|
| 1 | +apiVersion: apiextensions.k8s.io/v1 |
| 2 | +kind: CustomResourceDefinition |
| 3 | +metadata: |
| 4 | + annotations: |
| 5 | + api-approved.openshift.io: https://github.com/openshift/api/pull/470 |
| 6 | + api.openshift.io/merged-by-featuregates: "true" |
| 7 | + include.release.openshift.io/self-managed-high-availability: "true" |
| 8 | + release.openshift.io/bootstrap-required: "true" |
| 9 | + release.openshift.io/feature-set: OKD |
| 10 | + name: authentications.config.openshift.io |
| 11 | +spec: |
| 12 | + group: config.openshift.io |
| 13 | + names: |
| 14 | + kind: Authentication |
| 15 | + listKind: AuthenticationList |
| 16 | + plural: authentications |
| 17 | + singular: authentication |
| 18 | + scope: Cluster |
| 19 | + versions: |
| 20 | + - name: v1 |
| 21 | + schema: |
| 22 | + openAPIV3Schema: |
| 23 | + description: |- |
| 24 | + Authentication specifies cluster-wide settings for authentication (like OAuth and |
| 25 | + webhook token authenticators). The canonical name of an instance is `cluster`. |
| 26 | +
|
| 27 | + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). |
| 28 | + properties: |
| 29 | + apiVersion: |
| 30 | + description: |- |
| 31 | + APIVersion defines the versioned schema of this representation of an object. |
| 32 | + Servers should convert recognized schemas to the latest internal value, and |
| 33 | + may reject unrecognized values. |
| 34 | + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources |
| 35 | + type: string |
| 36 | + kind: |
| 37 | + description: |- |
| 38 | + Kind is a string value representing the REST resource this object represents. |
| 39 | + Servers may infer this from the endpoint the client submits requests to. |
| 40 | + Cannot be updated. |
| 41 | + In CamelCase. |
| 42 | + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds |
| 43 | + type: string |
| 44 | + metadata: |
| 45 | + type: object |
| 46 | + spec: |
| 47 | + description: spec holds user settable values for configuration |
| 48 | + properties: |
| 49 | + oauthMetadata: |
| 50 | + description: |- |
| 51 | + oauthMetadata contains the discovery endpoint data for OAuth 2.0 |
| 52 | + Authorization Server Metadata for an external OAuth server. |
| 53 | + This discovery document can be viewed from its served location: |
| 54 | + oc get --raw '/.well-known/oauth-authorization-server' |
| 55 | + For further details, see the IETF Draft: |
| 56 | + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 |
| 57 | + If oauthMetadata.name is non-empty, this value has precedence |
| 58 | + over any metadata reference stored in status. |
| 59 | + The key "oauthMetadata" is used to locate the data. |
| 60 | + If specified and the config map or expected key is not found, no metadata is served. |
| 61 | + If the specified metadata is not valid, no metadata is served. |
| 62 | + The namespace for this config map is openshift-config. |
| 63 | + properties: |
| 64 | + name: |
| 65 | + description: name is the metadata.name of the referenced config |
| 66 | + map |
| 67 | + type: string |
| 68 | + required: |
| 69 | + - name |
| 70 | + type: object |
| 71 | + serviceAccountIssuer: |
| 72 | + description: |- |
| 73 | + serviceAccountIssuer is the identifier of the bound service account token |
| 74 | + issuer. |
| 75 | + The default is https://kubernetes.default.svc |
| 76 | + WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the |
| 77 | + previous issuer value. Instead, the tokens issued by previous service account issuer will continue to |
| 78 | + be trusted for a time period chosen by the platform (currently set to 24h). |
| 79 | + This time period is subject to change over time. |
| 80 | + This allows internal components to transition to use new service account issuer without service distruption. |
| 81 | + type: string |
| 82 | + type: |
| 83 | + description: |- |
| 84 | + type identifies the cluster managed, user facing authentication mode in use. |
| 85 | + Specifically, it manages the component that responds to login attempts. |
| 86 | + The default is IntegratedOAuth. |
| 87 | + enum: |
| 88 | + - "" |
| 89 | + - None |
| 90 | + - IntegratedOAuth |
| 91 | + type: string |
| 92 | + webhookTokenAuthenticator: |
| 93 | + description: |- |
| 94 | + webhookTokenAuthenticator configures a remote token reviewer. |
| 95 | + These remote authentication webhooks can be used to verify bearer tokens |
| 96 | + via the tokenreviews.authentication.k8s.io REST API. This is required to |
| 97 | + honor bearer tokens that are provisioned by an external authentication service. |
| 98 | +
|
| 99 | + Can only be set if "Type" is set to "None". |
| 100 | + properties: |
| 101 | + kubeConfig: |
| 102 | + description: |- |
| 103 | + kubeConfig references a secret that contains kube config file data which |
| 104 | + describes how to access the remote webhook service. |
| 105 | + The namespace for the referenced secret is openshift-config. |
| 106 | +
|
| 107 | + For further details, see: |
| 108 | +
|
| 109 | + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication |
| 110 | +
|
| 111 | + The key "kubeConfig" is used to locate the data. |
| 112 | + If the secret or expected key is not found, the webhook is not honored. |
| 113 | + If the specified kube config data is not valid, the webhook is not honored. |
| 114 | + properties: |
| 115 | + name: |
| 116 | + description: name is the metadata.name of the referenced secret |
| 117 | + type: string |
| 118 | + required: |
| 119 | + - name |
| 120 | + type: object |
| 121 | + required: |
| 122 | + - kubeConfig |
| 123 | + type: object |
| 124 | + webhookTokenAuthenticators: |
| 125 | + description: webhookTokenAuthenticators is DEPRECATED, setting it |
| 126 | + has no effect. |
| 127 | + items: |
| 128 | + description: |- |
| 129 | + deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. |
| 130 | + It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. |
| 131 | + properties: |
| 132 | + kubeConfig: |
| 133 | + description: |- |
| 134 | + kubeConfig contains kube config file data which describes how to access the remote webhook service. |
| 135 | + For further details, see: |
| 136 | + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication |
| 137 | + The key "kubeConfig" is used to locate the data. |
| 138 | + If the secret or expected key is not found, the webhook is not honored. |
| 139 | + If the specified kube config data is not valid, the webhook is not honored. |
| 140 | + The namespace for this secret is determined by the point of use. |
| 141 | + properties: |
| 142 | + name: |
| 143 | + description: name is the metadata.name of the referenced |
| 144 | + secret |
| 145 | + type: string |
| 146 | + required: |
| 147 | + - name |
| 148 | + type: object |
| 149 | + type: object |
| 150 | + type: array |
| 151 | + x-kubernetes-list-type: atomic |
| 152 | + type: object |
| 153 | + status: |
| 154 | + description: status holds observed values from the cluster. They may not |
| 155 | + be overridden. |
| 156 | + properties: |
| 157 | + integratedOAuthMetadata: |
| 158 | + description: |- |
| 159 | + integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 |
| 160 | + Authorization Server Metadata for the in-cluster integrated OAuth server. |
| 161 | + This discovery document can be viewed from its served location: |
| 162 | + oc get --raw '/.well-known/oauth-authorization-server' |
| 163 | + For further details, see the IETF Draft: |
| 164 | + https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 |
| 165 | + This contains the observed value based on cluster state. |
| 166 | + An explicitly set value in spec.oauthMetadata has precedence over this field. |
| 167 | + This field has no meaning if authentication spec.type is not set to IntegratedOAuth. |
| 168 | + The key "oauthMetadata" is used to locate the data. |
| 169 | + If the config map or expected key is not found, no metadata is served. |
| 170 | + If the specified metadata is not valid, no metadata is served. |
| 171 | + The namespace for this config map is openshift-config-managed. |
| 172 | + properties: |
| 173 | + name: |
| 174 | + description: name is the metadata.name of the referenced config |
| 175 | + map |
| 176 | + type: string |
| 177 | + required: |
| 178 | + - name |
| 179 | + type: object |
| 180 | + type: object |
| 181 | + required: |
| 182 | + - spec |
| 183 | + type: object |
| 184 | + served: true |
| 185 | + storage: true |
| 186 | + subresources: |
| 187 | + status: {} |
0 commit comments