djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add UsernameClaim and GroupsClaim to JWTAuthenticator CRD spec

Browse Source 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
This commit is contained in:
Ryan Richard 2020-12-15 10:36:19 -08:00 committed by Margo Crawford
parent 43bb7117b7
commit 0e60c93cef
11 changed files with 86 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
apis/concierge/authentication/v1alpha1/types_jwt.go.tmpl
View File

@ -27,6 +27,16 @@ type JWTAuthenticatorSpec struct {
// +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MinLength=1
Audience string `json:"audience"` Audience string `json:"audience"`
// UsernameClaim is the name of the claim which should be read to extract the
// username from the JWT token. When not specified, it will default to "username".
// +optional
UsernameClaim string `json:"username_claim"`
// GroupsClaim is the name of the claim which should be read to extract the user's
// group membership from the JWT token. When not specified, it will default to "groups".
// +optional
GroupsClaim string `json:"groups_claim"`
// TLS configuration for communicating with the OIDC provider. // TLS configuration for communicating with the OIDC provider.
// +optional // +optional
TLS *TLSSpec `json:"tls,omitempty"` TLS *TLSSpec `json:"tls,omitempty"`

10
deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
View File

@ -51,6 +51,11 @@ spec:
description: Audience is the required value of the "aud" JWT claim. description: Audience is the required value of the "aud" JWT claim.
minLength: 1 minLength: 1
type: string type: string
groups_claim:
description: GroupsClaim is the name of the claim which should be
read to extract the user's group membership from the JWT token.
When not specified, it will default to "groups".
type: string
issuer: issuer:
description: Issuer is the OIDC issuer URL that will be used to discover description: Issuer is the OIDC issuer URL that will be used to discover
public signing keys. Issuer is also used to validate the "iss" JWT public signing keys. Issuer is also used to validate the "iss" JWT
@ -66,6 +71,11 @@ spec:
If omitted, a default set of system roots will be trusted. If omitted, a default set of system roots will be trusted.
type: string type: string
type: object type: object
username_claim:
description: UsernameClaim is the name of the claim which should be
read to extract the username from the JWT token. When not specified,
it will default to "username".
type: string
required: required:
- audience - audience
- issuer - issuer

2
generated/1.17/README.adoc generated
View File

@ -92,6 +92,8 @@ Spec for configuring a JWT authenticator.
| Field | Description | Field | Description
| *`issuer`* __string__ | Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT claim. | *`issuer`* __string__ | Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT claim.
| *`audience`* __string__ | Audience is the required value of the "aud" JWT claim. | *`audience`* __string__ | Audience is the required value of the "aud" JWT claim.
| *`username_claim`* __string__ | UsernameClaim is the name of the claim which should be read to extract the username from the JWT token. When not specified, it will default to "username".
| *`groups_claim`* __string__ | GroupsClaim is the name of the claim which should be read to extract the user's group membership from the JWT token. When not specified, it will default to "groups".
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for communicating with the OIDC provider. | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for communicating with the OIDC provider.
|=== |===

10
generated/1.17/apis/concierge/authentication/v1alpha1/types_jwt.go generated
View File

@ -27,6 +27,16 @@ type JWTAuthenticatorSpec struct {
// +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MinLength=1
Audience string `json:"audience"` Audience string `json:"audience"`
// UsernameClaim is the name of the claim which should be read to extract the
// username from the JWT token. When not specified, it will default to "username".
// +optional
UsernameClaim string `json:"username_claim"`
// GroupsClaim is the name of the claim which should be read to extract the user's
// group membership from the JWT token. When not specified, it will default to "groups".
// +optional
GroupsClaim string `json:"groups_claim"`
// TLS configuration for communicating with the OIDC provider. // TLS configuration for communicating with the OIDC provider.
// +optional // +optional
TLS *TLSSpec `json:"tls,omitempty"` TLS *TLSSpec `json:"tls,omitempty"`

10
generated/1.17/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml generated
View File

@ -51,6 +51,11 @@ spec:
description: Audience is the required value of the "aud" JWT claim. description: Audience is the required value of the "aud" JWT claim.
minLength: 1 minLength: 1
type: string type: string
groups_claim:
description: GroupsClaim is the name of the claim which should be
read to extract the user's group membership from the JWT token.
When not specified, it will default to "groups".
type: string
issuer: issuer:
description: Issuer is the OIDC issuer URL that will be used to discover description: Issuer is the OIDC issuer URL that will be used to discover
public signing keys. Issuer is also used to validate the "iss" JWT public signing keys. Issuer is also used to validate the "iss" JWT
@ -66,6 +71,11 @@ spec:
If omitted, a default set of system roots will be trusted. If omitted, a default set of system roots will be trusted.
type: string type: string
type: object type: object
username_claim:
description: UsernameClaim is the name of the claim which should be
read to extract the username from the JWT token. When not specified,
it will default to "username".
type: string
required: required:
- audience - audience
- issuer - issuer

2
generated/1.18/README.adoc generated
View File

@ -92,6 +92,8 @@ Spec for configuring a JWT authenticator.
| Field | Description | Field | Description
| *`issuer`* __string__ | Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT claim. | *`issuer`* __string__ | Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT claim.
| *`audience`* __string__ | Audience is the required value of the "aud" JWT claim. | *`audience`* __string__ | Audience is the required value of the "aud" JWT claim.
| *`username_claim`* __string__ | UsernameClaim is the name of the claim which should be read to extract the username from the JWT token. When not specified, it will default to "username".
| *`groups_claim`* __string__ | GroupsClaim is the name of the claim which should be read to extract the user's group membership from the JWT token. When not specified, it will default to "groups".
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for communicating with the OIDC provider. | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for communicating with the OIDC provider.
|=== |===

10
generated/1.18/apis/concierge/authentication/v1alpha1/types_jwt.go generated
View File

@ -27,6 +27,16 @@ type JWTAuthenticatorSpec struct {
// +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MinLength=1
Audience string `json:"audience"` Audience string `json:"audience"`
// UsernameClaim is the name of the claim which should be read to extract the
// username from the JWT token. When not specified, it will default to "username".
// +optional
UsernameClaim string `json:"username_claim"`
// GroupsClaim is the name of the claim which should be read to extract the user's
// group membership from the JWT token. When not specified, it will default to "groups".
// +optional
GroupsClaim string `json:"groups_claim"`
// TLS configuration for communicating with the OIDC provider. // TLS configuration for communicating with the OIDC provider.
// +optional // +optional
TLS *TLSSpec `json:"tls,omitempty"` TLS *TLSSpec `json:"tls,omitempty"`

10
generated/1.18/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml generated
View File

@ -51,6 +51,11 @@ spec:
description: Audience is the required value of the "aud" JWT claim. description: Audience is the required value of the "aud" JWT claim.
minLength: 1 minLength: 1
type: string type: string
groups_claim:
description: GroupsClaim is the name of the claim which should be
read to extract the user's group membership from the JWT token.
When not specified, it will default to "groups".
type: string
issuer: issuer:
description: Issuer is the OIDC issuer URL that will be used to discover description: Issuer is the OIDC issuer URL that will be used to discover
public signing keys. Issuer is also used to validate the "iss" JWT public signing keys. Issuer is also used to validate the "iss" JWT
@ -66,6 +71,11 @@ spec:
If omitted, a default set of system roots will be trusted. If omitted, a default set of system roots will be trusted.
type: string type: string
type: object type: object
username_claim:
description: UsernameClaim is the name of the claim which should be
read to extract the username from the JWT token. When not specified,
it will default to "username".
type: string
required: required:
- audience - audience
- issuer - issuer

2
generated/1.19/README.adoc generated
View File

@ -92,6 +92,8 @@ Spec for configuring a JWT authenticator.
| Field | Description | Field | Description
| *`issuer`* __string__ | Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT claim. | *`issuer`* __string__ | Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT claim.
| *`audience`* __string__ | Audience is the required value of the "aud" JWT claim. | *`audience`* __string__ | Audience is the required value of the "aud" JWT claim.
| *`username_claim`* __string__ | UsernameClaim is the name of the claim which should be read to extract the username from the JWT token. When not specified, it will default to "username".
| *`groups_claim`* __string__ | GroupsClaim is the name of the claim which should be read to extract the user's group membership from the JWT token. When not specified, it will default to "groups".
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for communicating with the OIDC provider. | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for communicating with the OIDC provider.
|=== |===

10
generated/1.19/apis/concierge/authentication/v1alpha1/types_jwt.go generated
View File

@ -27,6 +27,16 @@ type JWTAuthenticatorSpec struct {
// +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MinLength=1
Audience string `json:"audience"` Audience string `json:"audience"`
// UsernameClaim is the name of the claim which should be read to extract the
// username from the JWT token. When not specified, it will default to "username".
// +optional
UsernameClaim string `json:"username_claim"`
// GroupsClaim is the name of the claim which should be read to extract the user's
// group membership from the JWT token. When not specified, it will default to "groups".
// +optional
GroupsClaim string `json:"groups_claim"`
// TLS configuration for communicating with the OIDC provider. // TLS configuration for communicating with the OIDC provider.
// +optional // +optional
TLS *TLSSpec `json:"tls,omitempty"` TLS *TLSSpec `json:"tls,omitempty"`

10
generated/1.19/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml generated
View File

@ -51,6 +51,11 @@ spec:
description: Audience is the required value of the "aud" JWT claim. description: Audience is the required value of the "aud" JWT claim.
minLength: 1 minLength: 1
type: string type: string
groups_claim:
description: GroupsClaim is the name of the claim which should be
read to extract the user's group membership from the JWT token.
When not specified, it will default to "groups".
type: string
issuer: issuer:
description: Issuer is the OIDC issuer URL that will be used to discover description: Issuer is the OIDC issuer URL that will be used to discover
public signing keys. Issuer is also used to validate the "iss" JWT public signing keys. Issuer is also used to validate the "iss" JWT
@ -66,6 +71,11 @@ spec:
If omitted, a default set of system roots will be trusted. If omitted, a default set of system roots will be trusted.
type: string type: string
type: object type: object
username_claim:
description: UsernameClaim is the name of the claim which should be
read to extract the username from the JWT token. When not specified,
it will default to "username".
type: string
required: required:
- audience - audience
- issuer - issuer