--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null name: jwtauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev names: categories: - pinniped - pinniped-authenticator - pinniped-authenticators kind: JWTAuthenticator listKind: JWTAuthenticatorList plural: jwtauthenticators singular: jwtauthenticator scope: Cluster versions: - additionalPrinterColumns: - jsonPath: .spec.issuer name: Issuer type: string name: v1alpha1 schema: openAPIV3Schema: description: "JWTAuthenticator describes the configuration of a JWT authenticator. \n Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid signature, existence of claims, etc.) and extract the username and groups from the token." properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: Spec for configuring the authenticator. properties: audience: description: Audience is the required value of the "aud" JWT claim. minLength: 1 type: string claims: description: Claims allows customization of the claims that will be mapped to user identity for Kubernetes access. properties: groups: description: Groups is the name of the claim which should be read to extract the user's group membership from the JWT token. When not specified, it will default to "groups". type: string username: description: Username is the name of the claim which should be read to extract the username from the JWT token. When not specified, it will default to "username". type: string type: object issuer: description: Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT claim. minLength: 1 pattern: ^https:// type: string tls: description: TLS configuration for communicating with the OIDC provider. properties: certificateAuthorityData: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string type: object required: - audience - issuer type: object status: description: Status of the authenticator. properties: conditions: description: Represents the observations of the authenticator's current state. items: description: Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. properties: lastTransitionTime: description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: message is a human readable message indicating details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: description: status of the condition, one of True, False, Unknown. enum: - "True" - "False" - Unknown type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - lastTransitionTime - message - reason - status - type type: object type: array x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map type: object required: - spec type: object served: true storage: true subresources: {} status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: []