{
  "description": "JWTAuthenticator describes the configuration of a JWT authenticator.\n\nUpon receiving a signed JWT, a JWTAuthenticator will perform some validation on it (e.g., valid\nsignature, existence of claims, etc.) and extract the username and groups from the token.",
  "properties": {
    "apiVersion": {
      "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
      "type": "string"
    },
    "kind": {
      "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
      "type": "string"
    },
    "metadata": {
      "type": "object"
    },
    "spec": {
      "description": "Spec for configuring the authenticator.",
      "properties": {
        "audience": {
          "description": "Audience is the required value of the \"aud\" JWT claim.",
          "minLength": 1,
          "type": "string"
        },
        "claims": {
          "description": "Claims allows customization of the claims that will be mapped to user identity\nfor Kubernetes access.",
          "properties": {
            "groups": {
              "description": "Groups is the name of the claim which should be read to extract the user's\ngroup membership from the JWT token. When not specified, it will default to \"groups\".",
              "type": "string"
            },
            "username": {
              "description": "Username is the name of the claim which should be read to extract the\nusername from the JWT token. When not specified, it will default to \"username\".",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "issuer": {
          "description": "Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is\nalso used to validate the \"iss\" JWT claim.",
          "minLength": 1,
          "pattern": "^https://",
          "type": "string"
        },
        "tls": {
          "description": "TLS configuration for communicating with the OIDC provider.",
          "properties": {
            "certificateAuthorityData": {
              "description": "X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.",
              "type": "string"
            },
            "certificateAuthorityDataSource": {
              "description": "Reference to a CA bundle in a secret or a configmap.\nAny changes to the CA bundle in the secret or configmap will be dynamically reloaded.",
              "properties": {
                "key": {
                  "description": "Key is the key name within the secret or configmap from which to read the CA bundle.\nThe value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded\ncertificate bundle.",
                  "minLength": 1,
                  "type": "string"
                },
                "kind": {
                  "description": "Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.\nAllowed values are \"Secret\" or \"ConfigMap\".\n\"ConfigMap\" uses a Kubernetes configmap to source CA Bundles.\n\"Secret\" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.",
                  "enum": [
                    "Secret",
                    "ConfigMap"
                  ],
                  "type": "string"
                },
                "name": {
                  "description": "Name is the resource name of the secret or configmap from which to read the CA bundle.\nThe referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.",
                  "minLength": 1,
                  "type": "string"
                }
              },
              "required": [
                "key",
                "kind",
                "name"
              ],
              "type": "object",
              "additionalProperties": false
            }
          },
          "type": "object",
          "additionalProperties": false
        }
      },
      "required": [
        "audience",
        "issuer"
      ],
      "type": "object",
      "additionalProperties": false
    },
    "status": {
      "description": "Status of the authenticator.",
      "properties": {
        "conditions": {
          "description": "Represents the observations of the authenticator's current state.",
          "items": {
            "description": "Condition contains details for one aspect of the current state of this API Resource.",
            "properties": {
              "lastTransitionTime": {
                "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.",
                "format": "date-time",
                "type": "string"
              },
              "message": {
                "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.",
                "maxLength": 32768,
                "type": "string"
              },
              "observedGeneration": {
                "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.",
                "format": "int64",
                "minimum": 0,
                "type": "integer"
              },
              "reason": {
                "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.",
                "maxLength": 1024,
                "minLength": 1,
                "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
                "type": "string"
              },
              "status": {
                "description": "status of the condition, one of True, False, Unknown.",
                "enum": [
                  "True",
                  "False",
                  "Unknown"
                ],
                "type": "string"
              },
              "type": {
                "description": "type of condition in CamelCase or in foo.example.com/CamelCase.",
                "maxLength": 316,
                "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
                "type": "string"
              }
            },
            "required": [
              "lastTransitionTime",
              "message",
              "reason",
              "status",
              "type"
            ],
            "type": "object",
            "additionalProperties": false
          },
          "type": "array",
          "x-kubernetes-list-map-keys": [
            "type"
          ],
          "x-kubernetes-list-type": "map"
        },
        "phase": {
          "default": "Pending",
          "description": "Phase summarizes the overall status of the JWTAuthenticator.",
          "enum": [
            "Pending",
            "Ready",
            "Error"
          ],
          "type": "string"
        }
      },
      "type": "object",
      "additionalProperties": false
    }
  },
  "required": [
    "spec"
  ],
  "type": "object"
}
