + type: string required: - audience - issuer 
diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index 97042b25..2cef60f4 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc @@ -92,6 +92,8 @@ Spec for configuring a JWT authenticator. | Field | Description | *`issuer`* __string__ | Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT claim. | *`audience`* __string__ | Audience is the required value of the "aud" JWT claim. +| *`username_claim`* __string__ | UsernameClaim is the name of the claim which should be read to extract the username from the JWT token. When not specified, it will default to "username". +| *`groups_claim`* __string__ | GroupsClaim is the name of the claim which should be read to extract the user's group membership from the JWT token. When not specified, it will default to "groups". | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for communicating with the OIDC provider. |=== diff --git a/generated/1.18/apis/concierge/authentication/v1alpha1/types_jwt.go b/generated/1.18/apis/concierge/authentication/v1alpha1/types_jwt.go index 5d0604bd..1c43f68f 100644 --- a/generated/1.18/apis/concierge/authentication/v1alpha1/types_jwt.go +++ b/generated/1.18/apis/concierge/authentication/v1alpha1/types_jwt.go 
@@ -27,6 +27,16 @@ type JWTAuthenticatorSpec struct { // +kubebuilder:validation:MinLength=1 Audience string `json:"audience"` + // UsernameClaim is the name of the claim which should be read to extract the + // username from the JWT token. When not specified, it will default to "username". + // +optional + UsernameClaim string `json:"username_claim"` + + // GroupsClaim is the name of the claim which should be read to extract the user's + // group membership from the JWT token. When not specified, it will default to "groups". + // +optional + GroupsClaim string `json:"groups_claim"` + // TLS configuration for communicating with the OIDC provider. // +optional TLS *TLSSpec `json:"tls,omitempty"` diff --git a/generated/1.18/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.18/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index ed16bf0c..0865ca3c 100644 --- a/generated/1.18/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/generated/1.18/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -51,6 +51,11 @@ spec: description: Audience is the required value of the "aud" JWT claim. minLength: 1 type: string + groups_claim: + description: GroupsClaim is the name of the claim which should be + read to extract the user's group membership from the JWT token. + When not specified, it will default to "groups". + type: string issuer: description: Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT @@ -66,6 +71,11 @@ spec: If omitted, a default set of system roots will be trusted. type: string type: object + username_claim: + description: UsernameClaim is the name of the claim which should be + read to extract the username from the JWT token. When not specified, + it will default to "username". + type: string required: - audience - issuer 
diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index edda33b8..bfb3c44f 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc @@ -92,6 +92,8 @@ Spec for configuring a JWT authenticator. | Field | Description | *`issuer`* __string__ | Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT claim. | *`audience`* __string__ | Audience is the required value of the "aud" JWT claim. +| *`username_claim`* __string__ | UsernameClaim is the name of the claim which should be read to extract the username from the JWT token. When not specified, it will default to "username". +| *`groups_claim`* __string__ | GroupsClaim is the name of the claim which should be read to extract the user's group membership from the JWT token. When not specified, it will default to "groups". | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for communicating with the OIDC provider. |=== diff --git a/generated/1.19/apis/concierge/authentication/v1alpha1/types_jwt.go b/generated/1.19/apis/concierge/authentication/v1alpha1/types_jwt.go index 5d0604bd..1c43f68f 100644 --- a/generated/1.19/apis/concierge/authentication/v1alpha1/types_jwt.go +++ b/generated/1.19/apis/concierge/authentication/v1alpha1/types_jwt.go 
@@ -27,6 +27,16 @@ type JWTAuthenticatorSpec struct { // +kubebuilder:validation:MinLength=1 Audience string `json:"audience"` + // UsernameClaim is the name of the claim which should be read to extract the + // username from the JWT token. When not specified, it will default to "username". + // +optional + UsernameClaim string `json:"username_claim"` + + // GroupsClaim is the name of the claim which should be read to extract the user's + // group membership from the JWT token. When not specified, it will default to "groups". + // +optional + GroupsClaim string `json:"groups_claim"` + // TLS configuration for communicating with the OIDC provider. // +optional TLS *TLSSpec `json:"tls,omitempty"` diff --git a/generated/1.19/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.19/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index ed16bf0c..0865ca3c 100644 --- a/generated/1.19/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/generated/1.19/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -51,6 +51,11 @@ spec: description: Audience is the required value of the "aud" JWT claim. minLength: 1 type: string + groups_claim: + description: GroupsClaim is the name of the claim which should be + read to extract the user's group membership from the JWT token. + When not specified, it will default to "groups". + type: string issuer: description: Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT @@ -66,6 +71,11 @@ spec: If omitted, a default set of system roots will be trusted. type: string type: object + username_claim: + description: UsernameClaim is the name of the claim which should be + read to extract the username from the JWT token. When not specified, + it will default to "username". + type: string required: - audience - issuer