Overview ¶
Package v1alpha1 contains the API schema definitions for the authentication v1alpha1 API group (group name `authentication.gardener.cloud`). Code-generator markers on the package: `+kubebuilder:object:generate=true`, `+groupName=authentication.gardener.cloud`.
Constants ¶
const (
	// ClaimPrefixingDisabled is the sentinel value for UsernamePrefix and GroupsPrefix
	// that turns automatic prefixing of the username or groups claim off.
	// Without a prefix, identities asserted by this provider are no longer
	// namespaced per provider and can collide with identities from other
	// providers; only the SystemPrefix guard below still applies.
	ClaimPrefixingDisabled = "-"
	// SystemPrefix is a forbidden prefix. Usernames and groups starting with this
	// value will be ignored, so an identity provider cannot mint identities in the
	// prefix Kubernetes reserves for its own built-in users and groups.
	SystemPrefix = "system:"
)
Variables ¶
var (
	// GroupVersion is the group version used to register these objects.
	GroupVersion = schema.GroupVersion{Group: "authentication.gardener.cloud", Version: "v1alpha1"}

	// SchemeBuilder is used to add Go types to the GroupVersionKind scheme.
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)
Types ¶
type JWKSSpec ¶
type JWKSSpec struct {
	// Keys is a base64 encoded JSON Web Key Set. If specified, the OIDCAuthenticator
	// skips the request to the issuer's jwks_uri endpoint to retrieve the keys.
	// On the wire the value is base64 because encoding/json encodes []byte that way;
	// in Go the field holds the raw JWKS JSON.
	// Since discovery is skipped, keys rotated at the issuer are not picked up
	// until this field is updated — operators own key rotation when using it.
	Keys []byte `json:"keys,omitempty"`
	// +kubebuilder:default=true
	// DistributedClaims enables the OIDCAuthenticator to return references to claims
	// that are asserted by external Claims providers (OIDC Core 1.0, section 5.6.2).
	// NOTE(review): resolving distributed claims means following endpoint references
	// carried inside the token; this defaults to true, so the issuer is trusted to
	// point at acceptable endpoints. Confirm how the authenticator restricts these
	// fetches before relying on the default for untrusted issuers.
	DistributedClaims *bool `json:"distributedClaims,omitempty"`
}
JWKSSpec defines the configuration for specifying JWKS keys offline.
func (*JWKSSpec) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWKSSpec.
func (*JWKSSpec) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OIDCAuthenticationSpec ¶
type OIDCAuthenticationSpec struct {
	// IssuerURL is the URL the provider signs ID Tokens as. This will be the "iss"
	// field of all tokens produced by the provider and is used for configuration
	// discovery.
	//
	// The URL is usually the provider's URL without a path, for example
	// "https://foo.com" or "https://example.com".
	//
	// The provider must implement configuration discovery.
	// See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
	IssuerURL string `json:"issuerURL"`
	// ClientID is the audience for which the JWT must be issued, the "aud" field.
	//
	// The plugin supports the "authorized party" OpenID Connect claim ("azp"), which
	// allows specialized providers to issue tokens to a client for a different client.
	// See: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
	ClientID string `json:"clientID"`
	// UsernameClaim is the JWT field to use as the user's username.
	// Choose a claim the issuer guarantees to be unique and stable for a subject.
	// NOTE(review): the tag carries no omitempty, so a nil value is serialized as
	// null; whether the field is required or defaulted is not visible here — confirm.
	UsernameClaim *string `json:"usernameClaim"`
	// UsernamePrefix, if specified, causes claims mapping to username to be prefixed
	// with the provided value. A value "oidc:" would result in usernames like "oidc:john".
	//
	// If not provided, the prefix defaults to "( .metadata.name )/", which keeps
	// identities from different OpenIDConnect resources apart.
	// The value "-" (ClaimPrefixingDisabled) disables all prefixing; names starting
	// with SystemPrefix ("system:") are ignored regardless of this setting.
	UsernamePrefix *string `json:"usernamePrefix,omitempty"`
	// GroupsClaim, if specified, causes the OIDCAuthenticator to try to populate the user's
	// groups with an ID Token field. If the GroupsClaim field is present in an ID Token the value
	// must be a string or list of strings.
	GroupsClaim *string `json:"groupsClaim,omitempty"`
	// GroupsPrefix, if specified, causes claims mapping to group names to be prefixed with the
	// value. A value "oidc:" would result in groups like "oidc:engineering" and "oidc:marketing".
	//
	// If not provided, the prefix defaults to "( .metadata.name )/".
	// The value "-" (ClaimPrefixingDisabled) disables all prefixing; groups starting
	// with SystemPrefix ("system:") are ignored regardless of this setting.
	GroupsPrefix *string `json:"groupsPrefix,omitempty"`
	// SupportedSigningAlgs sets the accepted set of JOSE signing algorithms that
	// can be used by the provider to sign tokens.
	//
	// https://tools.ietf.org/html/rfc7518#section-3.1
	//
	// This value defaults to RS256, the value recommended by the OpenID Connect
	// spec:
	//
	// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
	//
	// SigningAlgorithm models asymmetric algorithms only. Keep this list to the
	// algorithms the issuer actually uses, so that a token signed with any other
	// algorithm is not accepted.
	SupportedSigningAlgs []SigningAlgorithm `json:"supportedSigningAlgs,omitempty"`
	// RequiredClaims, if specified, causes the OIDCAuthenticator to verify that all the
	// required claims key value pairs are present in the ID Token.
	// NOTE(review): the comparison semantics (exact string match vs. anything else)
	// are not visible from this type — confirm against the authenticator.
	RequiredClaims map[string]string `json:"requiredClaims,omitempty"`
	// ExtraClaims, if specified, causes the OIDCAuthenticator to copy listed claims to the
	// user Extra field.
	// Claims will be converted to lower case and prefixed with "gardener.cloud/user/" before being copied.
	// If any of the extra claims is not present in the token then the token will be rejected.
	ExtraClaims []string `json:"extraClaims,omitempty"`
	// CABundle is a PEM encoded CA bundle which will be used to validate the OpenID server's certificate.
	// If unspecified, system's trusted certificates are used. Set it explicitly for
	// issuers with a private CA rather than adding that CA to the system store.
	CABundle []byte `json:"caBundle,omitempty"`
	// JWKS if specified, provides an option to specify JWKS keys offline.
	// NOTE(review): omitempty has no effect on a non-pointer struct in encoding/json,
	// so this field is always serialized (as {} when unset). Harmless, but a pointer
	// would express optionality; changing the Go type would break existing callers.
	JWKS JWKSSpec `json:"jwks,omitempty"`
	// MaxTokenExpirationSeconds if specified, sets a limit in seconds to the maximum validity duration of a token.
	// Tokens issued with validity greater than this value will not be verified.
	// Setting this will require that the tokens have the "iat" and "exp" claims.
	MaxTokenExpirationSeconds *int64 `json:"maxTokenExpirationSeconds,omitempty"`
}
OIDCAuthenticationSpec defines the desired state of OpenIDConnect
func (*OIDCAuthenticationSpec) DeepCopy ¶
func (in *OIDCAuthenticationSpec) DeepCopy() *OIDCAuthenticationSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCAuthenticationSpec.
func (*OIDCAuthenticationSpec) DeepCopyInto ¶
func (in *OIDCAuthenticationSpec) DeepCopyInto(out *OIDCAuthenticationSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OIDCAuthenticationStatus ¶
// OIDCAuthenticationStatus defines the observed state of OpenIDConnect.
// It currently carries no fields; presumably reserved so a status can be added
// in a later revision without changing the object layout.
type OIDCAuthenticationStatus struct{}
func (*OIDCAuthenticationStatus) DeepCopy ¶
func (in *OIDCAuthenticationStatus) DeepCopy() *OIDCAuthenticationStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCAuthenticationStatus.
func (*OIDCAuthenticationStatus) DeepCopyInto ¶
func (in *OIDCAuthenticationStatus) DeepCopyInto(out *OIDCAuthenticationStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OpenIDConnect ¶
// OpenIDConnect allows dynamically registering OpenID Connect providers that are
// used to authenticate against the kube-apiserver.
type OpenIDConnect struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec holds the provider configuration. Creating or updating one of these
	// objects effectively adds a new trusted token issuer, so write access to this
	// resource should be restricted as tightly as cluster-admin credentials.
	Spec OIDCAuthenticationSpec `json:"spec"`
	// Status is currently empty (see OIDCAuthenticationStatus).
	Status OIDCAuthenticationStatus `json:"status,omitempty"`
}
OpenIDConnect allows dynamically registering OpenID Connect providers that are used to authenticate against the kube-apiserver. Because each object adds a trusted token issuer, write access to this resource is as sensitive as cluster-admin access.
func (*OpenIDConnect) DeepCopy ¶
func (in *OpenIDConnect) DeepCopy() *OpenIDConnect
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnect.
func (*OpenIDConnect) DeepCopyInto ¶
func (in *OpenIDConnect) DeepCopyInto(out *OpenIDConnect)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*OpenIDConnect) DeepCopyObject ¶
func (in *OpenIDConnect) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*OpenIDConnect) Default ¶
func (r *OpenIDConnect) Default()
Default implements webhook.Defaulter so a webhook will be registered for the type
func (*OpenIDConnect) ValidateCreate ¶
func (r *OpenIDConnect) ValidateCreate() (admission.Warnings, error)
ValidateCreate implements webhook.Validator so a webhook will be registered for the type
func (*OpenIDConnect) ValidateDelete ¶
func (r *OpenIDConnect) ValidateDelete() (admission.Warnings, error)
ValidateDelete implements webhook.Validator so a webhook will be registered for the type
func (*OpenIDConnect) ValidateUpdate ¶
ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
type OpenIDConnectList ¶
// OpenIDConnectList contains a list of OpenIDConnect.
type OpenIDConnectList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items are the OpenIDConnect objects in this list.
	Items []OpenIDConnect `json:"items"`
}
OpenIDConnectList contains a list of OpenIDConnect
func (*OpenIDConnectList) DeepCopy ¶
func (in *OpenIDConnectList) DeepCopy() *OpenIDConnectList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnectList.
func (*OpenIDConnectList) DeepCopyInto ¶
func (in *OpenIDConnectList) DeepCopyInto(out *OpenIDConnectList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*OpenIDConnectList) DeepCopyObject ¶
func (in *OpenIDConnectList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type SigningAlgorithm ¶
// SigningAlgorithm is a JOSE asymmetric signing algorithm value as defined by
// RFC 7518, section 3.1. Only asymmetric algorithms are modelled by the
// constants of this type; the symmetric HS* family and "none" are not among them.
type SigningAlgorithm string
SigningAlgorithm is a JOSE asymmetric signing algorithm value as defined by RFC 7518. Only asymmetric algorithms (RS*, ES*, PS*) are defined; symmetric HMAC algorithms and "none" are not.
// The set below is limited to asymmetric algorithms: the symmetric HS* family and
// "none" from RFC 7518 section 3.1 are absent from the type, so they cannot be
// listed in SupportedSigningAlgs. Whether unknown values are additionally rejected
// at admission time is not visible here.
const (
	// RS256 is RSASSA-PKCS1-v1_5 using SHA-256.
	// This is the default value when SupportedSigningAlgs is left empty.
	RS256 SigningAlgorithm = "RS256"
	// RS384 is RSASSA-PKCS1-v1_5 using SHA-384.
	RS384 SigningAlgorithm = "RS384"
	// RS512 is RSASSA-PKCS1-v1_5 using SHA-512.
	RS512 SigningAlgorithm = "RS512"
	// ES256 is ECDSA using P-256 and SHA-256.
	ES256 SigningAlgorithm = "ES256"
	// ES384 is ECDSA using P-384 and SHA-384.
	ES384 SigningAlgorithm = "ES384"
	// ES512 is ECDSA using P-521 and SHA-512.
	ES512 SigningAlgorithm = "ES512"
	// PS256 is RSASSA-PSS using SHA-256 and MGF1 with SHA-256.
	PS256 SigningAlgorithm = "PS256"
	// PS384 is RSASSA-PSS using SHA-384 and MGF1 with SHA-384.
	PS384 SigningAlgorithm = "PS384"
	// PS512 is RSASSA-PSS using SHA-512 and MGF1 with SHA-512.
	PS512 SigningAlgorithm = "PS512"
)