From 0e60c93cef2a707460f8e5069ae2bac96d38e18b Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Tue, 15 Dec 2020 10:36:19 -0800
Subject: [PATCH] Add UsernameClaim and GroupsClaim to JWTAuthenticator CRD spec
Signed-off-by: Margo Crawford
---
 .../authentication/v1alpha1/types_jwt.go.tmpl | 10 ++++++++++
 ...ation.concierge.pinniped.dev_jwtauthenticators.yaml | 10 ++++++++++
 generated/1.17/README.adoc | 2 ++
 .../concierge/authentication/v1alpha1/types_jwt.go | 10 ++++++++++
 ...ation.concierge.pinniped.dev_jwtauthenticators.yaml | 10 ++++++++++
 generated/1.18/README.adoc | 2 ++
 .../concierge/authentication/v1alpha1/types_jwt.go | 10 ++++++++++
 ...ation.concierge.pinniped.dev_jwtauthenticators.yaml | 10 ++++++++++
 generated/1.19/README.adoc | 2 ++
 .../concierge/authentication/v1alpha1/types_jwt.go | 10 ++++++++++
 ...ation.concierge.pinniped.dev_jwtauthenticators.yaml | 10 ++++++++++
 11 files changed, 86 insertions(+)
diff --git a/apis/concierge/authentication/v1alpha1/types_jwt.go.tmpl b/apis/concierge/authentication/v1alpha1/types_jwt.go.tmpl
index 5d0604bd8..b08e82796 100644
--- a/apis/concierge/authentication/v1alpha1/types_jwt.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/types_jwt.go.tmpl
@@ -27,6 +27,16 @@ type JWTAuthenticatorSpec struct {
 // +kubebuilder:validation:MinLength=1
 Audience string `json:"audience"`
 
+ // UsernameClaim is the name of the claim which should be read to extract the
+ // username from the JWT token. When not specified, it will default to "username".
+ // +optional
+ UsernameClaim string `json:"username_claim"`
+
+ // GroupsClaim is the name of the claim which should be read to extract the user's
+ // group membership from the JWT token. When not specified, it will default to "groups".
+ // +optional
+ GroupsClaim string `json:"groups_claim"`
+
 // TLS configuration for communicating with the OIDC provider.
 // +optional
 TLS *TLSSpec `json:"tls,omitempty"`
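Review bot: The two new fields in JWTAuthenticatorSpec carry `+optional` but their JSON tags omit `omitempty`, unlike the sibling `tls,omitempty` in the same hunk, so every serialized JWTAuthenticator will emit `"username_claim": ""` and `"groups_claim": ""` even when the user never set them; `UsernameClaim string \`json:"username_claim,omitempty"\`` and `GroupsClaim string \`json:"groups_claim,omitempty"\`` keep the wire form consistent with the rest of the spec. The snake_case tag names also depart from the camelCase convention Kubernetes uses for multi-word API fields, and an alpha CRD field name is expensive to rename once it is in use. The doc comments promise a default of "username"/"groups", yet no `+kubebuilder:default` marker is emitted, so that defaulting must live in the authenticator code rather than the CRD; either add the marker so the served object shows the effective claim, or state in the comment that an empty string is treated as unset. Because the groups claim maps straight onto Kubernetes group identities, the GroupsClaim comment should say whether values from the token are used as-is or prefixed, since the spec offers no prefix or filter and the implementation is not in this patch. The struct body continues beyond the hunk.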
diff --git a/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
index ed16bf0c5..0865ca3c1 100644
--- a/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
+++ b/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
@@ -51,6 +51,11 @@ spec:
 description: Audience is the required value of the "aud" JWT claim.
 minLength: 1
 type: string
+ groups_claim:
+ description: GroupsClaim is the name of the claim which should be
+ read to extract the user's group membership from the JWT token.
+ When not specified, it will default to "groups".
+ type: string
 issuer:
 description: Issuer is the OIDC issuer URL that will be used to discover
 public signing keys. Issuer is also used to validate the "iss" JWT
@@ -66,6 +71,11 @@ spec:
 If omitted, a default set of system roots will be trusted.
 type: string
 type: object
+ username_claim:
+ description: UsernameClaim is the name of the claim which should be
+ read to extract the username from the JWT token. When not specified,
+ it will default to "username".
+ type: string
 required:
 - audience
 - issuer
diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc
index 0ccdd1df9..1f29282cc 100644
--- a/generated/1.17/README.adoc
+++ b/generated/1.17/README.adoc
@@ -92,6 +92,8 @@ Spec for configuring a JWT authenticator.
 | Field | Description
 | *`issuer`* __string__ | Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT claim.
 | *`audience`* __string__ | Audience is the required value of the "aud" JWT claim.
+| *`username_claim`* __string__ | UsernameClaim is the name of the claim which should be read to extract the username from the JWT token. When not specified, it will default to "username".
+| *`groups_claim`* __string__ | GroupsClaim is the name of the claim which should be read to extract the user's group membership from the JWT token. When not specified, it will default to "groups".
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for communicating with the OIDC provider.
 |===
 
diff --git a/generated/1.17/apis/concierge/authentication/v1alpha1/types_jwt.go b/generated/1.17/apis/concierge/authentication/v1alpha1/types_jwt.go
index 5d0604bd8..1c43f68f3 100644
--- a/generated/1.17/apis/concierge/authentication/v1alpha1/types_jwt.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/types_jwt.go
@@ -27,6 +27,16 @@ type JWTAuthenticatorSpec struct {
 // +kubebuilder:validation:MinLength=1
 Audience string `json:"audience"`
 
+ // UsernameClaim is the name of the claim which should be read to extract the
+ // username from the JWT token. When not specified, it will default to "username".
+ // +optional
+ UsernameClaim string `json:"username_claim"`
+
+ // GroupsClaim is the name of the claim which should be read to extract the user's
+ // group membership from the JWT token. When not specified, it will default to "groups".
+ // +optional
+ GroupsClaim string `json:"groups_claim"`
+
 // TLS configuration for communicating with the OIDC provider.
 // +optional
 TLS *TLSSpec `json:"tls,omitempty"`
diff --git a/generated/1.17/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.17/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
index ed16bf0c5..0865ca3c1 100644
--- a/generated/1.17/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
+++ b/generated/1.17/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
@@ -51,6 +51,11 @@ spec:
 description: Audience is the required value of the "aud" JWT claim.
 minLength: 1
 type: string
+ groups_claim:
+ description: GroupsClaim is the name of the claim which should be
+ read to extract the user's group membership from the JWT token.
+ When not specified, it will default to "groups".
+ type: string
 issuer:
 description: Issuer is the OIDC issuer URL that will be used to discover
 public signing keys. Issuer is also used to validate the "iss" JWT
@@ -66,6 +71,11 @@ spec:
 If omitted, a default set of system roots will be trusted.
 type: string
 type: object
+ username_claim:
+ description: UsernameClaim is the name of the claim which should be
+ read to extract the username from the JWT token. When not specified,
+ it will default to "username".
+ type: string
 required:
 - audience
 - issuer
diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc
index 97042b25d..2cef60f4f 100644
--- a/generated/1.18/README.adoc
+++ b/generated/1.18/README.adoc
@@ -92,6 +92,8 @@ Spec for configuring a JWT authenticator.
 | Field | Description
 | *`issuer`* __string__ | Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT claim.
 | *`audience`* __string__ | Audience is the required value of the "aud" JWT claim.
+| *`username_claim`* __string__ | UsernameClaim is the name of the claim which should be read to extract the username from the JWT token. When not specified, it will default to "username".
+| *`groups_claim`* __string__ | GroupsClaim is the name of the claim which should be read to extract the user's group membership from the JWT token. When not specified, it will default to "groups".
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for communicating with the OIDC provider.
 |===
 
diff --git a/generated/1.18/apis/concierge/authentication/v1alpha1/types_jwt.go b/generated/1.18/apis/concierge/authentication/v1alpha1/types_jwt.go
index 5d0604bd8..1c43f68f3 100644
--- a/generated/1.18/apis/concierge/authentication/v1alpha1/types_jwt.go
+++ b/generated/1.18/apis/concierge/authentication/v1alpha1/types_jwt.go
@@ -27,6 +27,16 @@ type JWTAuthenticatorSpec struct {
 // +kubebuilder:validation:MinLength=1
 Audience string `json:"audience"`
 
+ // UsernameClaim is the name of the claim which should be read to extract the
+ // username from the JWT token. When not specified, it will default to "username".
+ // +optional
+ UsernameClaim string `json:"username_claim"`
+
+ // GroupsClaim is the name of the claim which should be read to extract the user's
+ // group membership from the JWT token. When not specified, it will default to "groups".
+ // +optional
+ GroupsClaim string `json:"groups_claim"`
+
 // TLS configuration for communicating with the OIDC provider.
 // +optional
 TLS *TLSSpec `json:"tls,omitempty"`
diff --git a/generated/1.18/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.18/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
index ed16bf0c5..0865ca3c1 100644
--- a/generated/1.18/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
+++ b/generated/1.18/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
@@ -51,6 +51,11 @@ spec:
 description: Audience is the required value of the "aud" JWT claim.
 minLength: 1
 type: string
+ groups_claim:
+ description: GroupsClaim is the name of the claim which should be
+ read to extract the user's group membership from the JWT token.
+ When not specified, it will default to "groups".
+ type: string
 issuer:
 description: Issuer is the OIDC issuer URL that will be used to discover
 public signing keys. Issuer is also used to validate the "iss" JWT
@@ -66,6 +71,11 @@ spec:
 If omitted, a default set of system roots will be trusted.
 type: string
 type: object
+ username_claim:
+ description: UsernameClaim is the name of the claim which should be
+ read to extract the username from the JWT token. When not specified,
+ it will default to "username".
+ type: string
 required:
 - audience
 - issuer
diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc
index edda33b88..bfb3c44fe 100644
--- a/generated/1.19/README.adoc
+++ b/generated/1.19/README.adoc
@@ -92,6 +92,8 @@ Spec for configuring a JWT authenticator.
 | Field | Description
 | *`issuer`* __string__ | Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT claim.
 | *`audience`* __string__ | Audience is the required value of the "aud" JWT claim.
+| *`username_claim`* __string__ | UsernameClaim is the name of the claim which should be read to extract the username from the JWT token. When not specified, it will default to "username".
+| *`groups_claim`* __string__ | GroupsClaim is the name of the claim which should be read to extract the user's group membership from the JWT token. When not specified, it will default to "groups".
 | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for communicating with the OIDC provider.
 |===
 
diff --git a/generated/1.19/apis/concierge/authentication/v1alpha1/types_jwt.go b/generated/1.19/apis/concierge/authentication/v1alpha1/types_jwt.go
index 5d0604bd8..1c43f68f3 100644
--- a/generated/1.19/apis/concierge/authentication/v1alpha1/types_jwt.go
+++ b/generated/1.19/apis/concierge/authentication/v1alpha1/types_jwt.go
@@ -27,6 +27,16 @@ type JWTAuthenticatorSpec struct {
 // +kubebuilder:validation:MinLength=1
 Audience string `json:"audience"`
 
+ // UsernameClaim is the name of the claim which should be read to extract the
+ // username from the JWT token. When not specified, it will default to "username".
+ // +optional
+ UsernameClaim string `json:"username_claim"`
+
+ // GroupsClaim is the name of the claim which should be read to extract the user's
+ // group membership from the JWT token. When not specified, it will default to "groups".
+ // +optional
+ GroupsClaim string `json:"groups_claim"`
+
 // TLS configuration for communicating with the OIDC provider.
 // +optional
 TLS *TLSSpec `json:"tls,omitempty"`
diff --git a/generated/1.19/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.19/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
index ed16bf0c5..0865ca3c1 100644
--- a/generated/1.19/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
+++ b/generated/1.19/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
@@ -51,6 +51,11 @@ spec:
 description: Audience is the required value of the "aud" JWT claim.
 minLength: 1
 type: string
+ groups_claim:
+ description: GroupsClaim is the name of the claim which should be
+ read to extract the user's group membership from the JWT token.
+ When not specified, it will default to "groups".
+ type: string
 issuer:
 description: Issuer is the OIDC issuer URL that will be used to discover
 public signing keys. Issuer is also used to validate the "iss" JWT
@@ -66,6 +71,11 @@ spec:
 If omitted, a default set of system roots will be trusted.
 type: string
 type: object
+ username_claim:
+ description: UsernameClaim is the name of the claim which should be
+ read to extract the username from the JWT token. When not specified,
+ it will default to "username".
+ type: string
 required:
 - audience
 - issuer