djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add UsernameClaim and GroupsClaim to JWTAuthenticator CRD spec

Browse Source 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
This commit is contained in:
Ryan Richard 2020-12-15 10:36:19 -08:00 committed by Margo Crawford
parent 43bb7117b7
commit 0e60c93cef
11 changed files with 86 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
apis/concierge/authentication/v1alpha1/types_jwt.go.tmpl
View File

@ -27,6 +27,16 @@ type JWTAuthenticatorSpec struct {
// +kubebuilder:validation:MinLength=1
Audience string `json:"audience"`
// UsernameClaim is the name of the claim which should be read to extract the
// username from the JWT token. When not specified, it will default to "username".
// +optional
UsernameClaim string `json:"username_claim"`
// GroupsClaim is the name of the claim which should be read to extract the user's
// group membership from the JWT token. When not specified, it will default to "groups".
// +optional
GroupsClaim string `json:"groups_claim"`
// TLS configuration for communicating with the OIDC provider.
// +optional
TLS *TLSSpec `json:"tls,omitempty"`

10
deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
View File

@ -51,6 +51,11 @@ spec:
description: Audience is the required value of the "aud" JWT claim.
minLength: 1
type: string
groups_claim:
description: GroupsClaim is the name of the claim which should be
read to extract the user's group membership from the JWT token.
When not specified, it will default to "groups".
type: string
issuer:
description: Issuer is the OIDC issuer URL that will be used to discover
public signing keys. Issuer is also used to validate the "iss" JWT
@ -66,6 +71,11 @@ spec:
If omitted, a default set of system roots will be trusted.
type: string
type: object
username_claim:
description: UsernameClaim is the name of the claim which should be
read to extract the username from the JWT token. When not specified,
it will default to "username".
type: string
required:
- audience
- issuer

2
generated/1.17/README.adoc generated
View File

@ -92,6 +92,8 @@ Spec for configuring a JWT authenticator.
| Field | Description
| *`issuer`* __string__ | Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT claim.
| *`audience`* __string__ | Audience is the required value of the "aud" JWT claim.
| *`username_claim`* __string__ | UsernameClaim is the name of the claim which should be read to extract the username from the JWT token. When not specified, it will default to "username".
| *`groups_claim`* __string__ | GroupsClaim is the name of the claim which should be read to extract the user's group membership from the JWT token. When not specified, it will default to "groups".
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for communicating with the OIDC provider.
|===

10
generated/1.17/apis/concierge/authentication/v1alpha1/types_jwt.go generated
View File

@ -27,6 +27,16 @@ type JWTAuthenticatorSpec struct {
// +kubebuilder:validation:MinLength=1
Audience string `json:"audience"`
// UsernameClaim is the name of the claim which should be read to extract the
// username from the JWT token. When not specified, it will default to "username".
// +optional
UsernameClaim string `json:"username_claim"`
// GroupsClaim is the name of the claim which should be read to extract the user's
// group membership from the JWT token. When not specified, it will default to "groups".
// +optional
GroupsClaim string `json:"groups_claim"`
// TLS configuration for communicating with the OIDC provider.
// +optional
TLS *TLSSpec `json:"tls,omitempty"`

10
generated/1.17/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml generated
View File

@ -51,6 +51,11 @@ spec:
description: Audience is the required value of the "aud" JWT claim.
minLength: 1
type: string
groups_claim:
description: GroupsClaim is the name of the claim which should be
read to extract the user's group membership from the JWT token.
When not specified, it will default to "groups".
type: string
issuer:
description: Issuer is the OIDC issuer URL that will be used to discover
public signing keys. Issuer is also used to validate the "iss" JWT
@ -66,6 +71,11 @@ spec:
If omitted, a default set of system roots will be trusted.
type: string
type: object
username_claim:
description: UsernameClaim is the name of the claim which should be
read to extract the username from the JWT token. When not specified,
it will default to "username".
type: string
required:
- audience
- issuer

2
generated/1.18/README.adoc generated
View File

@ -92,6 +92,8 @@ Spec for configuring a JWT authenticator.
| Field | Description
| *`issuer`* __string__ | Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT claim.
| *`audience`* __string__ | Audience is the required value of the "aud" JWT claim.
| *`username_claim`* __string__ | UsernameClaim is the name of the claim which should be read to extract the username from the JWT token. When not specified, it will default to "username".
| *`groups_claim`* __string__ | GroupsClaim is the name of the claim which should be read to extract the user's group membership from the JWT token. When not specified, it will default to "groups".
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for communicating with the OIDC provider.
|===

10
generated/1.18/apis/concierge/authentication/v1alpha1/types_jwt.go generated
View File

@ -27,6 +27,16 @@ type JWTAuthenticatorSpec struct {
// +kubebuilder:validation:MinLength=1
Audience string `json:"audience"`
// UsernameClaim is the name of the claim which should be read to extract the
// username from the JWT token. When not specified, it will default to "username".
// +optional
UsernameClaim string `json:"username_claim"`
// GroupsClaim is the name of the claim which should be read to extract the user's
// group membership from the JWT token. When not specified, it will default to "groups".
// +optional
GroupsClaim string `json:"groups_claim"`
// TLS configuration for communicating with the OIDC provider.
// +optional
TLS *TLSSpec `json:"tls,omitempty"`

10
generated/1.18/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml generated
View File

@ -51,6 +51,11 @@ spec:
description: Audience is the required value of the "aud" JWT claim.
minLength: 1
type: string
groups_claim:
description: GroupsClaim is the name of the claim which should be
read to extract the user's group membership from the JWT token.
When not specified, it will default to "groups".
type: string
issuer:
description: Issuer is the OIDC issuer URL that will be used to discover
public signing keys. Issuer is also used to validate the "iss" JWT
@ -66,6 +71,11 @@ spec:
If omitted, a default set of system roots will be trusted.
type: string
type: object
username_claim:
description: UsernameClaim is the name of the claim which should be
read to extract the username from the JWT token. When not specified,
it will default to "username".
type: string
required:
- audience
- issuer

2
generated/1.19/README.adoc generated
View File

@ -92,6 +92,8 @@ Spec for configuring a JWT authenticator.
| Field | Description
| *`issuer`* __string__ | Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT claim.
| *`audience`* __string__ | Audience is the required value of the "aud" JWT claim.
| *`username_claim`* __string__ | UsernameClaim is the name of the claim which should be read to extract the username from the JWT token. When not specified, it will default to "username".
| *`groups_claim`* __string__ | GroupsClaim is the name of the claim which should be read to extract the user's group membership from the JWT token. When not specified, it will default to "groups".
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for communicating with the OIDC provider.
|===

10
generated/1.19/apis/concierge/authentication/v1alpha1/types_jwt.go generated
View File

@ -27,6 +27,16 @@ type JWTAuthenticatorSpec struct {
// +kubebuilder:validation:MinLength=1
Audience string `json:"audience"`
// UsernameClaim is the name of the claim which should be read to extract the
// username from the JWT token. When not specified, it will default to "username".
// +optional
UsernameClaim string `json:"username_claim"`
// GroupsClaim is the name of the claim which should be read to extract the user's
// group membership from the JWT token. When not specified, it will default to "groups".
// +optional
GroupsClaim string `json:"groups_claim"`
// TLS configuration for communicating with the OIDC provider.
// +optional
TLS *TLSSpec `json:"tls,omitempty"`

10
generated/1.19/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml generated
View File

@ -51,6 +51,11 @@ spec:
description: Audience is the required value of the "aud" JWT claim.
minLength: 1
type: string
groups_claim:
description: GroupsClaim is the name of the claim which should be
read to extract the user's group membership from the JWT token.
When not specified, it will default to "groups".
type: string
issuer:
description: Issuer is the OIDC issuer URL that will be used to discover
public signing keys. Issuer is also used to validate the "iss" JWT
@ -66,6 +71,11 @@ spec:
If omitted, a default set of system roots will be trusted.
type: string
type: object
username_claim:
description: UsernameClaim is the name of the claim which should be
read to extract the username from the JWT token. When not specified,
it will default to "username".
type: string
required:
- audience
- issuer