package v1

import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// Authentication specifies cluster-wide settings for authentication (like OAuth and
// webhook token authenticators). The canonical name of an instance is `cluster`.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type Authentication struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// spec holds user settable values for configuration
	// +kubebuilder:validation:Required
	// +required
	Spec AuthenticationSpec `json:"spec"`
	// status holds observed values from the cluster. They may not be overridden.
	// +optional
	Status AuthenticationStatus `json:"status"`
}

// AuthenticationSpec holds the user settable authentication configuration for the
// cluster: the managed authentication mode, an optional external OAuth discovery
// document, an optional remote token reviewer, and the bound service account
// token issuer.
type AuthenticationSpec struct {
	// type identifies the cluster managed, user facing authentication mode in use.
	// Specifically, it manages the component that responds to login attempts.
	// The default is IntegratedOAuth.
	// +optional
	Type AuthenticationType `json:"type"`

	// oauthMetadata contains the discovery endpoint data for OAuth 2.0
	// Authorization Server Metadata for an external OAuth server.
	// This discovery document can be viewed from its served location:
	// oc get --raw '/.well-known/oauth-authorization-server'
	// For further details, see the IETF Draft:
	// https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2
	// If oauthMetadata.name is non-empty, this value has precedence
	// over any metadata reference stored in status.
	// The key "oauthMetadata" is used to locate the data.
	// If specified and the config map or expected key is not found, no metadata is served.
	// If the specified metadata is not valid, no metadata is served.
	// The namespace for this config map is openshift-config.
	// +optional
	OAuthMetadata ConfigMapNameReference `json:"oauthMetadata"`

	// webhookTokenAuthenticators is DEPRECATED, setting it has no effect.
	// Entries placed here are ignored; a remote token reviewer is configured
	// through webhookTokenAuthenticator below.
	WebhookTokenAuthenticators []DeprecatedWebhookTokenAuthenticator `json:"webhookTokenAuthenticators,omitempty"`

	// webhookTokenAuthenticator configures a remote token reviewer.
	// These remote authentication webhooks can be used to verify bearer tokens
	// via the tokenreviews.authentication.k8s.io REST API. This is required to
	// honor bearer tokens that are provisioned by an external authentication service.
	// The remote reviewer's verdict is what decides whether such a bearer token is
	// honored, so the kubeconfig secret it references (and the reviewer endpoint that
	// kubeconfig points at) form a trust boundary for cluster authentication.
	// +optional
	WebhookTokenAuthenticator *WebhookTokenAuthenticator `json:"webhookTokenAuthenticator,omitempty"`

	// serviceAccountIssuer is the identifier of the bound service account token
	// issuer.
	// The default is https://kubernetes.default.svc
	// WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the
	// previous issuer value. Instead, the tokens issued by previous service account issuer will continue to
	// be trusted for a time period chosen by the platform (currently set to 24h).
	// This time period is subject to change over time.
	// This allows internal components to transition to use new service account issuer without service disruption.
	// +optional
	ServiceAccountIssuer string `json:"serviceAccountIssuer"`
}

// AuthenticationStatus holds values observed from the cluster. They are not user
// settable and may not be overridden.
type AuthenticationStatus struct {
	// integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0
	// Authorization Server Metadata for the in-cluster integrated OAuth server.
	// This discovery document can be viewed from its served location:
	// oc get --raw '/.well-known/oauth-authorization-server'
	// For further details, see the IETF Draft:
	// https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2
	// This contains the observed value based on cluster state.
	// An explicitly set value in spec.oauthMetadata has precedence over this field.
	// This field has no meaning if authentication spec.type is not set to IntegratedOAuth.
	// The key "oauthMetadata" is used to locate the data.
	// If the config map or expected key is not found, no metadata is served.
	// If the specified metadata is not valid, no metadata is served.
	// The namespace for this config map is openshift-config-managed.
	IntegratedOAuthMetadata ConfigMapNameReference `json:"integratedOAuthMetadata"`

	// TODO if we add support for an in-cluster operator managed Keycloak instance
	// KeycloakOAuthMetadata ConfigMapNameReference `json:"keycloakOAuthMetadata"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// AuthenticationList is a list of Authentication objects.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type AuthenticationList struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard list's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ListMeta `json:"metadata"`

	// items is the list of Authentication objects.
	Items []Authentication `json:"items"`
}

// AuthenticationType identifies the cluster managed, user facing authentication
// mode in use. The known values are the AuthenticationType* constants below.
type AuthenticationType string

const (
	// None means that no cluster managed authentication system is in place.
	// Note that user login will only work if a manually configured system is in place and
	// referenced in authentication spec via oauthMetadata and webhookTokenAuthenticators.
	AuthenticationTypeNone AuthenticationType = "None"

	// IntegratedOAuth refers to the cluster managed OAuth server.
	// It is configured via the top level OAuth config.
	AuthenticationTypeIntegratedOAuth AuthenticationType = "IntegratedOAuth"

	// TODO if we add support for an in-cluster operator managed Keycloak instance
	// AuthenticationTypeKeycloak AuthenticationType = "Keycloak"
)

// deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator.
// It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field,
// so an empty kubeConfig reference is not rejected by schema validation alone.
type DeprecatedWebhookTokenAuthenticator struct {
	// kubeConfig contains kube config file data which describes how to access the remote webhook service.
	// For further details, see:
	// https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
	// The key "kubeConfig" is used to locate the data.
	// If the secret or expected key is not found, the webhook is not honored.
	// If the specified kube config data is not valid, the webhook is not honored.
	// The namespace for this secret is determined by the point of use.
	KubeConfig SecretNameReference `json:"kubeConfig"`
}

// webhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator.
type WebhookTokenAuthenticator struct {
	// kubeConfig references a secret that contains kube config file data which
	// describes how to access the remote webhook service.
	// The namespace for the referenced secret is openshift-config.
	//
	// For further details, see:
	//
	// https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
	//
	// The key "kubeConfig" is used to locate the data.
	// If the secret or expected key is not found, the webhook is not honored.
	// If the specified kube config data is not valid, the webhook is not honored.
	// The kube config data typically carries the credentials and server address used
	// to reach the token reviewer, so the referenced secret should be handled as
	// sensitive material.
	// +kubebuilder:validation:Required
	// +required
	KubeConfig SecretNameReference `json:"kubeConfig"`
}

const (
	// OAuthMetadataKey is the key for the oauth authorization server metadata
	// in the config maps referenced by spec.oauthMetadata and status.integratedOAuthMetadata.
	OAuthMetadataKey = "oauthMetadata"

	// KubeConfigKey is the key for the kube config file data in a secret
	// referenced by a webhook token authenticator's kubeConfig field.
	KubeConfigKey = "kubeConfig"
)