--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.20.0 name: jwtauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev names: categories: - pinniped - pinniped-authenticator - pinniped-authenticators kind: JWTAuthenticator listKind: JWTAuthenticatorList plural: jwtauthenticators singular: jwtauthenticator scope: Cluster versions: - additionalPrinterColumns: - jsonPath: .spec.issuer name: Issuer type: string - jsonPath: .spec.audience name: Audience type: string - jsonPath: .status.phase name: Status type: string - jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha1 schema: openAPIV3Schema: description: |- JWTAuthenticator describes the configuration of a JWT authenticator. Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid signature, existence of claims, etc.) and extract the username and groups from the token. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: spec for configuring the authenticator. properties: audience: description: audience is the required value of the "aud" JWT claim. minLength: 1 type: string claimValidationRules: description: |- claimValidationRules are rules that are applied to validate token claims to authenticate users. This is similar to claimValidationRules from Kubernetes AuthenticationConfiguration as documented in https://kubernetes.io/docs/reference/access-authn-authz/authentication. This is an advanced configuration option. During an end-user login flow, mistakes in this configuration will cause the user's login to fail. items: description: ClaimValidationRule provides the configuration for a single claim validation rule. properties: claim: description: |- claim is the name of a required claim. Only string claim keys are supported. Mutually exclusive with expression and message. type: string expression: description: |- expression represents the expression which will be evaluated by CEL. Must produce a boolean. CEL expressions have access to the contents of the token claims, organized into CEL variable: - 'claims' is a map of claim names to claim values. For example, a variable named 'sub' can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'. Must return true for the validation to pass. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ Mutually exclusive with claim and requiredValue. type: string message: description: |- message customizes the returned error message when expression returns false. message is a literal string. Mutually exclusive with claim and requiredValue. type: string requiredValue: description: |- requiredValue is the value of a required claim. Only string claim values are supported. If claim is set and requiredValue is not set, the claim must be present with a value set to the empty string. Mutually exclusive with expression and message. type: string type: object type: array claims: description: |- claims allows customization of the claims that will be mapped to user identity for Kubernetes access. properties: extra: description: |- extra is similar to claimMappings.extra from Kubernetes AuthenticationConfiguration as documented in https://kubernetes.io/docs/reference/access-authn-authz/authentication. However, note that the Pinniped Concierge issues client certificates to users for the purpose of authenticating, and the Kubernetes API server does not have any mechanism for transmitting auth extras via client certificates. When configured, these extras will appear in client certificates issued by the Pinniped Supervisor in the x509 Subject field as Organizational Units (OU). However, when this client certificate is presented to Kubernetes for authentication, Kubernetes will ignore these extras. This is probably only useful if you are using a custom authenticating proxy in front of your Kubernetes API server which can translate these OUs into auth extras, as described by https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authenticating-proxy. This is an advanced configuration option. During an end-user login flow, each of these CEL expressions must evaluate to either a string or an array of strings, or else the user's login will fail. These keys must be a domain-prefixed path (such as "acme.io/foo") and must not contain an equals sign ("="). expression must produce a string or string array value. If the value is empty, the extra mapping will not be present. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ hard-coded extra key/value - key: "acme.io/foo" valueExpression: "'bar'" This will result in an extra attribute - acme.io/foo: ["bar"] hard-coded key, value copying claim value - key: "acme.io/foo" valueExpression: "claims.some_claim" This will result in an extra attribute - acme.io/foo: [value of some_claim] hard-coded key, value derived from claim value - key: "acme.io/admin" valueExpression: '(has(claims.is_admin) && claims.is_admin) ? "true":""' This will result in: - if is_admin claim is present and true, extra attribute - acme.io/admin: ["true"] - if is_admin claim is present and false or is_admin claim is not present, no extra attribute will be added items: description: ExtraMapping provides the configuration for a single extra mapping. properties: key: description: |- key is a string to use as the extra attribute key. key must be a domain-prefix path (e.g. example.org/foo). All characters before the first "/" must be a valid subdomain as defined by RFC 1123. All characters trailing the first "/" must be valid HTTP Path characters as defined by RFC 3986. key must be lowercase. Required to be unique. Additionally, the key must not contain an equals sign ("="). type: string valueExpression: description: |- valueExpression is a CEL expression to extract extra attribute value. valueExpression must produce a string or string array value. "", [], and null values are treated as the extra mapping not being present. Empty string values contained within a string array are filtered out. CEL expressions have access to the contents of the token claims, organized into CEL variable: - 'claims' is a map of claim names to claim values. For example, a variable named 'sub' can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ type: string required: - key - valueExpression type: object type: array groups: description: |- groups is the name of the claim which should be read to extract the user's group membership from the JWT token. When not specified, it will default to "groups", unless groupsExpression is specified. Mutually exclusive with groupsExpression. Use either groups or groupsExpression to determine the user's group membership from the JWT token. type: string groupsExpression: description: |- groupsExpression represents an expression which will be evaluated by CEL. The expression's result will become the user's group memberships. groupsExpression is similar to claimMappings.groups.expression from Kubernetes AuthenticationConfiguration as documented in https://kubernetes.io/docs/reference/access-authn-authz/authentication. This is an advanced configuration option. During an end-user login flow, each of these CEL expressions must evaluate to one of the expected types without errors, or else the user's login will fail. Additionally, mistakes in this configuration can cause the users to have unintended group memberships. The expression must produce a string or string array value. "", [], and null values are treated as the group mapping not being present. CEL expressions have access to the contents of the token claims, organized into CEL variable: - 'claims' is a map of claim names to claim values. For example, a variable named 'sub' can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ Mutually exclusive with groups. Use either groups or groupsExpression to determine the user's group membership from the JWT token. type: string username: description: |- username is the name of the claim which should be read to extract the username from the JWT token. When not specified, it will default to "username", unless usernameExpression is specified. Mutually exclusive with usernameExpression. Use either username or usernameExpression to determine the user's username from the JWT token. type: string usernameExpression: description: |- usernameExpression represents an expression which will be evaluated by CEL. The expression's result will become the user's username. usernameExpression is similar to claimMappings.username.expression from Kubernetes AuthenticationConfiguration as documented in https://kubernetes.io/docs/reference/access-authn-authz/authentication. This is an advanced configuration option. During an end-user login flow, each of these CEL expressions must evaluate to the expected type without errors, or else the user's login will fail. Additionally, mistakes in this configuration can cause the users to have unintended usernames. The expression must produce a non-empty string value. If the expression uses 'claims.email', then 'claims.email_verified' must be used in the expression or extra[*].valueExpression or claimValidationRules[*].expression. An example claim validation rule expression that matches the validation automatically applied when username.claim is set to 'email' is 'claims.?email_verified.orValue(true) == true'. By explicitly comparing the value to true, we let type-checking see the result will be a boolean, and to make sure a non-boolean email_verified claim will be caught at runtime. CEL expressions have access to the contents of the token claims, organized into CEL variable: - 'claims' is a map of claim names to claim values. For example, a variable named 'sub' can be accessed as 'claims.sub'. Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ Mutually exclusive with username. Use either username or usernameExpression to determine the user's username from the JWT token. type: string type: object issuer: description: |- issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is also used to validate the "iss" JWT claim. minLength: 1 pattern: ^https:// type: string tls: description: tls is the configuration for communicating with the OIDC provider via TLS. properties: certificateAuthorityData: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string certificateAuthorityDataSource: description: |- Reference to a CA bundle in a secret or a configmap. Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. properties: key: description: |- Key is the key name within the secret or configmap from which to read the CA bundle. The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded certificate bundle. minLength: 1 type: string kind: description: |- Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. Allowed values are "Secret" or "ConfigMap". "ConfigMap" uses a Kubernetes configmap to source CA Bundles. "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. enum: - Secret - ConfigMap type: string name: description: |- Name is the resource name of the secret or configmap from which to read the CA bundle. The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed. minLength: 1 type: string required: - key - kind - name type: object type: object userValidationRules: description: |- userValidationRules are rules that are applied to final user before completing authentication. These allow invariants to be applied to incoming identities such as preventing the use of the system: prefix that is commonly used by Kubernetes components. The validation rules are logically ANDed together and must all return true for the validation to pass. This is similar to claimValidationRules from Kubernetes AuthenticationConfiguration as documented in https://kubernetes.io/docs/reference/access-authn-authz/authentication. This is an advanced configuration option. During an end-user login flow, mistakes in this configuration will cause the user's login to fail. items: description: UserValidationRule provides the configuration for a single user info validation rule. properties: expression: description: |- expression represents the expression which will be evaluated by CEL. Must return true for the validation to pass. CEL expressions have access to the contents of UserInfo, organized into CEL variable: - 'user' - authentication.k8s.io/v1, Kind=UserInfo object Refer to https://github.com/kubernetes/api/blob/release-1.28/authentication/v1/types.go#L105-L122 for the definition. API documentation: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#userinfo-v1-authentication-k8s-io Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ type: string message: description: |- message customizes the returned error message when rule returns false. message is a literal string. type: string required: - expression type: object type: array required: - audience - issuer type: object status: description: status of the authenticator. properties: conditions: description: Represents the observations of the authenticator's current state. items: description: Condition contains details for one aspect of the current state of this API Resource. properties: lastTransitionTime: description: |- lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- message is a human readable message indicating details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: description: |- observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: description: |- reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: description: status of the condition, one of True, False, Unknown. enum: - "True" - "False" - Unknown type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - lastTransitionTime - message - reason - status - type type: object type: array x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map phase: default: Pending description: Phase summarizes the overall status of the JWTAuthenticator. enum: - Pending - Ready - Error type: string type: object required: - spec type: object served: true storage: true subresources: status: {}