Nest claim configs one level deeper in JWTAuthenticatorSpec
Signed-off-by: Margo Crawford <margaretc@vmware.com>
parent
40c6a67631
commit
dcb19150fc
@ -27,21 +27,30 @@ type JWTAuthenticatorSpec struct {
|
|||||||
// +kubebuilder:validation:MinLength=1
|
// +kubebuilder:validation:MinLength=1
|
||||||
Audience string `json:"audience"`
|
Audience string `json:"audience"`
|
||||||
|
|
||||||
// UsernameClaim is the name of the claim which should be read to extract the
|
// Claims allows customization of the claims that will be mapped to user identity
|
||||||
// username from the JWT token. When not specified, it will default to "username".
|
// for Kubernetes access.
|
||||||
// +optional
|
// +optional
|
||||||
UsernameClaim string `json:"username_claim"`
|
Claims JWTTokenClaims `json:"claims"`
|
||||||
|
|
||||||
// GroupsClaim is the name of the claim which should be read to extract the user's
|
|
||||||
// group membership from the JWT token. When not specified, it will default to "groups".
|
|
||||||
// +optional
|
|
||||||
GroupsClaim string `json:"groups_claim"`
|
|
||||||
|
|
||||||
// TLS configuration for communicating with the OIDC provider.
|
// TLS configuration for communicating with the OIDC provider.
|
||||||
// +optional
|
// +optional
|
||||||
TLS *TLSSpec `json:"tls,omitempty"`
|
TLS *TLSSpec `json:"tls,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// JWTTokenClaims allows customization of the claims that will be mapped to user identity
|
||||||
|
// for Kubernetes access.
|
||||||
|
type JWTTokenClaims struct {
|
||||||
|
// Groups is the name of the claim which should be read to extract the user's
|
||||||
|
// group membership from the JWT token. When not specified, it will default to "groups".
|
||||||
|
// +optional
|
||||||
|
Groups string `json:"groups"`
|
||||||
|
|
||||||
|
// Username is the name of the claim which should be read to extract the
|
||||||
|
// username from the JWT token. When not specified, it will default to "username".
|
||||||
|
// +optional
|
||||||
|
Username string `json:"username"`
|
||||||
|
}
|
||||||
|
|
||||||
// JWTAuthenticator describes the configuration of a JWT authenticator.
|
// JWTAuthenticator describes the configuration of a JWT authenticator.
|
||||||
//
|
//
|
||||||
// Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid
|
// Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid
|
||||||
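Review bot: Renaming the top-level `username_claim`/`groups_claim` fields to the nested `claims.username`/`claims.groups` in JWTAuthenticatorSpec is a breaking schema change with no conversion or deprecation path: an existing JWTAuthenticator object that still sets the old keys will presumably have them pruned by the structural CRD schema and will silently fall back to the `username`/`groups` defaults, which can change which groups a token maps to at authorization time. Since the API is v1alpha1 a hard rename may be intended, but it deserves a line in the commit message or a release note, and the field comment could state it: `// Claims replaces the former top-level username_claim and groups_claim fields; objects still using those keys are treated as unset.` A second nit: `Claims` is a struct value tagged `json:"claims"` with no `omitempty`, so the serialized spec will always carry `"claims": {}` even though the +optional marker suggests it can be absent, and `omitempty` has no effect on a struct value, so either accept the always-present object or make it a pointer like TLS. The same hunk recurs in the generated/1.17, 1.18 and 1.19 copies of this file and in the CRD YAML and README.adoc, which appear to be regenerated from this source.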
|
@ -51,11 +51,21 @@ spec:
|
|||||||
description: Audience is the required value of the "aud" JWT claim.
|
description: Audience is the required value of the "aud" JWT claim.
|
||||||
minLength: 1
|
minLength: 1
|
||||||
type: string
|
type: string
|
||||||
groups_claim:
|
claims:
|
||||||
description: GroupsClaim is the name of the claim which should be
|
description: Claims allows customization of the claims that will be
|
||||||
read to extract the user's group membership from the JWT token.
|
mapped to user identity for Kubernetes access.
|
||||||
When not specified, it will default to "groups".
|
properties:
|
||||||
|
groups:
|
||||||
|
description: Groups is the name of the claim which should be read
|
||||||
|
to extract the user's group membership from the JWT token. When
|
||||||
|
not specified, it will default to "groups".
|
||||||
type: string
|
type: string
|
||||||
|
username:
|
||||||
|
description: Username is the name of the claim which should be
|
||||||
|
read to extract the username from the JWT token. When not specified,
|
||||||
|
it will default to "username".
|
||||||
|
type: string
|
||||||
|
type: object
|
||||||
issuer:
|
issuer:
|
||||||
description: Issuer is the OIDC issuer URL that will be used to discover
|
description: Issuer is the OIDC issuer URL that will be used to discover
|
||||||
public signing keys. Issuer is also used to validate the "iss" JWT
|
public signing keys. Issuer is also used to validate the "iss" JWT
|
||||||
@ -71,11 +81,6 @@ spec:
|
|||||||
If omitted, a default set of system roots will be trusted.
|
If omitted, a default set of system roots will be trusted.
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
username_claim:
|
|
||||||
description: UsernameClaim is the name of the claim which should be
|
|
||||||
read to extract the username from the JWT token. When not specified,
|
|
||||||
it will default to "username".
|
|
||||||
type: string
|
|
||||||
required:
|
required:
|
||||||
- audience
|
- audience
|
||||||
- issuer
|
- issuer
|
||||||
|
21
generated/1.17/README.adoc
generated
21
generated/1.17/README.adoc
generated
@ -92,8 +92,7 @@ Spec for configuring a JWT authenticator.
|
|||||||
| Field | Description
|
| Field | Description
|
||||||
| *`issuer`* __string__ | Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT claim.
|
| *`issuer`* __string__ | Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT claim.
|
||||||
| *`audience`* __string__ | Audience is the required value of the "aud" JWT claim.
|
| *`audience`* __string__ | Audience is the required value of the "aud" JWT claim.
|
||||||
| *`username_claim`* __string__ | UsernameClaim is the name of the claim which should be read to extract the username from the JWT token. When not specified, it will default to "username".
|
| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-jwttokenclaims[$$JWTTokenClaims$$]__ | Claims allows customization of the claims that will be mapped to user identity for Kubernetes access.
|
||||||
| *`groups_claim`* __string__ | GroupsClaim is the name of the claim which should be read to extract the user's group membership from the JWT token. When not specified, it will default to "groups".
|
|
||||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for communicating with the OIDC provider.
|
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for communicating with the OIDC provider.
|
||||||
|===
|
|===
|
||||||
|
|
||||||
@ -115,6 +114,24 @@ Status of a JWT authenticator.
|
|||||||
|===
|
|===
|
||||||
|
|
||||||
|
|
||||||
|
[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-jwttokenclaims"]
|
||||||
|
==== JWTTokenClaims
|
||||||
|
|
||||||
|
JWTTokenClaims allows customization of the claims that will be mapped to user identity for Kubernetes access.
|
||||||
|
|
||||||
|
.Appears In:
|
||||||
|
****
|
||||||
|
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-jwtauthenticatorspec[$$JWTAuthenticatorSpec$$]
|
||||||
|
****
|
||||||
|
|
||||||
|
[cols="25a,75a", options="header"]
|
||||||
|
|===
|
||||||
|
| Field | Description
|
||||||
|
| *`groups`* __string__ | Groups is the name of the claim which should be read to extract the user's group membership from the JWT token. When not specified, it will default to "groups".
|
||||||
|
| *`username`* __string__ | Username is the name of the claim which should be read to extract the username from the JWT token. When not specified, it will default to "username".
|
||||||
|
|===
|
||||||
|
|
||||||
|
|
||||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-tlsspec"]
|
[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-tlsspec"]
|
||||||
==== TLSSpec
|
==== TLSSpec
|
||||||
|
|
||||||
|
@ -27,21 +27,30 @@ type JWTAuthenticatorSpec struct {
|
|||||||
// +kubebuilder:validation:MinLength=1
|
// +kubebuilder:validation:MinLength=1
|
||||||
Audience string `json:"audience"`
|
Audience string `json:"audience"`
|
||||||
|
|
||||||
// UsernameClaim is the name of the claim which should be read to extract the
|
// Claims allows customization of the claims that will be mapped to user identity
|
||||||
// username from the JWT token. When not specified, it will default to "username".
|
// for Kubernetes access.
|
||||||
// +optional
|
// +optional
|
||||||
UsernameClaim string `json:"username_claim"`
|
Claims JWTTokenClaims `json:"claims"`
|
||||||
|
|
||||||
// GroupsClaim is the name of the claim which should be read to extract the user's
|
|
||||||
// group membership from the JWT token. When not specified, it will default to "groups".
|
|
||||||
// +optional
|
|
||||||
GroupsClaim string `json:"groups_claim"`
|
|
||||||
|
|
||||||
// TLS configuration for communicating with the OIDC provider.
|
// TLS configuration for communicating with the OIDC provider.
|
||||||
// +optional
|
// +optional
|
||||||
TLS *TLSSpec `json:"tls,omitempty"`
|
TLS *TLSSpec `json:"tls,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// JWTTokenClaims allows customization of the claims that will be mapped to user identity
|
||||||
|
// for Kubernetes access.
|
||||||
|
type JWTTokenClaims struct {
|
||||||
|
// Groups is the name of the claim which should be read to extract the user's
|
||||||
|
// group membership from the JWT token. When not specified, it will default to "groups".
|
||||||
|
// +optional
|
||||||
|
Groups string `json:"groups"`
|
||||||
|
|
||||||
|
// Username is the name of the claim which should be read to extract the
|
||||||
|
// username from the JWT token. When not specified, it will default to "username".
|
||||||
|
// +optional
|
||||||
|
Username string `json:"username"`
|
||||||
|
}
|
||||||
|
|
||||||
// JWTAuthenticator describes the configuration of a JWT authenticator.
|
// JWTAuthenticator describes the configuration of a JWT authenticator.
|
||||||
//
|
//
|
||||||
// Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid
|
// Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid
|
||||||
|
@ -92,6 +92,7 @@ func (in *JWTAuthenticatorList) DeepCopyObject() runtime.Object {
|
|||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) {
|
func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
out.Claims = in.Claims
|
||||||
if in.TLS != nil {
|
if in.TLS != nil {
|
||||||
in, out := &in.TLS, &out.TLS
|
in, out := &in.TLS, &out.TLS
|
||||||
*out = new(TLSSpec)
|
*out = new(TLSSpec)
|
||||||
@ -133,6 +134,22 @@ func (in *JWTAuthenticatorStatus) DeepCopy() *JWTAuthenticatorStatus {
|
|||||||
return out
|
return out
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *JWTTokenClaims) DeepCopyInto(out *JWTTokenClaims) {
|
||||||
|
*out = *in
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTTokenClaims.
|
||||||
|
func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(JWTTokenClaims)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
|
func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
@ -51,11 +51,21 @@ spec:
|
|||||||
description: Audience is the required value of the "aud" JWT claim.
|
description: Audience is the required value of the "aud" JWT claim.
|
||||||
minLength: 1
|
minLength: 1
|
||||||
type: string
|
type: string
|
||||||
groups_claim:
|
claims:
|
||||||
description: GroupsClaim is the name of the claim which should be
|
description: Claims allows customization of the claims that will be
|
||||||
read to extract the user's group membership from the JWT token.
|
mapped to user identity for Kubernetes access.
|
||||||
When not specified, it will default to "groups".
|
properties:
|
||||||
|
groups:
|
||||||
|
description: Groups is the name of the claim which should be read
|
||||||
|
to extract the user's group membership from the JWT token. When
|
||||||
|
not specified, it will default to "groups".
|
||||||
type: string
|
type: string
|
||||||
|
username:
|
||||||
|
description: Username is the name of the claim which should be
|
||||||
|
read to extract the username from the JWT token. When not specified,
|
||||||
|
it will default to "username".
|
||||||
|
type: string
|
||||||
|
type: object
|
||||||
issuer:
|
issuer:
|
||||||
description: Issuer is the OIDC issuer URL that will be used to discover
|
description: Issuer is the OIDC issuer URL that will be used to discover
|
||||||
public signing keys. Issuer is also used to validate the "iss" JWT
|
public signing keys. Issuer is also used to validate the "iss" JWT
|
||||||
@ -71,11 +81,6 @@ spec:
|
|||||||
If omitted, a default set of system roots will be trusted.
|
If omitted, a default set of system roots will be trusted.
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
username_claim:
|
|
||||||
description: UsernameClaim is the name of the claim which should be
|
|
||||||
read to extract the username from the JWT token. When not specified,
|
|
||||||
it will default to "username".
|
|
||||||
type: string
|
|
||||||
required:
|
required:
|
||||||
- audience
|
- audience
|
||||||
- issuer
|
- issuer
|
||||||
|
21
generated/1.18/README.adoc
generated
21
generated/1.18/README.adoc
generated
@ -92,8 +92,7 @@ Spec for configuring a JWT authenticator.
|
|||||||
| Field | Description
|
| Field | Description
|
||||||
| *`issuer`* __string__ | Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT claim.
|
| *`issuer`* __string__ | Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT claim.
|
||||||
| *`audience`* __string__ | Audience is the required value of the "aud" JWT claim.
|
| *`audience`* __string__ | Audience is the required value of the "aud" JWT claim.
|
||||||
| *`username_claim`* __string__ | UsernameClaim is the name of the claim which should be read to extract the username from the JWT token. When not specified, it will default to "username".
|
| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-jwttokenclaims[$$JWTTokenClaims$$]__ | Claims allows customization of the claims that will be mapped to user identity for Kubernetes access.
|
||||||
| *`groups_claim`* __string__ | GroupsClaim is the name of the claim which should be read to extract the user's group membership from the JWT token. When not specified, it will default to "groups".
|
|
||||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for communicating with the OIDC provider.
|
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for communicating with the OIDC provider.
|
||||||
|===
|
|===
|
||||||
|
|
||||||
@ -115,6 +114,24 @@ Status of a JWT authenticator.
|
|||||||
|===
|
|===
|
||||||
|
|
||||||
|
|
||||||
|
[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-jwttokenclaims"]
|
||||||
|
==== JWTTokenClaims
|
||||||
|
|
||||||
|
JWTTokenClaims allows customization of the claims that will be mapped to user identity for Kubernetes access.
|
||||||
|
|
||||||
|
.Appears In:
|
||||||
|
****
|
||||||
|
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-jwtauthenticatorspec[$$JWTAuthenticatorSpec$$]
|
||||||
|
****
|
||||||
|
|
||||||
|
[cols="25a,75a", options="header"]
|
||||||
|
|===
|
||||||
|
| Field | Description
|
||||||
|
| *`groups`* __string__ | Groups is the name of the claim which should be read to extract the user's group membership from the JWT token. When not specified, it will default to "groups".
|
||||||
|
| *`username`* __string__ | Username is the name of the claim which should be read to extract the username from the JWT token. When not specified, it will default to "username".
|
||||||
|
|===
|
||||||
|
|
||||||
|
|
||||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-tlsspec"]
|
[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-tlsspec"]
|
||||||
==== TLSSpec
|
==== TLSSpec
|
||||||
|
|
||||||
|
@ -27,21 +27,30 @@ type JWTAuthenticatorSpec struct {
|
|||||||
// +kubebuilder:validation:MinLength=1
|
// +kubebuilder:validation:MinLength=1
|
||||||
Audience string `json:"audience"`
|
Audience string `json:"audience"`
|
||||||
|
|
||||||
// UsernameClaim is the name of the claim which should be read to extract the
|
// Claims allows customization of the claims that will be mapped to user identity
|
||||||
// username from the JWT token. When not specified, it will default to "username".
|
// for Kubernetes access.
|
||||||
// +optional
|
// +optional
|
||||||
UsernameClaim string `json:"username_claim"`
|
Claims JWTTokenClaims `json:"claims"`
|
||||||
|
|
||||||
// GroupsClaim is the name of the claim which should be read to extract the user's
|
|
||||||
// group membership from the JWT token. When not specified, it will default to "groups".
|
|
||||||
// +optional
|
|
||||||
GroupsClaim string `json:"groups_claim"`
|
|
||||||
|
|
||||||
// TLS configuration for communicating with the OIDC provider.
|
// TLS configuration for communicating with the OIDC provider.
|
||||||
// +optional
|
// +optional
|
||||||
TLS *TLSSpec `json:"tls,omitempty"`
|
TLS *TLSSpec `json:"tls,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// JWTTokenClaims allows customization of the claims that will be mapped to user identity
|
||||||
|
// for Kubernetes access.
|
||||||
|
type JWTTokenClaims struct {
|
||||||
|
// Groups is the name of the claim which should be read to extract the user's
|
||||||
|
// group membership from the JWT token. When not specified, it will default to "groups".
|
||||||
|
// +optional
|
||||||
|
Groups string `json:"groups"`
|
||||||
|
|
||||||
|
// Username is the name of the claim which should be read to extract the
|
||||||
|
// username from the JWT token. When not specified, it will default to "username".
|
||||||
|
// +optional
|
||||||
|
Username string `json:"username"`
|
||||||
|
}
|
||||||
|
|
||||||
// JWTAuthenticator describes the configuration of a JWT authenticator.
|
// JWTAuthenticator describes the configuration of a JWT authenticator.
|
||||||
//
|
//
|
||||||
// Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid
|
// Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid
|
||||||
|
@ -92,6 +92,7 @@ func (in *JWTAuthenticatorList) DeepCopyObject() runtime.Object {
|
|||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) {
|
func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
out.Claims = in.Claims
|
||||||
if in.TLS != nil {
|
if in.TLS != nil {
|
||||||
in, out := &in.TLS, &out.TLS
|
in, out := &in.TLS, &out.TLS
|
||||||
*out = new(TLSSpec)
|
*out = new(TLSSpec)
|
||||||
@ -133,6 +134,22 @@ func (in *JWTAuthenticatorStatus) DeepCopy() *JWTAuthenticatorStatus {
|
|||||||
return out
|
return out
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *JWTTokenClaims) DeepCopyInto(out *JWTTokenClaims) {
|
||||||
|
*out = *in
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTTokenClaims.
|
||||||
|
func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(JWTTokenClaims)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
|
func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
@ -51,11 +51,21 @@ spec:
|
|||||||
description: Audience is the required value of the "aud" JWT claim.
|
description: Audience is the required value of the "aud" JWT claim.
|
||||||
minLength: 1
|
minLength: 1
|
||||||
type: string
|
type: string
|
||||||
groups_claim:
|
claims:
|
||||||
description: GroupsClaim is the name of the claim which should be
|
description: Claims allows customization of the claims that will be
|
||||||
read to extract the user's group membership from the JWT token.
|
mapped to user identity for Kubernetes access.
|
||||||
When not specified, it will default to "groups".
|
properties:
|
||||||
|
groups:
|
||||||
|
description: Groups is the name of the claim which should be read
|
||||||
|
to extract the user's group membership from the JWT token. When
|
||||||
|
not specified, it will default to "groups".
|
||||||
type: string
|
type: string
|
||||||
|
username:
|
||||||
|
description: Username is the name of the claim which should be
|
||||||
|
read to extract the username from the JWT token. When not specified,
|
||||||
|
it will default to "username".
|
||||||
|
type: string
|
||||||
|
type: object
|
||||||
issuer:
|
issuer:
|
||||||
description: Issuer is the OIDC issuer URL that will be used to discover
|
description: Issuer is the OIDC issuer URL that will be used to discover
|
||||||
public signing keys. Issuer is also used to validate the "iss" JWT
|
public signing keys. Issuer is also used to validate the "iss" JWT
|
||||||
@ -71,11 +81,6 @@ spec:
|
|||||||
If omitted, a default set of system roots will be trusted.
|
If omitted, a default set of system roots will be trusted.
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
username_claim:
|
|
||||||
description: UsernameClaim is the name of the claim which should be
|
|
||||||
read to extract the username from the JWT token. When not specified,
|
|
||||||
it will default to "username".
|
|
||||||
type: string
|
|
||||||
required:
|
required:
|
||||||
- audience
|
- audience
|
||||||
- issuer
|
- issuer
|
||||||
|
21
generated/1.19/README.adoc
generated
21
generated/1.19/README.adoc
generated
@ -92,8 +92,7 @@ Spec for configuring a JWT authenticator.
|
|||||||
| Field | Description
|
| Field | Description
|
||||||
| *`issuer`* __string__ | Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT claim.
|
| *`issuer`* __string__ | Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT claim.
|
||||||
| *`audience`* __string__ | Audience is the required value of the "aud" JWT claim.
|
| *`audience`* __string__ | Audience is the required value of the "aud" JWT claim.
|
||||||
| *`username_claim`* __string__ | UsernameClaim is the name of the claim which should be read to extract the username from the JWT token. When not specified, it will default to "username".
|
| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-jwttokenclaims[$$JWTTokenClaims$$]__ | Claims allows customization of the claims that will be mapped to user identity for Kubernetes access.
|
||||||
| *`groups_claim`* __string__ | GroupsClaim is the name of the claim which should be read to extract the user's group membership from the JWT token. When not specified, it will default to "groups".
|
|
||||||
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for communicating with the OIDC provider.
|
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for communicating with the OIDC provider.
|
||||||
|===
|
|===
|
||||||
|
|
||||||
@ -115,6 +114,24 @@ Status of a JWT authenticator.
|
|||||||
|===
|
|===
|
||||||
|
|
||||||
|
|
||||||
|
[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-jwttokenclaims"]
|
||||||
|
==== JWTTokenClaims
|
||||||
|
|
||||||
|
JWTTokenClaims allows customization of the claims that will be mapped to user identity for Kubernetes access.
|
||||||
|
|
||||||
|
.Appears In:
|
||||||
|
****
|
||||||
|
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-jwtauthenticatorspec[$$JWTAuthenticatorSpec$$]
|
||||||
|
****
|
||||||
|
|
||||||
|
[cols="25a,75a", options="header"]
|
||||||
|
|===
|
||||||
|
| Field | Description
|
||||||
|
| *`groups`* __string__ | Groups is the name of the claim which should be read to extract the user's group membership from the JWT token. When not specified, it will default to "groups".
|
||||||
|
| *`username`* __string__ | Username is the name of the claim which should be read to extract the username from the JWT token. When not specified, it will default to "username".
|
||||||
|
|===
|
||||||
|
|
||||||
|
|
||||||
[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-tlsspec"]
|
[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-tlsspec"]
|
||||||
==== TLSSpec
|
==== TLSSpec
|
||||||
|
|
||||||
|
@ -27,21 +27,30 @@ type JWTAuthenticatorSpec struct {
|
|||||||
// +kubebuilder:validation:MinLength=1
|
// +kubebuilder:validation:MinLength=1
|
||||||
Audience string `json:"audience"`
|
Audience string `json:"audience"`
|
||||||
|
|
||||||
// UsernameClaim is the name of the claim which should be read to extract the
|
// Claims allows customization of the claims that will be mapped to user identity
|
||||||
// username from the JWT token. When not specified, it will default to "username".
|
// for Kubernetes access.
|
||||||
// +optional
|
// +optional
|
||||||
UsernameClaim string `json:"username_claim"`
|
Claims JWTTokenClaims `json:"claims"`
|
||||||
|
|
||||||
// GroupsClaim is the name of the claim which should be read to extract the user's
|
|
||||||
// group membership from the JWT token. When not specified, it will default to "groups".
|
|
||||||
// +optional
|
|
||||||
GroupsClaim string `json:"groups_claim"`
|
|
||||||
|
|
||||||
// TLS configuration for communicating with the OIDC provider.
|
// TLS configuration for communicating with the OIDC provider.
|
||||||
// +optional
|
// +optional
|
||||||
TLS *TLSSpec `json:"tls,omitempty"`
|
TLS *TLSSpec `json:"tls,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// JWTTokenClaims allows customization of the claims that will be mapped to user identity
|
||||||
|
// for Kubernetes access.
|
||||||
|
type JWTTokenClaims struct {
|
||||||
|
// Groups is the name of the claim which should be read to extract the user's
|
||||||
|
// group membership from the JWT token. When not specified, it will default to "groups".
|
||||||
|
// +optional
|
||||||
|
Groups string `json:"groups"`
|
||||||
|
|
||||||
|
// Username is the name of the claim which should be read to extract the
|
||||||
|
// username from the JWT token. When not specified, it will default to "username".
|
||||||
|
// +optional
|
||||||
|
Username string `json:"username"`
|
||||||
|
}
|
||||||
|
|
||||||
// JWTAuthenticator describes the configuration of a JWT authenticator.
|
// JWTAuthenticator describes the configuration of a JWT authenticator.
|
||||||
//
|
//
|
||||||
// Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid
|
// Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid
|
||||||
|
@ -92,6 +92,7 @@ func (in *JWTAuthenticatorList) DeepCopyObject() runtime.Object {
|
|||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) {
|
func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
out.Claims = in.Claims
|
||||||
if in.TLS != nil {
|
if in.TLS != nil {
|
||||||
in, out := &in.TLS, &out.TLS
|
in, out := &in.TLS, &out.TLS
|
||||||
*out = new(TLSSpec)
|
*out = new(TLSSpec)
|
||||||
@ -133,6 +134,22 @@ func (in *JWTAuthenticatorStatus) DeepCopy() *JWTAuthenticatorStatus {
|
|||||||
return out
|
return out
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *JWTTokenClaims) DeepCopyInto(out *JWTTokenClaims) {
|
||||||
|
*out = *in
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTTokenClaims.
|
||||||
|
func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(JWTTokenClaims)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
|
func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
@ -51,11 +51,21 @@ spec:
|
|||||||
description: Audience is the required value of the "aud" JWT claim.
|
description: Audience is the required value of the "aud" JWT claim.
|
||||||
minLength: 1
|
minLength: 1
|
||||||
type: string
|
type: string
|
||||||
groups_claim:
|
claims:
|
||||||
description: GroupsClaim is the name of the claim which should be
|
description: Claims allows customization of the claims that will be
|
||||||
read to extract the user's group membership from the JWT token.
|
mapped to user identity for Kubernetes access.
|
||||||
When not specified, it will default to "groups".
|
properties:
|
||||||
|
groups:
|
||||||
|
description: Groups is the name of the claim which should be read
|
||||||
|
to extract the user's group membership from the JWT token. When
|
||||||
|
not specified, it will default to "groups".
|
||||||
type: string
|
type: string
|
||||||
|
username:
|
||||||
|
description: Username is the name of the claim which should be
|
||||||
|
read to extract the username from the JWT token. When not specified,
|
||||||
|
it will default to "username".
|
||||||
|
type: string
|
||||||
|
type: object
|
||||||
issuer:
|
issuer:
|
||||||
description: Issuer is the OIDC issuer URL that will be used to discover
|
description: Issuer is the OIDC issuer URL that will be used to discover
|
||||||
public signing keys. Issuer is also used to validate the "iss" JWT
|
public signing keys. Issuer is also used to validate the "iss" JWT
|
||||||
@ -71,11 +81,6 @@ spec:
|
|||||||
If omitted, a default set of system roots will be trusted.
|
If omitted, a default set of system roots will be trusted.
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
username_claim:
|
|
||||||
description: UsernameClaim is the name of the claim which should be
|
|
||||||
read to extract the username from the JWT token. When not specified,
|
|
||||||
it will default to "username".
|
|
||||||
type: string
|
|
||||||
required:
|
required:
|
||||||
- audience
|
- audience
|
||||||
- issuer
|
- issuer
|
||||||
|
@ -169,11 +169,11 @@ func newJWTAuthenticator(spec *auth1alpha1.JWTAuthenticatorSpec) (*jwtAuthentica
|
|||||||
|
|
||||||
caFile = temp.Name()
|
caFile = temp.Name()
|
||||||
}
|
}
|
||||||
usernameClaim := spec.UsernameClaim
|
usernameClaim := spec.Claims.Username
|
||||||
if usernameClaim == "" {
|
if usernameClaim == "" {
|
||||||
usernameClaim = defaultUsernameClaim
|
usernameClaim = defaultUsernameClaim
|
||||||
}
|
}
|
||||||
groupsClaim := spec.GroupsClaim
|
groupsClaim := spec.Claims.Groups
|
||||||
if groupsClaim == "" {
|
if groupsClaim == "" {
|
||||||
groupsClaim = defaultGroupsClaim
|
groupsClaim = defaultGroupsClaim
|
||||||
}
|
}
|
||||||
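Review bot: The new `spec.Claims.Username` / `spec.Claims.Groups` reads keep the empty-string-means-default behaviour, but nothing in this block records that the fallback constants are the same defaults the CRD description promises ("username"/"groups"), so the two can drift silently on a later change. A short comment above the first fallback, `// Empty claim names mean "use the default"; keep defaultUsernameClaim/defaultGroupsClaim in sync with the JWTTokenClaims API docs.`, would pin that. The two fallback blocks are also identical in shape, so a tiny `claimOrDefault(claim, fallback string) string` helper would remove the duplication, though that is a style preference. newJWTAuthenticator starts and ends outside the hunk.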
|
@ -93,13 +93,17 @@ func TestController(t *testing.T) {
|
|||||||
Issuer: goodIssuer,
|
Issuer: goodIssuer,
|
||||||
Audience: goodAudience,
|
Audience: goodAudience,
|
||||||
TLS: tlsSpecFromTLSConfig(server.TLS),
|
TLS: tlsSpecFromTLSConfig(server.TLS),
|
||||||
UsernameClaim: "my-custom-username-claim",
|
Claims: auth1alpha1.JWTTokenClaims{
|
||||||
|
Username: "my-custom-username-claim",
|
||||||
|
},
|
||||||
}
|
}
|
||||||
someJWTAuthenticatorSpecWithGroupsClaim := &auth1alpha1.JWTAuthenticatorSpec{
|
someJWTAuthenticatorSpecWithGroupsClaim := &auth1alpha1.JWTAuthenticatorSpec{
|
||||||
Issuer: goodIssuer,
|
Issuer: goodIssuer,
|
||||||
Audience: goodAudience,
|
Audience: goodAudience,
|
||||||
TLS: tlsSpecFromTLSConfig(server.TLS),
|
TLS: tlsSpecFromTLSConfig(server.TLS),
|
||||||
GroupsClaim: "my-custom-groups-claim",
|
Claims: auth1alpha1.JWTTokenClaims{
|
||||||
|
Groups: "my-custom-groups-claim",
|
||||||
|
},
|
||||||
}
|
}
|
||||||
otherJWTAuthenticatorSpec := &auth1alpha1.JWTAuthenticatorSpec{
|
otherJWTAuthenticatorSpec := &auth1alpha1.JWTAuthenticatorSpec{
|
||||||
Issuer: "https://some-other-issuer.com",
|
Issuer: "https://some-other-issuer.com",
|
||||||
@ -170,7 +174,7 @@ func TestController(t *testing.T) {
|
|||||||
`jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name","namespace":"test-namespace"}`,
|
`jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name","namespace":"test-namespace"}`,
|
||||||
},
|
},
|
||||||
wantCacheEntries: 1,
|
wantCacheEntries: 1,
|
||||||
wantUsernameClaim: someJWTAuthenticatorSpecWithUsernameClaim.UsernameClaim,
|
wantUsernameClaim: someJWTAuthenticatorSpecWithUsernameClaim.Claims.Username,
|
||||||
runTestsOnResultingAuthenticator: true,
|
runTestsOnResultingAuthenticator: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -189,7 +193,7 @@ func TestController(t *testing.T) {
|
|||||||
`jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name","namespace":"test-namespace"}`,
|
`jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"="` + goodIssuer + `" "jwtAuthenticator"={"name":"test-name","namespace":"test-namespace"}`,
|
||||||
},
|
},
|
||||||
wantCacheEntries: 1,
|
wantCacheEntries: 1,
|
||||||
wantGroupsClaim: someJWTAuthenticatorSpecWithGroupsClaim.GroupsClaim,
|
wantGroupsClaim: someJWTAuthenticatorSpecWithGroupsClaim.Claims.Groups,
|
||||||
runTestsOnResultingAuthenticator: true,
|
runTestsOnResultingAuthenticator: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -182,7 +182,7 @@ func CreateTestJWTAuthenticatorForCLIUpstream(ctx context.Context, t *testing.T)
|
|||||||
Audience: testEnv.CLITestUpstream.ClientID,
|
Audience: testEnv.CLITestUpstream.ClientID,
|
||||||
// The default UsernameClaim is "username" but the upstreams that we use for
|
// The default UsernameClaim is "username" but the upstreams that we use for
|
||||||
// integration tests won't necessarily have that claim, so use "sub" here.
|
// integration tests won't necessarily have that claim, so use "sub" here.
|
||||||
UsernameClaim: "sub",
|
Claims: auth1alpha1.JWTTokenClaims{Username: "sub"},
|
||||||
}
|
}
|
||||||
// If the test upstream does not have a CA bundle specified, then don't configure one in the
|
// If the test upstream does not have a CA bundle specified, then don't configure one in the
|
||||||
// JWTAuthenticator. Leaving TLSSpec set to nil will result in OIDC discovery using the OS's root
|
// JWTAuthenticator. Leaving TLSSpec set to nil will result in OIDC discovery using the OS's root
|
||||||
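Review bot: The comment two lines above the new `Claims:` field still refers to `UsernameClaim`, which this commit replaces with `Claims.Username`, so the comment now names a field that no longer exists on the spec. Change it to `// The default Claims.Username is "username" but the upstreams that we use for` so the explanation matches the field it annotates. CreateTestJWTAuthenticatorForCLIUpstream starts and ends outside the hunk.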
|