mirrors/pinniped
1
0
Fork 0
mirror of https://github.com/vmware-tanzu/pinniped.git synced 2025-12-23 06:15:47 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
Files
e824e74fcc1a022589c64cf1d13c1833a2fee4f5
pinniped/generated/1.26/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
Ryan Richard 1623b2c46e ran codegen after update of kube-versions.txt
2025-08-28 12:34:05 -07:00

432 lines
24 KiB
YAML
Generated
Raw Blame History

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.19.0
name: jwtauthenticators.authentication.concierge.pinniped.dev
spec:
group: authentication.concierge.pinniped.dev
names:
categories:
- pinniped
- pinniped-authenticator
- pinniped-authenticators
kind: JWTAuthenticator
listKind: JWTAuthenticatorList
plural: jwtauthenticators
singular: jwtauthenticator
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .spec.issuer
name: Issuer
type: string
- jsonPath: .spec.audience
name: Audience
type: string
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
JWTAuthenticator describes the configuration of a JWT authenticator.
Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid
signature, existence of claims, etc.) and extract the username and groups from the token.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: spec for configuring the authenticator.
properties:
audience:
description: audience is the required value of the "aud" JWT claim.
minLength: 1
type: string
claimValidationRules:
description: |-
claimValidationRules are rules that are applied to validate token claims to authenticate users.
This is similar to claimValidationRules from Kubernetes AuthenticationConfiguration as documented in
https://kubernetes.io/docs/reference/access-authn-authz/authentication.
This is an advanced configuration option. During an end-user login flow, mistakes in this
configuration will cause the user's login to fail.
items:
description: ClaimValidationRule provides the configuration for
a single claim validation rule.
properties:
claim:
description: |-
claim is the name of a required claim.
Only string claim keys are supported.
Mutually exclusive with expression and message.
type: string
expression:
description: |-
expression represents the expression which will be evaluated by CEL.
Must produce a boolean.
CEL expressions have access to the contents of the token claims, organized into CEL variable:
- 'claims' is a map of claim names to claim values.
For example, a variable named 'sub' can be accessed as 'claims.sub'.
Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
Must return true for the validation to pass.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
Mutually exclusive with claim and requiredValue.
type: string
message:
description: |-
message customizes the returned error message when expression returns false.
message is a literal string.
Mutually exclusive with claim and requiredValue.
type: string
requiredValue:
description: |-
requiredValue is the value of a required claim.
Only string claim values are supported.
If claim is set and requiredValue is not set, the claim must be present with a value set to the empty string.
Mutually exclusive with expression and message.
type: string
type: object
type: array
claims:
description: |-
claims allows customization of the claims that will be mapped to user identity
for Kubernetes access.
properties:
extra:
description: |-
extra is similar to claimMappings.extra from Kubernetes AuthenticationConfiguration
as documented in https://kubernetes.io/docs/reference/access-authn-authz/authentication.
However, note that the Pinniped Concierge issues client certificates to users for the purpose
of authenticating, and the Kubernetes API server does not have any mechanism for transmitting
auth extras via client certificates. When configured, these extras will appear in client
certificates issued by the Pinniped Supervisor in the x509 Subject field as Organizational
Units (OU). However, when this client certificate is presented to Kubernetes for authentication,
Kubernetes will ignore these extras. This is probably only useful if you are using a custom
authenticating proxy in front of your Kubernetes API server which can translate these OUs into
auth extras, as described by
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authenticating-proxy.
This is an advanced configuration option. During an end-user login flow, each of these CEL expressions
must evaluate to either a string or an array of strings, or else the user's login will fail.
These keys must be a domain-prefixed path (such as "acme.io/foo") and must not contain an equals sign ("=").
expression must produce a string or string array value.
If the value is empty, the extra mapping will not be present.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
hard-coded extra key/value
- key: "acme.io/foo"
valueExpression: "'bar'"
This will result in an extra attribute - acme.io/foo: ["bar"]
hard-coded key, value copying claim value
- key: "acme.io/foo"
valueExpression: "claims.some_claim"
This will result in an extra attribute - acme.io/foo: [value of some_claim]
hard-coded key, value derived from claim value
- key: "acme.io/admin"
valueExpression: '(has(claims.is_admin) && claims.is_admin) ? "true":""'
This will result in:
- if is_admin claim is present and true, extra attribute - acme.io/admin: ["true"]
- if is_admin claim is present and false or is_admin claim is not present, no extra attribute will be added
items:
description: ExtraMapping provides the configuration for a single
extra mapping.
properties:
key:
description: |-
key is a string to use as the extra attribute key.
key must be a domain-prefix path (e.g. example.org/foo). All characters before the first "/" must be a valid
subdomain as defined by RFC 1123. All characters trailing the first "/" must
be valid HTTP Path characters as defined by RFC 3986.
key must be lowercase.
Required to be unique.
Additionally, the key must not contain an equals sign ("=").
type: string
valueExpression:
description: |-
valueExpression is a CEL expression to extract extra attribute value.
valueExpression must produce a string or string array value.
"", [], and null values are treated as the extra mapping not being present.
Empty string values contained within a string array are filtered out.
CEL expressions have access to the contents of the token claims, organized into CEL variable:
- 'claims' is a map of claim names to claim values.
For example, a variable named 'sub' can be accessed as 'claims.sub'.
Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
type: string
required:
- key
- valueExpression
type: object
type: array
groups:
description: |-
groups is the name of the claim which should be read to extract the user's
group membership from the JWT token. When not specified, it will default to "groups",
unless groupsExpression is specified.
Mutually exclusive with groupsExpression. Use either groups or groupsExpression to
determine the user's group membership from the JWT token.
type: string
groupsExpression:
description: |-
groupsExpression represents an expression which will be evaluated by CEL.
The expression's result will become the user's group memberships.
groupsExpression is similar to claimMappings.groups.expression from Kubernetes AuthenticationConfiguration
as documented in https://kubernetes.io/docs/reference/access-authn-authz/authentication.
This is an advanced configuration option. During an end-user login flow, each of these CEL expressions
must evaluate to one of the expected types without errors, or else the user's login will fail.
Additionally, mistakes in this configuration can cause the users to have unintended group memberships.
The expression must produce a string or string array value.
"", [], and null values are treated as the group mapping not being present.
CEL expressions have access to the contents of the token claims, organized into CEL variable:
- 'claims' is a map of claim names to claim values.
For example, a variable named 'sub' can be accessed as 'claims.sub'.
Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
Mutually exclusive with groups. Use either groups or groupsExpression to
determine the user's group membership from the JWT token.
type: string
username:
description: |-
username is the name of the claim which should be read to extract the
username from the JWT token. When not specified, it will default to "username",
unless usernameExpression is specified.
Mutually exclusive with usernameExpression. Use either username or usernameExpression to
determine the user's username from the JWT token.
type: string
usernameExpression:
description: |-
usernameExpression represents an expression which will be evaluated by CEL.
The expression's result will become the user's username.
usernameExpression is similar to claimMappings.username.expression from Kubernetes AuthenticationConfiguration
as documented in https://kubernetes.io/docs/reference/access-authn-authz/authentication.
This is an advanced configuration option. During an end-user login flow, each of these CEL expressions
must evaluate to the expected type without errors, or else the user's login will fail.
Additionally, mistakes in this configuration can cause the users to have unintended usernames.
The expression must produce a non-empty string value.
If the expression uses 'claims.email', then 'claims.email_verified' must be used in
the expression or extra[*].valueExpression or claimValidationRules[*].expression.
An example claim validation rule expression that matches the validation automatically
applied when username.claim is set to 'email' is 'claims.?email_verified.orValue(true) == true'.
By explicitly comparing the value to true, we let type-checking see the result will be a boolean,
and to make sure a non-boolean email_verified claim will be caught at runtime.
CEL expressions have access to the contents of the token claims, organized into CEL variable:
- 'claims' is a map of claim names to claim values.
For example, a variable named 'sub' can be accessed as 'claims.sub'.
Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
Mutually exclusive with username. Use either username or usernameExpression to
determine the user's username from the JWT token.
type: string
type: object
issuer:
description: |-
issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is
also used to validate the "iss" JWT claim.
minLength: 1
pattern: ^https://
type: string
tls:
description: tls is the configuration for communicating with the OIDC
provider via TLS.
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
userValidationRules:
description: |-
userValidationRules are rules that are applied to final user before completing authentication.
These allow invariants to be applied to incoming identities such as preventing the
use of the system: prefix that is commonly used by Kubernetes components.
The validation rules are logically ANDed together and must all return true for the validation to pass.
This is similar to claimValidationRules from Kubernetes AuthenticationConfiguration as documented in
https://kubernetes.io/docs/reference/access-authn-authz/authentication.
This is an advanced configuration option. During an end-user login flow, mistakes in this
configuration will cause the user's login to fail.
items:
description: UserValidationRule provides the configuration for a
single user info validation rule.
properties:
expression:
description: |-
expression represents the expression which will be evaluated by CEL.
Must return true for the validation to pass.
CEL expressions have access to the contents of UserInfo, organized into CEL variable:
- 'user' - authentication.k8s.io/v1, Kind=UserInfo object
Refer to https://github.com/kubernetes/api/blob/release-1.28/authentication/v1/types.go#L105-L122 for the definition.
API documentation: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#userinfo-v1-authentication-k8s-io
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
type: string
message:
description: |-
message customizes the returned error message when rule returns false.
message is a literal string.
type: string
required:
- expression
type: object
type: array
required:
- audience
- issuer
type: object
status:
description: status of the authenticator.
properties:
conditions:
description: Represents the observations of the authenticator's current
state.
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
phase:
default: Pending
description: Phase summarizes the overall status of the JWTAuthenticator.
enum:
- Pending
- Ready
- Error
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
Reference in New Issue View Git Blame Copy Permalink