add usernameExpression and groupsExpression to JWTAuthenticator CRD

apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go.tmpl

@@ -137,15 +137,66 @@ type UserValidationRule struct {
 // JWTTokenClaims allows customization of the claims that will be mapped to user identity
 // for Kubernetes access.
 type JWTTokenClaims struct {
+	// username is the name of the claim which should be read to extract the
+	// username from the JWT token. When not specified, it will default to "username",
+	// unless usernameExpression is specified.
+	//
+	// Mutually exclusive with usernameExpression. Use either username or usernameExpression to
+	// determine the user's username from the JWT token.
+	// +optional
+	Username string `json:"username"`
+
+	// usernameExpression represents an expression which will be evaluated by CEL.
+	//
+	// The expression's result will become the user's username.
+	//
+	// The expression must produce a non-empty string value.
+	// If the expression uses 'claims.email', then 'claims.email_verified' must be used in
+	// the expression or extra[*].valueExpression or claimValidationRules[*].expression.
+	// An example claim validation rule expression that matches the validation automatically
+	// applied when username.claim is set to 'email' is 'claims.?email_verified.orValue(true) == true'.
+	// By explicitly comparing the value to true, we let type-checking see the result will be a boolean,
+	// and to make sure a non-boolean email_verified claim will be caught at runtime.
+	//
+	// CEL expressions have access to the contents of the token claims, organized into CEL variable:
+	// - 'claims' is a map of claim names to claim values.
+	//   For example, a variable named 'sub' can be accessed as 'claims.sub'.
+	//   Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
+	//
+	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+	//
+	// Mutually exclusive with username. Use either username or usernameExpression to
+	// determine the user's username from the JWT token.
+	// +optional
+	UsernameExpression string `json:"usernameExpression,omitempty"`
+
 	// groups is the name of the claim which should be read to extract the user's
-	// group membership from the JWT token. When not specified, it will default to "groups".
+	// group membership from the JWT token. When not specified, it will default to "groups",
+	// unless groupsExpression is specified.
+	//
+	// Mutually exclusive with groupsExpression. Use either groups or groupsExpression to
+	// determine the user's group membership from the JWT token.
 	// +optional
 	Groups string `json:"groups"`
 
-	// username is the name of the claim which should be read to extract the
-	// username from the JWT token. When not specified, it will default to "username".
+	// groupsExpression represents an expression which will be evaluated by CEL.
+	//
+	// The expression's result will become the user's group memberships.
+	//
+	// The expression must produce a string or string array value.
+	//  "", [], and null values are treated as the group mapping not being present.
+	//
+	// CEL expressions have access to the contents of the token claims, organized into CEL variable:
+	// - 'claims' is a map of claim names to claim values.
+	//   For example, a variable named 'sub' can be accessed as 'claims.sub'.
+	//   Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
+	//
+	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+	//
+	// Mutually exclusive with groups. Use either groups or groupsExpression to
+	// determine the user's group membership from the JWT token.
 	// +optional
-	Username string `json:"username"`
+	GroupsExpression string `json:"groupsExpression,omitempty"`
 
 	// extra is similar to claimMappings.extra from Kubernetes AuthenticationConfiguration as documented in
 	// https://kubernetes.io/docs/reference/access-authn-authz/authentication. However, note that the