package v1

import (
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime"

	configv1 "github.com/openshift/api/config/v1"
)

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// OsinServerConfig is the top-level configuration of the OAuth server. It embeds the
// generic API server configuration and carries the OAuth-specific options in oauthConfig.
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type OsinServerConfig struct {
	metav1.TypeMeta `json:",inline"`

	// provides the standard apiserver configuration
	configv1.GenericAPIServerConfig `json:",inline"`

	// oauthConfig holds the necessary configuration options for OAuth authentication
	OAuthConfig OAuthConfig `json:"oauthConfig"`
}

// OAuthConfig holds the necessary configuration options for OAuth authentication
type OAuthConfig struct {
	// masterCA is the CA for verifying the TLS connection back to the MasterURL.
	// This field is deprecated and will be removed in a future release.
	// See loginURL for details.
	//
	// Deprecated: see loginURL.
	MasterCA *string `json:"masterCA"`

	// masterURL is used for making server-to-server calls to exchange authorization codes for access tokens
	// This field is deprecated and will be removed in a future release.
	// See loginURL for details.
	//
	// Deprecated: see loginURL.
	MasterURL string `json:"masterURL"`

	// masterPublicURL is used for building valid client redirect URLs for internal and external access
	// This field is deprecated and will be removed in a future release.
	// See loginURL for details.
	//
	// Deprecated: see loginURL.
	MasterPublicURL string `json:"masterPublicURL"`

	// loginURL, along with masterCA, masterURL and masterPublicURL have distinct
	// meanings depending on how the OAuth server is run. The two states are:
	// 1. embedded in the kube api server (all 3.x releases)
	// 2. as a standalone external process (all 4.x releases)
	// in the embedded configuration, loginURL is equivalent to masterPublicURL
	// and the other fields have functionality that matches their docs.
	// in the standalone configuration, the fields are used as:
	// loginURL is the URL required to login to the cluster:
	// oc login --server=<loginURL>
	// masterPublicURL is the issuer URL
	// it is accessible from inside (service network) and outside (ingress) of the cluster
	// masterURL is the loopback variation of the token_endpoint URL with no path component
	// it is only accessible from inside (service network) of the cluster
	// masterCA is used to perform TLS verification for connections made to masterURL
	// For further details, see the IETF Draft:
	// https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2
	LoginURL string `json:"loginURL"`

	// assetPublicURL is used for building valid client redirect URLs for external access
	AssetPublicURL string `json:"assetPublicURL"`

	// alwaysShowProviderSelection will force the provider selection page to render even when there is only a single provider.
	AlwaysShowProviderSelection bool `json:"alwaysShowProviderSelection"`

	// identityProviders is an ordered list of ways for a user to identify themselves
	IdentityProviders []IdentityProvider `json:"identityProviders"`

	// grantConfig describes how to handle grants
	GrantConfig GrantConfig `json:"grantConfig"`

	// sessionConfig hold information about configuring sessions.
	SessionConfig *SessionConfig `json:"sessionConfig"`

	// tokenConfig contains options for authorization and access tokens
	TokenConfig TokenConfig `json:"tokenConfig"`

	// templates allow you to customize pages like the login page.
	Templates *OAuthTemplates `json:"templates"`
}

// OAuthTemplates allow for customization of pages like the login page
type OAuthTemplates struct {
	// login is a path to a file containing a go template used to render the login page.
	// If unspecified, the default login page is used.
	Login string `json:"login"`

	// providerSelection is a path to a file containing a go template used to render the provider selection page.
	// If unspecified, the default provider selection page is used.
	ProviderSelection string `json:"providerSelection"`

	// error is a path to a file containing a go template used to render error pages during the authentication or grant flow
	// If unspecified, the default error page is used.
	Error string `json:"error"`
}

// IdentityProvider provides identities for users authenticating using credentials
type IdentityProvider struct {
	// name is used to qualify the identities returned by this provider
	Name string `json:"name"`
	// challenge indicates whether to issue WWW-Authenticate challenges for this provider
	UseAsChallenger bool `json:"challenge"`
	// login indicates whether to use this identity provider for unauthenticated browsers to login against
	UseAsLogin bool `json:"login"`
	// mappingMethod determines how identities from this provider are mapped to users
	MappingMethod string `json:"mappingMethod"`
	// provider contains the information about how to set up a specific identity provider
	// (one of the *IdentityProvider types declared below, carried as an untyped extension).
	// +kubebuilder:pruning:PreserveUnknownFields
	Provider runtime.RawExtension `json:"provider"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// BasicAuthPasswordIdentityProvider provides identities for users authenticating using HTTP basic auth credentials
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type BasicAuthPasswordIdentityProvider struct {
	metav1.TypeMeta `json:",inline"`

	// RemoteConnectionInfo contains information about how to connect to the external basic auth server
	configv1.RemoteConnectionInfo `json:",inline"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// AllowAllPasswordIdentityProvider provides identities for users authenticating using non-empty passwords
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type AllowAllPasswordIdentityProvider struct {
	metav1.TypeMeta `json:",inline"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// DenyAllPasswordIdentityProvider provides no identities for users
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type DenyAllPasswordIdentityProvider struct {
	metav1.TypeMeta `json:",inline"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// HTPasswdPasswordIdentityProvider provides identities for users authenticating using htpasswd credentials
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type HTPasswdPasswordIdentityProvider struct {
	metav1.TypeMeta `json:",inline"`

	// file is a reference to your htpasswd file
	File string `json:"file"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// LDAPPasswordIdentityProvider provides identities for users authenticating using LDAP credentials
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type LDAPPasswordIdentityProvider struct {
	metav1.TypeMeta `json:",inline"`
	// url is an RFC 2255 URL which specifies the LDAP search parameters to use. The syntax of the URL is
	// ldap://host:port/basedn?attribute?scope?filter
	URL string `json:"url"`
	// bindDN is an optional DN to bind with during the search phase.
	BindDN string `json:"bindDN"`
	// bindPassword is an optional password to bind with during the search phase.
	BindPassword configv1.StringSource `json:"bindPassword"`

	// insecure, if true, indicates the connection should not use TLS.
	// Cannot be set to true with a URL scheme of "ldaps://"
	// If false, "ldaps://" URLs connect using TLS, and "ldap://" URLs are upgraded to a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830
	// Without TLS the bind credentials and the directory search results travel unencrypted.
	Insecure bool `json:"insecure"`
	// ca is the optional trusted certificate authority bundle to use when making requests to the server
	// If empty, the default system roots are used
	CA string `json:"ca"`
	// attributes maps LDAP attributes to identities
	Attributes LDAPAttributeMapping `json:"attributes"`
}

// LDAPAttributeMapping maps LDAP attributes to OpenShift identity fields
type LDAPAttributeMapping struct {
	// id is the list of attributes whose values should be used as the user ID. Required.
	// LDAP standard identity attribute is "dn"
	ID []string `json:"id"`
	// preferredUsername is the list of attributes whose values should be used as the preferred username.
	// LDAP standard login attribute is "uid"
	PreferredUsername []string `json:"preferredUsername"`
	// name is the list of attributes whose values should be used as the display name. Optional.
	// If unspecified, no display name is set for the identity
	// LDAP standard display name attribute is "cn"
	Name []string `json:"name"`
	// email is the list of attributes whose values should be used as the email address. Optional.
	// If unspecified, no email is set for the identity
	Email []string `json:"email"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// KeystonePasswordIdentityProvider provides identities for users authenticating using keystone password credentials
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type KeystonePasswordIdentityProvider struct {
	metav1.TypeMeta `json:",inline"`
	// RemoteConnectionInfo contains information about how to connect to the keystone server
	configv1.RemoteConnectionInfo `json:",inline"`
	// domainName is required for keystone v3
	DomainName string `json:"domainName"`
	// useKeystoneIdentity flag indicates that user should be authenticated by keystone ID, not by username
	UseKeystoneIdentity bool `json:"useKeystoneIdentity"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// RequestHeaderIdentityProvider provides identities for users authenticating using request header credentials
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type RequestHeaderIdentityProvider struct {
	metav1.TypeMeta `json:",inline"`

	// loginURL is a URL to redirect unauthenticated /authorize requests to
	// Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here
	// ${url} is replaced with the current URL, escaped to be safe in a query parameter
	// https://www.example.com/sso-login?then=${url}
	// ${query} is replaced with the current query string
	// https://www.example.com/auth-proxy/oauth/authorize?${query}
	LoginURL string `json:"loginURL"`

	// challengeURL is a URL to redirect unauthenticated /authorize requests to
	// Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be redirected here
	// ${url} is replaced with the current URL, escaped to be safe in a query parameter
	// https://www.example.com/sso-login?then=${url}
	// ${query} is replaced with the current query string
	// https://www.example.com/auth-proxy/oauth/authorize?${query}
	ChallengeURL string `json:"challengeURL"`

	// clientCA is a file with the trusted signer certs. If empty, no request verification is done, and any direct request to the OAuth server can impersonate any identity from this provider, merely by setting a request header.
	// Restricting the signer bundle to the authenticating proxy's CA is therefore what ties the headers below to a trusted source.
	ClientCA string `json:"clientCA"`
	// clientCommonNames is an optional list of common names to require a match from. If empty, any client certificate validated against the clientCA bundle is considered authoritative.
	ClientCommonNames []string `json:"clientCommonNames"`

	// headers is the set of headers to check for identity information
	Headers []string `json:"headers"`
	// preferredUsernameHeaders is the set of headers to check for the preferred username
	PreferredUsernameHeaders []string `json:"preferredUsernameHeaders"`
	// nameHeaders is the set of headers to check for the display name
	NameHeaders []string `json:"nameHeaders"`
	// emailHeaders is the set of headers to check for the email address
	EmailHeaders []string `json:"emailHeaders"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// GitHubIdentityProvider provides identities for users authenticating using GitHub credentials
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type GitHubIdentityProvider struct {
	metav1.TypeMeta `json:",inline"`

	// clientID is the oauth client ID
	ClientID string `json:"clientID"`
	// clientSecret is the oauth client secret
	ClientSecret configv1.StringSource `json:"clientSecret"`
	// organizations optionally restricts which organizations are allowed to log in
	Organizations []string `json:"organizations"`
	// teams optionally restricts which teams are allowed to log in. Format is <org>/<team>.
	Teams []string `json:"teams"`
	// hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of GitHub Enterprise.
	// It must match the GitHub Enterprise settings value that is configured at /setup/settings#hostname.
	Hostname string `json:"hostname"`
	// ca is the optional trusted certificate authority bundle to use when making requests to the server.
	// If empty, the default system roots are used. This can only be configured when hostname is set to a non-empty value.
	CA string `json:"ca"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// GitLabIdentityProvider provides identities for users authenticating using GitLab credentials
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type GitLabIdentityProvider struct {
	metav1.TypeMeta `json:",inline"`

	// ca is the optional trusted certificate authority bundle to use when making requests to the server
	// If empty, the default system roots are used
	CA string `json:"ca"`
	// url is the oauth server base URL
	URL string `json:"url"`
	// clientID is the oauth client ID
	ClientID string `json:"clientID"`
	// clientSecret is the oauth client secret
	ClientSecret configv1.StringSource `json:"clientSecret"`
	// legacy determines if OAuth2 or OIDC should be used
	// If true, OAuth2 is used
	// If false, OIDC is used
	// If nil and the URL's host is gitlab.com, OIDC is used
	// Otherwise, OAuth2 is used
	// In a future release, nil will default to using OIDC
	// Eventually this flag will be removed and only OIDC will be used
	Legacy *bool `json:"legacy,omitempty"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// GoogleIdentityProvider provides identities for users authenticating using Google credentials
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type GoogleIdentityProvider struct {
	metav1.TypeMeta `json:",inline"`

	// clientID is the oauth client ID
	ClientID string `json:"clientID"`
	// clientSecret is the oauth client secret
	ClientSecret configv1.StringSource `json:"clientSecret"`

	// hostedDomain is the optional Google App domain (e.g. "mycompany.com") to restrict logins to
	HostedDomain string `json:"hostedDomain"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// OpenIDIdentityProvider provides identities for users authenticating using OpenID credentials
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type OpenIDIdentityProvider struct {
	metav1.TypeMeta `json:",inline"`

	// ca is the optional trusted certificate authority bundle to use when making requests to the server
	// If empty, the default system roots are used
	CA string `json:"ca"`

	// clientID is the oauth client ID
	ClientID string `json:"clientID"`
	// clientSecret is the oauth client secret
	ClientSecret configv1.StringSource `json:"clientSecret"`

	// extraScopes are any scopes to request in addition to the standard "openid" scope.
	ExtraScopes []string `json:"extraScopes"`

	// extraAuthorizeParameters are any custom parameters to add to the authorize request.
	ExtraAuthorizeParameters map[string]string `json:"extraAuthorizeParameters"`

	// urls to use to authenticate
	URLs OpenIDURLs `json:"urls"`

	// claims mappings
	Claims OpenIDClaims `json:"claims"`
}

// OpenIDURLs are URLs to use when authenticating with an OpenID identity provider
type OpenIDURLs struct {
	// authorize is the oauth authorization URL
	Authorize string `json:"authorize"`
	// token is the oauth token granting URL
	Token string `json:"token"`
	// userInfo is the optional userinfo URL.
	// If present, a granted access_token is used to request claims
	// If empty, a granted id_token is parsed for claims
	UserInfo string `json:"userInfo"`
}

// OpenIDClaims contains a list of OpenID claims to use when authenticating with an OpenID identity provider
type OpenIDClaims struct {
	// id is the list of claims whose values should be used as the user ID. Required.
	// OpenID standard identity claim is "sub"
	ID []string `json:"id"`
	// preferredUsername is the list of claims whose values should be used as the preferred username.
	// If unspecified, the preferred username is determined from the value of the id claim
	PreferredUsername []string `json:"preferredUsername"`
	// name is the list of claims whose values should be used as the display name. Optional.
	// If unspecified, no display name is set for the identity
	Name []string `json:"name"`
	// email is the list of claims whose values should be used as the email address. Optional.
	// If unspecified, no email is set for the identity
	Email []string `json:"email"`
	// groups is the list of claims value of which should be used to synchronize groups
	// from the OIDC provider to OpenShift for the user
	Groups []string `json:"groups"`
}

// GrantConfig holds the necessary configuration options for grant handlers
type GrantConfig struct {
	// method determines the default strategy to use when an OAuth client requests a grant.
	// This method will be used only if the specific OAuth client doesn't provide a strategy
	// of their own. Valid grant handling methods are:
	// - auto: always approves grant requests, useful for trusted clients
	// - prompt: prompts the end user for approval of grant requests, useful for third-party clients
	// - deny: always denies grant requests, useful for black-listed clients
	Method GrantHandlerType `json:"method"`

	// serviceAccountMethod is used for determining client authorization for service account oauth client.
	// It must be either: deny, prompt
	ServiceAccountMethod GrantHandlerType `json:"serviceAccountMethod"`
}

// GrantHandlerType names a grant handling strategy; the valid values are the GrantHandler* constants below.
type GrantHandlerType string

const (
	// auto auto-approves client authorization grant requests
	GrantHandlerAuto GrantHandlerType = "auto"
	// prompt prompts the user to approve new client authorization grant requests
	GrantHandlerPrompt GrantHandlerType = "prompt"
	// deny auto-denies client authorization grant requests
	GrantHandlerDeny GrantHandlerType = "deny"
)

// SessionConfig specifies options for cookie-based sessions. Used by AuthRequestHandlerSession
type SessionConfig struct {
	// sessionSecretsFile is a reference to a file containing a serialized SessionSecrets object
	// If no file is specified, a random signing and encryption key are generated at each server start
	// (so sessions issued before a restart can no longer be authenticated afterwards).
	SessionSecretsFile string `json:"sessionSecretsFile"`
	// sessionMaxAgeSeconds specifies how long created sessions last. Used by AuthRequestHandlerSession
	SessionMaxAgeSeconds int32 `json:"sessionMaxAgeSeconds"`
	// sessionName is the cookie name used to store the session
	SessionName string `json:"sessionName"`
}

// TokenConfig holds the necessary configuration options for authorization and access tokens
type TokenConfig struct {
	// authorizeTokenMaxAgeSeconds defines the maximum age of authorize tokens
	AuthorizeTokenMaxAgeSeconds int32 `json:"authorizeTokenMaxAgeSeconds,omitempty"`
	// accessTokenMaxAgeSeconds defines the maximum age of access tokens
	AccessTokenMaxAgeSeconds int32 `json:"accessTokenMaxAgeSeconds,omitempty"`
	// accessTokenInactivityTimeoutSeconds - DEPRECATED: setting this field has no effect.
	//
	// Deprecated: setting this field has no effect; use accessTokenInactivityTimeout.
	// +optional
	AccessTokenInactivityTimeoutSeconds *int32 `json:"accessTokenInactivityTimeoutSeconds,omitempty"`
	// accessTokenInactivityTimeout defines the token inactivity timeout
	// for tokens granted by any client.
	// The value represents the maximum amount of time that can occur between
	// consecutive uses of the token. Tokens become invalid if they are not
	// used within this temporal window. The user will need to acquire a new
	// token to regain access once a token times out. Takes valid time
	// duration string such as "5m", "1.5h" or "2h45m". The minimum allowed
	// value for duration is 300s (5 minutes). If the timeout is configured
	// per client, then that value takes precedence. If the timeout value is
	// not specified and the client does not override the value, then tokens
	// are valid until their lifetime.
	// +optional
	AccessTokenInactivityTimeout *metav1.Duration `json:"accessTokenInactivityTimeout,omitempty"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// SessionSecrets list the secrets to use to sign/encrypt and authenticate/decrypt created sessions.
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type SessionSecrets struct {
	metav1.TypeMeta `json:",inline"`

	// Secrets is a list of secrets
	// New sessions are signed and encrypted using the first secret.
	// Existing sessions are decrypted/authenticated by each secret until one succeeds. This allows rotating secrets.
	Secrets []SessionSecret `json:"secrets"`
}

// SessionSecret is a secret used to authenticate/decrypt cookie-based sessions
type SessionSecret struct {
	// Authentication is used to authenticate sessions using HMAC. Recommended to use a secret with 32 or 64 bytes.
	Authentication string `json:"authentication"`
	// Encryption is used to encrypt sessions. Must be 16, 24, or 32 characters long, to select AES-128, AES-192, or AES-256.
	Encryption string `json:"encryption"`
}