@@ -144,6 +144,14 @@ spec:
144144 x-kubernetes-validations :
145145 - message : domainPrefix is immutable
146146 rule : self == oldSelf
147+ enableExternalAuthProviders :
148+ default : false
149+ description : EnableExternalAuthProviders enables external authentication
150+ configuration for the cluster.
151+ type : boolean
152+ x-kubernetes-validations :
153+ - message : enableExternalAuthProviders is immutable
154+ rule : self == oldSelf
147155 endpointAccess :
148156 default : Public
149157 description : EndpointAccess specifies the publishing scope of cluster
@@ -157,6 +165,231 @@ spec:
157165 encrypt etcd. The key itself needs to be created out-of-band by
158166 the user and tagged with `red-hat:true`.
159167 type : string
168+ externalAuthProviders :
169+ description : " ExternalAuthProviders are external OIDC identity providers
170+ that can issue tokens for this cluster. Can only be set if \" enableExternalAuthProviders\"
171+ is set to \" True\" . \n At most one provider can be configured."
172+ items :
173+ description : ExternalAuthProvider is an external OIDC identity provider
174+ that can issue tokens for this cluster
175+ properties :
176+ claimMappings :
177+ description : ClaimMappings describes rules on how to transform
178+ information from an ID token into a cluster identity
179+ properties :
180+ groups :
181+ description : Groups is a name of the claim that should be
182+ used to construct groups for the cluster identity. The
183+ referenced claim must use array of strings values.
184+ properties :
185+ claim :
186+ description : Claim is a JWT token claim to be used in
187+ the mapping
188+ type : string
189+ prefix :
190+ description : " Prefix is a string to prefix the value
191+ from the token in the result of the claim mapping.
192+ \n By default, no prefixing occurs. \n Example: if
193+ `prefix` is set to \" myoidc:\"\" and the `claim` in
194+ JWT contains an array of strings \" a\" , \" b\" and
195+ \ \" c\" , the mapping will result in an array of string
196+ \" myoidc:a\" , \" myoidc:b\" and \" myoidc:c\" ."
197+ type : string
198+ required :
199+ - claim
200+ type : object
201+ username :
202+ description : " Username is a name of the claim that should
203+ be used to construct usernames for the cluster identity.
204+ \n Default value: \" sub\" "
205+ properties :
206+ claim :
207+ description : Claim is a JWT token claim to be used in
208+ the mapping
209+ type : string
210+ prefix :
211+ description : Prefix is prepended to claim to prevent
212+ clashes with existing names.
213+ minLength : 1
214+ type : string
215+ prefixPolicy :
216+ description : " PrefixPolicy specifies how a prefix should
217+ apply. \n By default, claims other than `email` will
218+ be prefixed with the issuer URL to prevent naming
219+ clashes with other plugins. \n Set to \" NoPrefix\"
220+ to disable prefixing. \n Example: (1) `prefix` is
221+ set to \" myoidc:\" and `claim` is set to \" username\" .
222+ If the JWT claim `username` contains value `userA`,
223+ the resulting mapped value will be \" myoidc:userA\" .
224+ (2) `prefix` is set to \" myoidc:\" and `claim` is
225+ set to \" email\" . If the JWT `email` claim contains
226+ value \" userA@myoidc.tld\" , the resulting mapped value
227+ will be \" myoidc:userA@myoidc.tld\" . (3) `prefix`
228+ is unset, `issuerURL` is set to `https://myoidc.tld`,
229+ the JWT claims include \" username\" :\" userA\" and
230+ \" email\" :\" userA@myoidc.tld\" , and `claim` is set
231+ to: (a) \" username\" : the mapped value will be \" https://myoidc.tld#userA\"
232+ (b) \" email\" : the mapped value will be \" userA@myoidc.tld\" "
233+ enum :
234+ - " "
235+ - NoPrefix
236+ - Prefix
237+ type : string
238+ required :
239+ - claim
240+ type : object
241+ x-kubernetes-validations :
242+ - message : prefix must be set if prefixPolicy is 'Prefix',
243+ but must remain unset otherwise
244+ rule : ' self.prefixPolicy == '' Prefix'' ? has(self.prefix)
245+ : !has(self.prefix)'
246+ type : object
247+ claimValidationRules :
248+ description : ClaimValidationRules are rules that are applied
249+ to validate token claims to authenticate users.
250+ items :
251+ description : TokenClaimValidationRule validates token claims
252+ to authenticate users.
253+ properties :
254+ requiredClaim :
255+ description : RequiredClaim allows configuring a required
256+ claim name and its expected value
257+ properties :
258+ claim :
259+ description : Claim is a name of a required claim.
260+ Only claims with string values are supported.
261+ minLength : 1
262+ type : string
263+ requiredValue :
264+ description : RequiredValue is the required value for
265+ the claim.
266+ minLength : 1
267+ type : string
268+ required :
269+ - claim
270+ - requiredValue
271+ type : object
272+ type :
273+ default : RequiredClaim
274+ description : Type sets the type of the validation rule
275+ enum :
276+ - RequiredClaim
277+ type : string
278+ required :
279+ - requiredClaim
280+ - type
281+ type : object
282+ type : array
283+ x-kubernetes-list-type : atomic
284+ issuer :
285+ description : Issuer describes attributes of the OIDC token issuer
286+ properties :
287+ audiences :
288+ description : Audiences is an array of audiences that the
289+ token was issued for. Valid tokens must include at least
290+ one of these values in their "aud" claim. Must be set
291+ to exactly one value.
292+ items :
293+ description : TokenAudience is the audience that the token
294+ was issued for.
295+ minLength : 1
296+ type : string
297+ maxItems : 10
298+ minItems : 1
299+ type : array
300+ x-kubernetes-list-type : set
301+ issuerCertificateAuthority :
302+ description : CertificateAuthority is a reference to a config
303+ map in the configuration namespace. The .data of the configMap
304+ must contain the "ca-bundle.crt" key. If unset, system
305+ trust is used instead.
306+ properties :
307+ name :
308+ description : ' Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
309+ TODO: Add other useful fields. apiVersion, kind, uid?'
310+ type : string
311+ type : object
312+ x-kubernetes-map-type : atomic
313+ issuerURL :
314+ description : URL is the serving URL of the token issuer.
315+ Must use the https:// scheme.
316+ pattern : ^https:\/\/[^\s]
317+ type : string
318+ required :
319+ - audiences
320+ - issuerURL
321+ type : object
322+ name :
323+ description : Name of the OIDC provider
324+ minLength : 1
325+ type : string
326+ oidcClients :
327+ description : OIDCClients contains configuration for the platform's
328+ clients that need to request tokens from the issuer
329+ items :
330+ description : OIDCClientConfig contains configuration for the
331+ platform's client that need to request tokens from the issuer.
332+ properties :
333+ clientID :
334+ description : ClientID is the identifier of the OIDC client
335+ from the OIDC provider
336+ minLength : 1
337+ type : string
338+ clientSecret :
339+ description : ClientSecret refers to a secret that contains
340+ the client secret in the `clientSecret` key of the `.data`
341+ field
342+ properties :
343+ name :
344+ description : name is unique within a namespace to
345+ reference a secret resource.
346+ type : string
347+ namespace :
348+ description : namespace defines the space within which
349+ the secret name must be unique.
350+ type : string
351+ type : object
352+ x-kubernetes-map-type : atomic
353+ componentName :
354+ description : ComponentName is the name of the component
355+ that is supposed to consume this client configuration
356+ maxLength : 256
357+ minLength : 1
358+ type : string
359+ componentNamespace :
360+ description : ComponentNamespace is the namespace of the
361+ component that is supposed to consume this client configuration
362+ maxLength : 63
363+ minLength : 1
364+ type : string
365+ extraScopes :
366+ description : ExtraScopes is an optional set of scopes
367+ to request tokens with.
368+ items :
369+ type : string
370+ type : array
371+ x-kubernetes-list-type : set
372+ required :
373+ - clientID
374+ - clientSecret
375+ - componentName
376+ - componentNamespace
377+ type : object
378+ maxItems : 20
379+ type : array
380+ x-kubernetes-list-map-keys :
381+ - componentNamespace
382+ - componentName
383+ x-kubernetes-list-type : map
384+ required :
385+ - issuer
386+ - name
387+ type : object
388+ maxItems : 1
389+ type : array
390+ x-kubernetes-list-map-keys :
391+ - name
392+ x-kubernetes-list-type : map
160393 identityRef :
161394 description : IdentityRef is a reference to an identity to be used
162395 when reconciling the managed control plane. If no identity is specified,
@@ -213,8 +446,11 @@ spec:
213446 type : string
214447 type : object
215448 oidcID :
216- description : The ID of the OpenID Connect Provider.
449+ description : The ID of the internal OpenID Connect Provider.
217450 type : string
451+ x-kubernetes-validations :
452+ - message : oidcID is immutable
453+ rule : self == oldSelf
218454 provisionShardID :
219455 description : ProvisionShardID defines the shard where rosa control
220456 plane components will be hosted.
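Review bot: In the externalAuthProviders hunk the `clientSecret` reference object declares `name` and `namespace` but no `required` list and no `minLength`, so `clientSecret: {}` satisfies the item-level `required` entry and the missing name only surfaces at reconcile time; add `required:` / `- name` under that object and `minLength: 1` on `name` (the same gap exists on `issuerCertificateAuthority.name`). The `audiences` description says the array "Must be set to exactly one value" while the schema allows `maxItems: 10`, so one of the two is wrong — if the single-audience rule is intended, `maxItems: 1`. The top-level description also states the providers can only be set when `enableExternalAuthProviders` is true, but no CEL rule in this hunk enforces that coupling; presumably it lives in a spec-level `x-kubernetes-validations` outside the hunk, which is worth confirming. Because `clientSecret.namespace` lets the object point at a Secret in any namespace, the controller that resolves it is the only thing bounding which Secrets a ROSAControlPlane can read, which deserves a sentence in the field's description.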