# CustomResourceDefinition for the cluster-scoped `OAuth` resource
# (config.openshift.io/v1). Per the schema description below, the canonical
# instance is named `cluster` and configures the integrated OAuth server.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    # Upstream API review record for this CRD.
    api-approved.openshift.io: https://github.com/openshift/api/pull/470
    # NOTE(review): these presumably select the release profiles that ship this
    # CRD — confirm. The values are deliberately the string "true", not a boolean.
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
  name: oauths.config.openshift.io
spec:
  group: config.openshift.io
  names:
    kind: OAuth
    listKind: OAuthList
    plural: oauths
    singular: oauth
  # Cluster-scoped (not namespaced); the description below names the canonical `cluster` instance.
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: "OAuth holds cluster-wide information about OAuth. The canonical name is `cluster`. It is used to configure the integrated OAuth server. This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth. \n Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer)."
        type: object
        # spec is the only required top-level field; status is observed-only (see its description).
        required:
        - spec
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: spec holds user settable values for configuration
            type: object
            properties:
              # Every secret/config-map reference in this section stores only the
              # object name; the descriptions state that each is resolved in the
              # openshift-config namespace. No secret material is held in this resource.
              identityProviders:
                description: identityProviders is an ordered list of ways for a user to identify themselves. When this list is empty, no identities are provisioned for users.
                type: array
                items:
                  description: IdentityProvider provides identities for users authenticating using credentials
                  type: object
                  # NOTE(review): `type` (declared last in this object) is presumably
                  # expected to match one of the provider-specific sub-objects below;
                  # the schema itself does not enforce that pairing — confirm.
                  properties:
                    basicAuth:
                      description: basicAuth contains configuration options for the BasicAuth IdP
                      type: object
                      properties:
                        # Optional CA bundle; when omitted the system roots are used (see description).
                        ca:
                          description: ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. It is used as a trust anchor to validate the TLS certificate presented by the remote server. The key "ca.crt" is used to locate the data. If specified and the config map or expected key is not found, the identity provider is not honored. If the specified ca data is not valid, the identity provider is not honored. If empty, the default system roots are used. The namespace for this config map is openshift-config.
                          type: object
                          required:
                          - name
                          properties:
                            name:
                              description: name is the metadata.name of the referenced config map
                              type: string
                        # Client certificate and key are two separate secret references (tls.crt / tls.key).
                        tlsClientCert:
                          description: tlsClientCert is an optional reference to a secret by name that contains the PEM-encoded TLS client certificate to present when connecting to the server. The key "tls.crt" is used to locate the data. If specified and the secret or expected key is not found, the identity provider is not honored. If the specified certificate data is not valid, the identity provider is not honored. The namespace for this secret is openshift-config.
                          type: object
                          required:
                          - name
                          properties:
                            name:
                              description: name is the metadata.name of the referenced secret
                              type: string
                        tlsClientKey:
                          description: tlsClientKey is an optional reference to a secret by name that contains the PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. The key "tls.key" is used to locate the data. If specified and the secret or expected key is not found, the identity provider is not honored. If the specified certificate data is not valid, the identity provider is not honored. The namespace for this secret is openshift-config.
                          type: object
                          required:
                          - name
                          properties:
                            name:
                              description: name is the metadata.name of the referenced secret
                              type: string
                        # NOTE(review): no format/pattern constraint on the URL here; presumably validated by the consumer.
                        url:
                          description: url is the remote URL to connect to
                          type: string
                    github:
                      description: github enables user authentication using GitHub credentials
                      type: object
                      properties:
                        # Per the description, `ca` is only meaningful together with a non-empty `hostname`.
                        ca:
                          description: ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. It is used as a trust anchor to validate the TLS certificate presented by the remote server. The key "ca.crt" is used to locate the data. If specified and the config map or expected key is not found, the identity provider is not honored. If the specified ca data is not valid, the identity provider is not honored. If empty, the default system roots are used. This can only be configured when hostname is set to a non-empty value. The namespace for this config map is openshift-config.
                          type: object
                          required:
                          - name
                          properties:
                            name:
                              description: name is the metadata.name of the referenced config map
                              type: string
                        clientID:
                          description: clientID is the oauth client ID
                          type: string
                        # The client secret itself lives in the referenced secret (key "clientSecret"), not here.
                        clientSecret:
                          description: clientSecret is a required reference to the secret by name containing the oauth client secret. The key "clientSecret" is used to locate the data. If the secret or expected key is not found, the identity provider is not honored. The namespace for this secret is openshift-config.
                          type: object
                          required:
                          - name
                          properties:
                            name:
                              description: name is the metadata.name of the referenced secret
                              type: string
                        hostname:
                          description: hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of GitHub Enterprise. It must match the GitHub Enterprise settings value configured at /setup/settings#hostname.
                          type: string
                        # organizations/teams narrow who may log in; both are optional per their descriptions.
                        organizations:
                          description: organizations optionally restricts which organizations are allowed to log in
                          type: array
                          items:
                            type: string
                        teams:
                          description: teams optionally restricts which teams are allowed to log in. Format is <org>/<team>.
                          type: array
                          items:
                            type: string
                    gitlab:
                      description: gitlab enables user authentication using GitLab credentials
                      type: object
                      properties:
                        ca:
                          description: ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. It is used as a trust anchor to validate the TLS certificate presented by the remote server. The key "ca.crt" is used to locate the data. If specified and the config map or expected key is not found, the identity provider is not honored. If the specified ca data is not valid, the identity provider is not honored. If empty, the default system roots are used. The namespace for this config map is openshift-config.
                          type: object
                          required:
                          - name
                          properties:
                            name:
                              description: name is the metadata.name of the referenced config map
                              type: string
                        clientID:
                          description: clientID is the oauth client ID
                          type: string
                        clientSecret:
                          description: clientSecret is a required reference to the secret by name containing the oauth client secret. The key "clientSecret" is used to locate the data. If the secret or expected key is not found, the identity provider is not honored. The namespace for this secret is openshift-config.
                          type: object
                          required:
                          - name
                          properties:
                            name:
                              description: name is the metadata.name of the referenced secret
                              type: string
                        url:
                          description: url is the oauth server base URL
                          type: string
                    google:
                      description: google enables user authentication using Google credentials
                      type: object
                      properties:
                        clientID:
                          description: clientID is the oauth client ID
                          type: string
                        clientSecret:
                          description: clientSecret is a required reference to the secret by name containing the oauth client secret. The key "clientSecret" is used to locate the data. If the secret or expected key is not found, the identity provider is not honored. The namespace for this secret is openshift-config.
                          type: object
                          required:
                          - name
                          properties:
                            name:
                              description: name is the metadata.name of the referenced secret
                              type: string
                        # Optional allow-list by Google domain; without it any Google account is accepted per the description.
                        hostedDomain:
                          description: hostedDomain is the optional Google App domain (e.g. "mycompany.com") to restrict logins to
                          type: string
                    htpasswd:
                      description: htpasswd enables user authentication using an HTPasswd file to validate credentials
                      type: object
                      properties:
                        # The htpasswd file contents are read from the referenced secret (key "htpasswd").
                        fileData:
                          description: fileData is a required reference to a secret by name containing the data to use as the htpasswd file. The key "htpasswd" is used to locate the data. If the secret or expected key is not found, the identity provider is not honored. If the specified htpasswd data is not valid, the identity provider is not honored. The namespace for this secret is openshift-config.
                          type: object
                          required:
                          - name
                          properties:
                            name:
                              description: name is the metadata.name of the referenced secret
                              type: string
                    keystone:
                      description: keystone enables user authentication using keystone password credentials
                      type: object
                      properties:
                        ca:
                          description: ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. It is used as a trust anchor to validate the TLS certificate presented by the remote server. The key "ca.crt" is used to locate the data. If specified and the config map or expected key is not found, the identity provider is not honored. If the specified ca data is not valid, the identity provider is not honored. If empty, the default system roots are used. The namespace for this config map is openshift-config.
                          type: object
                          required:
                          - name
                          properties:
                            name:
                              description: name is the metadata.name of the referenced config map
                              type: string
                        # NOTE(review): described as required for keystone v3, but not listed under `required` here — confirm intent.
                        domainName:
                          description: domainName is required for keystone v3
                          type: string
                        tlsClientCert:
                          description: tlsClientCert is an optional reference to a secret by name that contains the PEM-encoded TLS client certificate to present when connecting to the server. The key "tls.crt" is used to locate the data. If specified and the secret or expected key is not found, the identity provider is not honored. If the specified certificate data is not valid, the identity provider is not honored. The namespace for this secret is openshift-config.
                          type: object
                          required:
                          - name
                          properties:
                            name:
                              description: name is the metadata.name of the referenced secret
                              type: string
                        tlsClientKey:
                          description: tlsClientKey is an optional reference to a secret by name that contains the PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. The key "tls.key" is used to locate the data. If specified and the secret or expected key is not found, the identity provider is not honored. If the specified certificate data is not valid, the identity provider is not honored. The namespace for this secret is openshift-config.
                          type: object
                          required:
                          - name
                          properties:
                            name:
                              description: name is the metadata.name of the referenced secret
                              type: string
                        url:
                          description: url is the remote URL to connect to
                          type: string
                    ldap:
                      description: ldap enables user authentication using LDAP credentials
                      type: object
                      properties:
                        # Maps LDAP attributes onto identity fields; each is a list tried in order (see `id`).
                        attributes:
                          description: attributes maps LDAP attributes to identities
                          type: object
                          properties:
                            email:
                              description: email is the list of attributes whose values should be used as the email address. Optional. If unspecified, no email is set for the identity
                              type: array
                              items:
                                type: string
                            # NOTE(review): described as required with at least one entry, but no
                            # `required`/minItems constraint is declared here — confirm where that is enforced.
                            id:
                              description: id is the list of attributes whose values should be used as the user ID. Required. First non-empty attribute is used. At least one attribute is required. If none of the listed attribute have a value, authentication fails. LDAP standard identity attribute is "dn"
                              type: array
                              items:
                                type: string
                            name:
                              description: name is the list of attributes whose values should be used as the display name. Optional. If unspecified, no display name is set for the identity LDAP standard display name attribute is "cn"
                              type: array
                              items:
                                type: string
                            preferredUsername:
                              description: preferredUsername is the list of attributes whose values should be used as the preferred username. LDAP standard login attribute is "uid"
                              type: array
                              items:
                                type: string
                        bindDN:
                          description: bindDN is an optional DN to bind with during the search phase.
                          type: string
                        # The bind password is referenced by secret name (key "bindPassword"), never stored inline.
                        bindPassword:
                          description: bindPassword is an optional reference to a secret by name containing a password to bind with during the search phase. The key "bindPassword" is used to locate the data. If specified and the secret or expected key is not found, the identity provider is not honored. The namespace for this secret is openshift-config.
                          type: object
                          required:
                          - name
                          properties:
                            name:
                              description: name is the metadata.name of the referenced secret
                              type: string
                        ca:
                          description: ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. It is used as a trust anchor to validate the TLS certificate presented by the remote server. The key "ca.crt" is used to locate the data. If specified and the config map or expected key is not found, the identity provider is not honored. If the specified ca data is not valid, the identity provider is not honored. If empty, the default system roots are used. The namespace for this config map is openshift-config.
                          type: object
                          required:
                          - name
                          properties:
                            name:
                              description: name is the metadata.name of the referenced config map
                              type: string
                        # Security: when true, `ldap://` connections are made without TLS; when false
                        # they are upgraded with StartTLS (RFC 2830). Per the description, `ldaps://`
                        # URLs always use TLS regardless of this flag.
                        insecure:
                          description: 'insecure, if true, indicates the connection should not use TLS WARNING: Should not be set to `true` with the URL scheme "ldaps://" as "ldaps://" URLs always attempt to connect using TLS, even when `insecure` is set to `true` When `true`, "ldap://" URLS connect insecurely. When `false`, "ldap://" URLs are upgraded to a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830.'
                          type: boolean
                        url:
                          description: 'url is an RFC 2255 URL which specifies the LDAP search parameters to use. The syntax of the URL is: ldap://host:port/basedn?attribute?scope?filter'
                          type: string
                    # NOTE(review): no enum declared; the description gives "claim" as the default.
                    mappingMethod:
                      description: mappingMethod determines how identities from this provider are mapped to users Defaults to "claim"
                      type: string
                    # NOTE(review): the uniqueness and path-segment rules in the description are not
                    # expressed as schema constraints (no pattern); presumably validated by the consumer.
                    name:
                      description: 'name is used to qualify the identities returned by this provider. - It MUST be unique and not shared by any other identity provider used - It MUST be a valid path segment: name cannot equal "." or ".." or contain "/" or "%" or ":" Ref: https://godoc.org/github.com/openshift/origin/pkg/user/apis/user/validation#ValidateIdentityProviderName'
                      type: string
                    openID:
                      description: openID enables user authentication using OpenID credentials
                      type: object
                      properties:
                        ca:
                          description: ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. It is used as a trust anchor to validate the TLS certificate presented by the remote server. The key "ca.crt" is used to locate the data. If specified and the config map or expected key is not found, the identity provider is not honored. If the specified ca data is not valid, the identity provider is not honored. If empty, the default system roots are used. The namespace for this config map is openshift-config.
                          type: object
                          required:
                          - name
                          properties:
                            name:
                              description: name is the metadata.name of the referenced config map
                              type: string
                        # Claim-to-identity mappings; each list is atomic (replaced as a whole on merge).
                        claims:
                          description: claims mappings
                          type: object
                          properties:
                            email:
                              description: email is the list of claims whose values should be used as the email address. Optional. If unspecified, no email is set for the identity
                              type: array
                              items:
                                type: string
                              x-kubernetes-list-type: atomic
                            # Unlike the other claim lists, each groups entry must be non-empty (minLength: 1).
                            groups:
                              description: groups is the list of claims value of which should be used to synchronize groups from the OIDC provider to OpenShift for the user. If multiple claims are specified, the first one with a non-empty value is used.
                              type: array
                              items:
                                description: OpenIDClaim represents a claim retrieved from an OpenID provider's tokens or userInfo responses
                                type: string
                                minLength: 1
                              x-kubernetes-list-type: atomic
                            name:
                              description: name is the list of claims whose values should be used as the display name. Optional. If unspecified, no display name is set for the identity
                              type: array
                              items:
                                type: string
                              x-kubernetes-list-type: atomic
                            preferredUsername:
                              description: preferredUsername is the list of claims whose values should be used as the preferred username. If unspecified, the preferred username is determined from the value of the sub claim
                              type: array
                              items:
                                type: string
                              x-kubernetes-list-type: atomic
                        clientID:
                          description: clientID is the oauth client ID
                          type: string
                        clientSecret:
                          description: clientSecret is a required reference to the secret by name containing the oauth client secret. The key "clientSecret" is used to locate the data. If the secret or expected key is not found, the identity provider is not honored. The namespace for this secret is openshift-config.
                          type: object
                          required:
                          - name
                          properties:
                            name:
                              description: name is the metadata.name of the referenced secret
                              type: string
                        # Free-form string map appended to the authorize request; no key/value constraints declared.
                        extraAuthorizeParameters:
                          description: extraAuthorizeParameters are any custom parameters to add to the authorize request.
                          type: object
                          additionalProperties:
                            type: string
                        extraScopes:
                          description: extraScopes are any scopes to request in addition to the standard "openid" scope.
                          type: array
                          items:
                            type: string
                        # NOTE(review): the https-only / no-query-or-fragment requirement in the description is
                        # not expressed as a schema constraint (no pattern/format); presumably validated by the consumer.
                        issuer:
                          description: issuer is the URL that the OpenID Provider asserts as its Issuer Identifier. It must use the https scheme with no query or fragment component.
                          type: string
                    requestHeader:
                      description: requestHeader enables user authentication using request header credentials
                      type: object
                      properties:
                        # Security: `ca` is required here (unlike the optional `ca` of the other providers).
                        # Per the description it validates the certificate presented with incoming requests
                        # so that identity headers cannot be spoofed by arbitrary callers.
                        ca:
                          description: ca is a required reference to a config map by name containing the PEM-encoded CA bundle. It is used as a trust anchor to validate the TLS certificate presented by the remote server. Specifically, it allows verification of incoming requests to prevent header spoofing. The key "ca.crt" is used to locate the data. If the config map or expected key is not found, the identity provider is not honored. If the specified ca data is not valid, the identity provider is not honored. The namespace for this config map is openshift-config.
                          type: object
                          required:
                          - name
                          properties:
                            name:
                              description: name is the metadata.name of the referenced config map
                              type: string
                        # NOTE(review): described as required for the challenge flow, but `requestHeader`
                        # declares no `required` list; presumably enforced by the consumer — confirm.
                        challengeURL:
                          description: challengeURL is a URL to redirect unauthenticated /authorize requests to Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be redirected here. ${url} is replaced with the current URL, escaped to be safe in a query parameter https://www.example.com/sso-login?then=${url} ${query} is replaced with the current query string https://www.example.com/auth-proxy/oauth/authorize?${query} Required when challenge is set to true.
                          type: string
                        # Security: an empty list means any certificate that chains to `ca` may assert
                        # identity headers (see description); listing expected CNs narrows that to specific callers.
                        clientCommonNames:
                          description: clientCommonNames is an optional list of common names to require a match from. If empty, any client certificate validated against the clientCA bundle is considered authoritative.
                          type: array
                          items:
                            type: string
                        emailHeaders:
                          description: emailHeaders is the set of headers to check for the email address
                          type: array
                          items:
                            type: string
                        headers:
                          description: headers is the set of headers to check for identity information
                          type: array
                          items:
                            type: string
                        loginURL:
                          description: loginURL is a URL to redirect unauthenticated /authorize requests to Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here ${url} is replaced with the current URL, escaped to be safe in a query parameter https://www.example.com/sso-login?then=${url} ${query} is replaced with the current query string https://www.example.com/auth-proxy/oauth/authorize?${query} Required when login is set to true.
                          type: string
                        nameHeaders:
                          description: nameHeaders is the set of headers to check for the display name
                          type: array
                          items:
                            type: string
                        preferredUsernameHeaders:
                          description: preferredUsernameHeaders is the set of headers to check for the preferred username
                          type: array
                          items:
                            type: string
                    # NOTE(review): no enum is declared, so the provider type is not validated by
                    # the API server schema; presumably checked by the consumer.
                    type:
                      description: type identifies the identity provider type for this entry.
                      type: string
                # atomic: the whole identityProviders list is replaced as a unit rather than merged per item.
                x-kubernetes-list-type: atomic
              templates:
                description: templates allow you to customize pages like the login page.
                type: object
                properties:
                  # Each template is a secret reference; per the descriptions, a missing or invalid
                  # template falls back to the default page rather than failing.
                  error:
                    description: error is the name of a secret that specifies a go template to use to render error pages during the authentication or grant flow. The key "errors.html" is used to locate the template data. If specified and the secret or expected key is not found, the default error page is used. If the specified template is not valid, the default error page is used. If unspecified, the default error page is used. The namespace for this secret is openshift-config.
                    type: object
                    required:
                    - name
                    properties:
                      name:
                        description: name is the metadata.name of the referenced secret
                        type: string
                  login:
                    description: login is the name of a secret that specifies a go template to use to render the login page. The key "login.html" is used to locate the template data. If specified and the secret or expected key is not found, the default login page is used. If the specified template is not valid, the default login page is used. If unspecified, the default login page is used. The namespace for this secret is openshift-config.
                    type: object
                    required:
                    - name
                    properties:
                      name:
                        description: name is the metadata.name of the referenced secret
                        type: string
                  providerSelection:
                    description: providerSelection is the name of a secret that specifies a go template to use to render the provider selection page. The key "providers.html" is used to locate the template data. If specified and the secret or expected key is not found, the default provider selection page is used. If the specified template is not valid, the default provider selection page is used. If unspecified, the default provider selection page is used. The namespace for this secret is openshift-config.
                    type: object
                    required:
                    - name
                    properties:
                      name:
                        description: name is the metadata.name of the referenced secret
                        type: string
              tokenConfig:
                description: tokenConfig contains options for authorization and access tokens
                type: object
                properties:
                  # Duration string (e.g. "5m"); minimum 300s per the description. Changing it
                  # does not lower the timeout of tokens that already exist.
                  accessTokenInactivityTimeout:
                    description: "accessTokenInactivityTimeout defines the token inactivity timeout for tokens granted by any client. The value represents the maximum amount of time that can occur between consecutive uses of the token. Tokens become invalid if they are not used within this temporal window. The user will need to acquire a new token to regain access once a token times out. Takes valid time duration string such as \"5m\", \"1.5h\" or \"2h45m\". The minimum allowed value for duration is 300s (5 minutes). If the timeout is configured per client, then that value takes precedence. If the timeout value is not specified and the client does not override the value, then tokens are valid until their lifetime. \n WARNING: existing tokens' timeout will not be affected (lowered) by changing this value"
                    type: string
                  # Deprecated: per its description this field has no effect; use accessTokenInactivityTimeout.
                  accessTokenInactivityTimeoutSeconds:
                    description: 'accessTokenInactivityTimeoutSeconds - DEPRECATED: setting this field has no effect.'
                    type: integer
                    format: int32
                  # NOTE(review): no minimum/maximum declared here; bounds presumably enforced elsewhere.
                  accessTokenMaxAgeSeconds:
                    description: accessTokenMaxAgeSeconds defines the maximum age of access tokens
                    type: integer
                    format: int32
          # No status properties are declared in this schema version.
          status:
            description: status holds observed values from the cluster. They may not be overridden.
            type: object
    served: true
    storage: true
    subresources:
      # Enables the /status subresource for this version.
      status: {}