    Overview ¶
Package v1alpha1 contains API Schema definitions for the authentication v1alpha1 API group +kubebuilder:object:generate=true +groupName=authentication.gardener.cloud
Index ¶
Constants ¶
const (
	// ClaimPrefixingDisabled is the sentinel value for UsernamePrefix and GroupsPrefix
	// that turns off prefixing of the mapped username or groups entirely.
	// Without a prefix, names asserted by the external provider land directly in the
	// cluster's identity namespace, so the SystemPrefix filter below is what keeps an
	// issuer from claiming identities reserved for cluster components.
	ClaimPrefixingDisabled = "-"
	// SystemPrefix is a forbidden prefix. Usernames and groups starting with this value
	// will be ignored, so that an external provider cannot assert reserved identities
	// such as the "system:masters" group or "system:" service-account style usernames.
	// NOTE(review): only a literal prefix match is described here; confirm in the
	// authenticator implementation whether the comparison is case-sensitive.
	SystemPrefix = "system:"
)
Variables ¶
var (
	// GroupVersion is the group version used to register these objects.
	GroupVersion = schema.GroupVersion{Group: "authentication.gardener.cloud", Version: "v1alpha1"}

	// SchemeBuilder is used to add Go types to the GroupVersionKind scheme.
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)
Functions ¶
This section is empty.
Types ¶
type JWKSSpec ¶
type JWKSSpec struct {
	// `keys` is a base64 encoded JSON Web Key Set. If specified, the OIDCAuthenticator
	// skips the request to the issuer's jwks_uri endpoint to retrieve the keys and
	// verifies token signatures against these keys instead.
	// Because discovery is bypassed, key rotation at the provider is not picked up
	// automatically: the operator must update this field when the provider's signing
	// keys change, and should drop retired keys so tokens signed with them stop verifying.
	Keys []byte `json:"keys,omitempty"`
	// +kubebuilder:default=true
	// `distributedClaims` enables the OIDCAuthenticator to return references to claims
	// that are asserted by external Claims providers.
	// NOTE(review): resolving distributed claims means following endpoints named inside
	// the token; confirm in the implementation which trust checks (TLS trust, issuer
	// binding) apply to those fetches before relying on the default of true.
	DistributedClaims *bool `json:"distributedClaims,omitempty"`
}
    JWKSSpec defines the configuration for specifying JWKS keys offline.
func (*JWKSSpec) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWKSSpec.
func (*JWKSSpec) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OIDCAuthenticationSpec ¶
// OIDCAuthenticationSpec defines the desired state of OpenIDConnect: which issuer is
// trusted, how its tokens are validated, and how token claims are mapped onto
// Kubernetes usernames and groups.
type OIDCAuthenticationSpec struct {
	// IssuerURL is the URL the provider signs ID Tokens as. This will be the "iss"
	// field of all tokens produced by the provider and is used for configuration
	// discovery.
	//
	// The URL is usually the provider's URL without a path, for example
	// "https://foo.com" or "https://example.com".
	//
	// The provider must implement configuration discovery.
	// See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
	//
	// Discovery is performed against this URL, so its TLS trust is governed by
	// CABundle (or the system store when CABundle is unset). Tokens whose "iss"
	// differs from this value, even by a trailing slash, are not tokens of this provider.
	IssuerURL string `json:"issuerURL"`
	// ClientID is the audience for which the JWT must be issued for, the "aud" field.
	//
	// The plugin supports the "authorized party" OpenID Connect claim, which allows
	// specialized providers to issue tokens to a client for a different client.
	// See: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
	//
	// Use a client registered solely for this cluster: any token the provider issues
	// to this audience is accepted as an identity here.
	ClientID string `json:"clientID"`
	// UsernameClaim is the JWT field to use as the user's username.
	// Choose a claim the provider guarantees to be unique and stable per user;
	// the result is combined with UsernamePrefix (see below) before use.
	UsernameClaim *string `json:"usernameClaim"`
	// UsernamePrefix, if specified, causes claims mapping to username to be prefixed with
	// the provided value. A value "oidc:" would result in usernames like "oidc:john".
	//
	// If not provided, the prefix defaults to "( .metadata.name )/".
	// The value "-" (ClaimPrefixingDisabled) can be used to disable all prefixing.
	// The default keeps usernames from different OpenIDConnect resources disjoint;
	// with prefixing disabled, names from the provider collide with every other
	// identity source, and only the SystemPrefix filter guards reserved names.
	UsernamePrefix *string `json:"usernamePrefix,omitempty"`
	// GroupsClaim, if specified, causes the OIDCAuthenticator to try to populate the user's
	// groups with an ID Token field. If the GroupsClaim field is present in an ID Token the value
	// must be a string or list of strings.
	GroupsClaim *string `json:"groupsClaim,omitempty"`
	// GroupsPrefix, if specified, causes claims mapping to group names to be prefixed with the
	// value. A value "oidc:" would result in groups like "oidc:engineering" and "oidc:marketing".
	//
	// If not provided, the prefix defaults to "( .metadata.name )/".
	// The value "-" (ClaimPrefixingDisabled) can be used to disable all prefixing.
	// Group names carry RBAC bindings, so disabling the prefix lets the provider
	// assert any group name except those starting with SystemPrefix.
	GroupsPrefix *string `json:"groupsPrefix,omitempty"`
	// SupportedSigningAlgs sets the accepted set of JOSE signing algorithms that
	// can be used by the provider to sign tokens.
	//
	// https://tools.ietf.org/html/rfc7518#section-3.1
	//
	// This value defaults to RS256, the value recommended by the OpenID Connect
	// spec:
	//
	// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
	//
	// Only the asymmetric algorithms enumerated by SigningAlgorithm are valid here;
	// symmetric (HS*) algorithms and "none" are not representable. Keep the list
	// restricted to the algorithm(s) the provider actually uses.
	SupportedSigningAlgs []SigningAlgorithm `json:"supportedSigningAlgs,omitempty"`
	// RequiredClaims, if specified, causes the OIDCAuthenticator to verify that all the
	// required claims key value pairs are present in the ID Token.
	// Values are strings; presumably only string-valued claims with an exact match
	// satisfy a requirement — confirm against the authenticator implementation.
	RequiredClaims map[string]string `json:"requiredClaims,omitempty"`
	// ExtraClaims, if specified, causes the OIDCAuthenticator to copy listed claims to the
	// user Extra field.
	// Claims will be converted to lower case and prefixed with "gardener.cloud/user/" before being copied.
	// If any of the extra claims is not present in the token then the token will be rejected.
	ExtraClaims []string `json:"extraClaims,omitempty"`
	// CABundle is a PEM encoded CA bundle which will be used to validate the OpenID server's certificate.
	// If unspecified, system's trusted certificates are used.
	// Setting it explicitly pins trust for discovery and jwks_uri fetches to the
	// provider's CA instead of every CA in the system store.
	CABundle []byte `json:"caBundle,omitempty"`
	// JWKS if specified, provides an option to specify JWKS keys offline.
	// NOTE(review): `omitempty` has no effect on a non-pointer struct field in
	// encoding/json, so this field is always serialized; it is kept as-is for
	// wire compatibility.
	JWKS JWKSSpec `json:"jwks,omitempty"`
	// MaxTokenExpirationSeconds if specified, sets a limit in seconds to the maximum validity duration of a token.
	// Tokens issued with validity greater than this value will not be verified.
	// Setting this will require that the tokens have the "iat" and "exp" claims.
	// This bounds how long a stolen token stays usable regardless of how long-lived
	// the provider is willing to issue tokens.
	MaxTokenExpirationSeconds *int64 `json:"maxTokenExpirationSeconds,omitempty"`
}
    OIDCAuthenticationSpec defines the desired state of OpenIDConnect
func (*OIDCAuthenticationSpec) DeepCopy ¶
func (in *OIDCAuthenticationSpec) DeepCopy() *OIDCAuthenticationSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCAuthenticationSpec.
func (*OIDCAuthenticationSpec) DeepCopyInto ¶
func (in *OIDCAuthenticationSpec) DeepCopyInto(out *OIDCAuthenticationSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OIDCAuthenticationStatus ¶
// OIDCAuthenticationStatus is the status of an OpenIDConnect resource.
// It currently carries no fields; the type exists so that the status subresource
// can be extended without changing the API surface.
type OIDCAuthenticationStatus struct{}
    OIDCAuthenticationStatus is the status of an OpenIDConnect resource.
func (*OIDCAuthenticationStatus) DeepCopy ¶
func (in *OIDCAuthenticationStatus) DeepCopy() *OIDCAuthenticationStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCAuthenticationStatus.
func (*OIDCAuthenticationStatus) DeepCopyInto ¶
func (in *OIDCAuthenticationStatus) DeepCopyInto(out *OIDCAuthenticationStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OpenIDConnect ¶
// OpenIDConnect allows OpenID Connect providers used to authenticate against the
// kube-apiserver to be registered dynamically.
//
// Each instance is a trust anchor: tokens from Spec.IssuerURL are turned into
// cluster identities according to Spec. Whoever may create or update these
// resources can therefore introduce identities into the cluster, so write access
// to this kind should be restricted to cluster administrators.
type OpenIDConnect struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// Spec is the desired configuration of the provider and the claim mapping.
	Spec   OIDCAuthenticationSpec   `json:"spec"`
	// Status is the observed state; currently empty.
	Status OIDCAuthenticationStatus `json:"status,omitempty"`
}
    OpenIDConnect allows OpenID Connect providers used to authenticate against the kube-apiserver to be registered dynamically. Each resource is a trust anchor for identities, so write access to this kind should be limited to cluster administrators.
func (*OpenIDConnect) DeepCopy ¶
func (in *OpenIDConnect) DeepCopy() *OpenIDConnect
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnect.
func (*OpenIDConnect) DeepCopyInto ¶
func (in *OpenIDConnect) DeepCopyInto(out *OpenIDConnect)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*OpenIDConnect) DeepCopyObject ¶
func (in *OpenIDConnect) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type OpenIDConnectList ¶
// OpenIDConnectList contains a list of OpenIDConnect resources.
type OpenIDConnectList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the OpenIDConnect resources in this list.
	Items           []OpenIDConnect `json:"items"`
}
    OpenIDConnectList contains a list of OpenIDConnect resources.
func (*OpenIDConnectList) DeepCopy ¶
func (in *OpenIDConnectList) DeepCopy() *OpenIDConnectList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnectList.
func (*OpenIDConnectList) DeepCopyInto ¶
func (in *OpenIDConnectList) DeepCopyInto(out *OpenIDConnectList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*OpenIDConnectList) DeepCopyObject ¶
func (in *OpenIDConnectList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type SigningAlgorithm ¶
// SigningAlgorithm is a JOSE asymmetric signing algorithm value as defined by RFC 7518.
// Only the constants declared below are meaningful; no symmetric or "none" value exists.
type SigningAlgorithm string
SigningAlgorithm is a JOSE asymmetric signing algorithm value as defined by RFC 7518; only the asymmetric algorithms listed below are representable.
// The set below deliberately contains only asymmetric algorithms: ID Tokens are
// verified against the provider's public keys, so HMAC-based (HS*) algorithms and
// "none" — which would let a holder of the public key or of nothing at all forge
// tokens — are not representable as a SigningAlgorithm.
const (
	// RS256 is RSASSA-PKCS-v1.5 using SHA-256.
	// This is the default value.
	RS256 SigningAlgorithm = "RS256"
	// RS384 is RSASSA-PKCS-v1.5 using SHA-384.
	RS384 SigningAlgorithm = "RS384"
	// RS512 is RSASSA-PKCS-v1.5 using SHA-512.
	RS512 SigningAlgorithm = "RS512"
	// ES256 is ECDSA using P-256 and SHA-256.
	ES256 SigningAlgorithm = "ES256"
	// ES384 is ECDSA using P-384 and SHA-384.
	ES384 SigningAlgorithm = "ES384"
	// ES512 is ECDSA using P-521 and SHA-512.
	ES512 SigningAlgorithm = "ES512"
	// PS256 is RSASSA-PSS using SHA256 and MGF1-SHA256.
	PS256 SigningAlgorithm = "PS256"
	// PS384 is RSASSA-PSS using SHA384 and MGF1-SHA384.
	PS384 SigningAlgorithm = "PS384"
	// PS512 is RSASSA-PSS using SHA512 and MGF1-SHA512.
	PS512 SigningAlgorithm = "PS512"
)