v1alpha1

package
Published: Mar 14, 2024 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Overview

Package v1alpha1 contains API Schema definitions for the authentication v1alpha1 API group +kubebuilder:object:generate=true +groupName=authentication.gardener.cloud

Index

Constants

// ClaimPrefixingDisabled is the sentinel prefix value ("-") that switches off
// automatic prefixing of the username or groups claim.
const ClaimPrefixingDisabled = "-"

// SystemPrefix is a forbidden prefix. Usernames and groups starting with this
// value will be ignored, so a token cannot map into the reserved "system:"
// namespace.
const SystemPrefix = "system:"

Variables

// GroupVersion identifies the API group and version these objects are registered under.
var GroupVersion = schema.GroupVersion{Group: "authentication.gardener.cloud", Version: "v1alpha1"}

// SchemeBuilder collects the Go types of this group-version so they can be added
// to a runtime scheme.
var SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

// AddToScheme adds the types in this group-version to the given scheme. It is the
// AddToScheme method of SchemeBuilder exposed as a package-level function value.
var AddToScheme = SchemeBuilder.AddToScheme

Functions

This section is empty.

Types

type JWKSSpec

type JWKSSpec struct {
	// `keys` is a base64 encoded JSON Web Key Set. If specified, the OIDCAuthenticator skips the request to the issuer's jwks_uri endpoint to retrieve the keys.
	// encoding/json carries a []byte as base64 on the wire, so the decoded value is the JWKS JSON document itself.
	// NOTE(review): because a non-empty value replaces discovery, these keys effectively become the trust anchor for
	// token signatures, and a key rotation at the provider is not picked up until this field is updated.
	Keys []byte `json:"keys,omitempty"`

	// +kubebuilder:default=true
	// `distributedClaims` enables the OIDCAuthenticator to return references to claims that are asserted by external Claims providers.
	// A nil pointer means the field was absent on the wire; the kubebuilder marker above defaults it to true.
	DistributedClaims *bool `json:"distributedClaims,omitempty"`
}

JWKSSpec defines the configuration for specifying JWKS keys offline.

func (*JWKSSpec) DeepCopy

func (in *JWKSSpec) DeepCopy() *JWKSSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWKSSpec.

func (*JWKSSpec) DeepCopyInto

func (in *JWKSSpec) DeepCopyInto(out *JWKSSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type OIDCAuthenticationSpec

type OIDCAuthenticationSpec struct {

	// IssuerURL is the URL the provider signs ID Tokens as. This will be the "iss"
	// field of all tokens produced by the provider and is used for configuration
	// discovery.
	//
	// The URL is usually the provider's URL without a path, for example
	// "https://foo.com" or "https://example.com".
	//
	// The provider must implement configuration discovery.
	// See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
	//
	// Discovery is performed against this origin (and, unless JWKS.Keys is set, so is
	// the signing-key retrieval), so this value decides whose tokens are trusted. The
	// certificate presented by the server is validated against CABundle.
	IssuerURL string `json:"issuerURL"`

	// ClientID is the audience for which the JWT must be issued, the "aud" field.
	//
	// The plugin supports the "authorized party" OpenID Connect claim, which allows
	// specialized providers to issue tokens to a client for a different client.
	// See: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
	ClientID string `json:"clientID"`

	// UsernameClaim is the JWT field to use as the user's username.
	// The field is a pointer but its JSON tag has no omitempty, so a nil value is
	// marshalled as null rather than omitted.
	UsernameClaim *string `json:"usernameClaim"`

	// UsernamePrefix, if specified, causes claims mapping to username to be prefixed with
	// the provided value. A value "oidc:" would result in usernames like "oidc:john".
	//
	// If not provided, the prefix defaults to "( .metadata.name )/".
	// The value "-" (ClaimPrefixingDisabled) can be used to disable all prefixing.
	// Resulting usernames starting with SystemPrefix ("system:") are ignored, which
	// matters most when prefixing is disabled and the claim value is used verbatim.
	UsernamePrefix *string `json:"usernamePrefix,omitempty"`

	// GroupsClaim, if specified, causes the OIDCAuthenticator to try to populate the user's
	// groups with an ID Token field. If the GroupsClaim field is present in an ID Token the value
	// must be a string or list of strings.
	GroupsClaim *string `json:"groupsClaim,omitempty"`

	// GroupsPrefix, if specified, causes claims mapping to group names to be prefixed with the
	// value. A value "oidc:" would result in groups like "oidc:engineering" and "oidc:marketing".
	//
	// If not provided, the prefix defaults to "( .metadata.name )/".
	// The value "-" (ClaimPrefixingDisabled) can be used to disable all prefixing.
	// As for usernames, resulting group names starting with SystemPrefix ("system:") are ignored.
	GroupsPrefix *string `json:"groupsPrefix,omitempty"`

	// SupportedSigningAlgs sets the accepted set of JOSE signing algorithms that
	// can be used by the provider to sign tokens.
	//
	// https://tools.ietf.org/html/rfc7518#section-3.1
	//
	// This value defaults to RS256, the value recommended by the OpenID Connect
	// spec:
	//
	// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
	//
	// Valid entries are the SigningAlgorithm constants (RS256 ... PS512), all of
	// which are asymmetric; no shared-secret (HMAC) algorithm is configurable here.
	SupportedSigningAlgs []SigningAlgorithm `json:"supportedSigningAlgs,omitempty"`

	// RequiredClaims, if specified, causes the OIDCAuthenticator to verify that all the
	// required claims key value pairs are present in the ID Token.
	RequiredClaims map[string]string `json:"requiredClaims,omitempty"`

	// ExtraClaims, if specified, causes the OIDCAuthenticator to copy listed claims to the
	// user Extra field.
	// Claims will be converted to lower case and prefixed with "gardener.cloud/user/" before being copied.
	// If any of the extra claims is not present in the token then the token will be rejected.
	ExtraClaims []string `json:"extraClaims,omitempty"`

	// CABundle is a PEM encoded CA bundle which will be used to validate the OpenID server's certificate.
	// If unspecified, system's trusted certificates are used.
	// Like every []byte field it is carried as base64 on the wire by encoding/json.
	CABundle []byte `json:"caBundle,omitempty"`

	// JWKS if specified, provides an option to specify JWKS keys offline.
	// When JWKS.Keys is non-empty the issuer's jwks_uri endpoint is not contacted (see JWKSSpec).
	JWKS JWKSSpec `json:"jwks,omitempty"`

	// MaxTokenExpirationSeconds if specified, sets a limit in seconds to the maximum validity duration of a token.
	// Tokens issued with validity greater than this value will not be verified.
	// Setting this will require that the tokens have the "iat" and "exp" claims.
	// The bound applies to the token's own iat-to-exp span, not to its remaining lifetime at verification time.
	MaxTokenExpirationSeconds *int64 `json:"maxTokenExpirationSeconds,omitempty"`
}

OIDCAuthenticationSpec defines the desired state of an OpenIDConnect resource.

func (*OIDCAuthenticationSpec) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCAuthenticationSpec.

func (*OIDCAuthenticationSpec) DeepCopyInto

func (in *OIDCAuthenticationSpec) DeepCopyInto(out *OIDCAuthenticationSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type OIDCAuthenticationStatus

// OIDCAuthenticationStatus is the observed state of an OpenIDConnect resource.
// It currently carries no fields.
type OIDCAuthenticationStatus struct{}

func (*OIDCAuthenticationStatus) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCAuthenticationStatus.

func (*OIDCAuthenticationStatus) DeepCopyInto

func (in *OIDCAuthenticationStatus) DeepCopyInto(out *OIDCAuthenticationStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type OpenIDConnect

// OpenIDConnect allows OpenID Connect providers used to authenticate against the
// kube-apiserver to be registered dynamically.
type OpenIDConnect struct {
	metav1.TypeMeta `json:",inline"`

	// The object name doubles as the default username/groups prefix ("<name>/"),
	// see OIDCAuthenticationSpec.UsernamePrefix and GroupsPrefix.
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec is the desired provider configuration; its JSON tag has no omitempty, so it is always emitted.
	// Status is the observed state and is currently empty.
	Spec   OIDCAuthenticationSpec   `json:"spec"`
	Status OIDCAuthenticationStatus `json:"status,omitempty"`
}

OpenIDConnect allows OpenID Connect providers used to authenticate against the kube-apiserver to be registered dynamically.

func (*OpenIDConnect) DeepCopy

func (in *OpenIDConnect) DeepCopy() *OpenIDConnect

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnect.

func (*OpenIDConnect) DeepCopyInto

func (in *OpenIDConnect) DeepCopyInto(out *OpenIDConnect)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*OpenIDConnect) DeepCopyObject

func (in *OpenIDConnect) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*OpenIDConnect) Default

func (r *OpenIDConnect) Default()

Default implements webhook.Defaulter so a webhook will be registered for the type

func (*OpenIDConnect) ValidateCreate

func (r *OpenIDConnect) ValidateCreate() (admission.Warnings, error)

ValidateCreate implements webhook.Validator so a webhook will be registered for the type

func (*OpenIDConnect) ValidateDelete

func (r *OpenIDConnect) ValidateDelete() (admission.Warnings, error)

ValidateDelete implements webhook.Validator so a webhook will be registered for the type

func (*OpenIDConnect) ValidateUpdate

func (r *OpenIDConnect) ValidateUpdate(old runtime.Object) (admission.Warnings, error)

ValidateUpdate implements webhook.Validator so a webhook will be registered for the type

type OpenIDConnectList

// OpenIDConnectList contains a list of OpenIDConnect.
type OpenIDConnectList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the listed objects; the JSON tag has no omitempty, so an empty list is emitted as an empty array.
	Items           []OpenIDConnect `json:"items"`
}

OpenIDConnectList contains a list of OpenIDConnect

func (*OpenIDConnectList) DeepCopy

func (in *OpenIDConnectList) DeepCopy() *OpenIDConnectList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnectList.

func (*OpenIDConnectList) DeepCopyInto

func (in *OpenIDConnectList) DeepCopyInto(out *OpenIDConnectList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*OpenIDConnectList) DeepCopyObject

func (in *OpenIDConnectList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type SigningAlgorithm

// SigningAlgorithm is a JOSE asymmetric signing algorithm value as defined by RFC 7518.
// The accepted values are the typed constants declared below.
type SigningAlgorithm string

SigningAlgorithm is a JOSE asymmetric signing algorithm value as defined by RFC 7518.

// Only asymmetric algorithms are enumerated; HMAC ("HS*") and "none" have no
// constant here, so a verifier configured from these values never relies on a
// shared secret.
const (
	// RS256 is RSASSA-PKCS-v1.5 using SHA-256
	// This is the default value, used when SupportedSigningAlgs is empty.
	RS256 SigningAlgorithm = "RS256"
	// RS384 is RSASSA-PKCS-v1.5 using SHA-384
	RS384 SigningAlgorithm = "RS384"
	// RS512 is RSASSA-PKCS-v1.5 using SHA-512
	RS512 SigningAlgorithm = "RS512"
	// ES256 is ECDSA using P-256 and SHA-256
	ES256 SigningAlgorithm = "ES256"
	// ES384 is ECDSA using P-384 and SHA-384
	ES384 SigningAlgorithm = "ES384"
	// ES512 is ECDSA using P-521 and SHA-512 (the curve is P-521, not P-512, per RFC 7518)
	ES512 SigningAlgorithm = "ES512"
	// PS256 is RSASSA-PSS using SHA256 and MGF1-SHA256
	PS256 SigningAlgorithm = "PS256"
	// PS384 is RSASSA-PSS using SHA384 and MGF1-SHA384
	PS384 SigningAlgorithm = "PS384"
	// PS512 is RSASSA-PSS using SHA512 and MGF1-SHA512
	PS512 SigningAlgorithm = "PS512"
)
