1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
|
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: authentications.config.openshift.io
spec:
group: config.openshift.io
names:
kind: Authentication
listKind: AuthenticationList
plural: authentications
singular: authentication
scope: Cluster
preserveUnknownFields: false
subresources:
status: {}
versions:
- name: v1
served: true
storage: true
"validation":
"openAPIV3Schema":
description: Authentication specifies cluster-wide settings for authentication
(like OAuth and webhook token authenticators). The canonical name of an instance
is `cluster`.
type: object
required:
- spec
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: spec holds user settable values for configuration
type: object
properties:
oauthMetadata:
description: 'oauthMetadata contains the discovery endpoint data for
OAuth 2.0 Authorization Server Metadata for an external OAuth server.
This discovery document can be viewed from its served location: oc
get --raw ''/.well-known/oauth-authorization-server'' For further
details, see the IETF Draft: https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2
If oauthMetadata.name is non-empty, this value has precedence over
any metadata reference stored in status. The key "oauthMetadata" is
used to locate the data. If specified and the config map or expected
key is not found, no metadata is served. If the specified metadata
is not valid, no metadata is served. The namespace for this config
map is openshift-config.'
type: object
required:
- name
properties:
name:
description: name is the metadata.name of the referenced config
map
type: string
type:
description: type identifies the cluster managed, user facing authentication
mode in use. Specifically, it manages the component that responds
to login attempts. The default is IntegratedOAuth.
type: string
webhookTokenAuthenticators:
description: webhookTokenAuthenticators configures remote token reviewers.
These remote authentication webhooks can be used to verify bearer
tokens via the tokenreviews.authentication.k8s.io REST API. This
is required to honor bearer tokens that are provisioned by an external
authentication service. The namespace for these secrets is openshift-config.
type: array
items:
description: webhookTokenAuthenticator holds the necessary configuration
options for a remote token authenticator
type: object
properties:
kubeConfig:
description: 'kubeConfig contains kube config file data which
describes how to access the remote webhook service. For further
details, see: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
The key "kubeConfig" is used to locate the data. If the secret
or expected key is not found, the webhook is not honored. If
the specified kube config data is not valid, the webhook is
not honored. The namespace for this secret is determined by
the point of use.'
type: object
required:
- name
properties:
name:
description: name is the metadata.name of the referenced secret
type: string
status:
description: status holds observed values from the cluster. They may not
be overridden.
type: object
properties:
integratedOAuthMetadata:
description: 'integratedOAuthMetadata contains the discovery endpoint
data for OAuth 2.0 Authorization Server Metadata for the in-cluster
integrated OAuth server. This discovery document can be viewed from
its served location: oc get --raw ''/.well-known/oauth-authorization-server''
For further details, see the IETF Draft: https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2
This contains the observed value based on cluster state. An explicitly
set value in spec.oauthMetadata has precedence over this field. This
field has no meaning if authentication spec.type is not set to IntegratedOAuth.
The key "oauthMetadata" is used to locate the data. If the config
map or expected key is not found, no metadata is served. If the specified
metadata is not valid, no metadata is served. The namespace for this
config map is openshift-config-managed.'
type: object
required:
- name
properties:
name:
description: name is the metadata.name of the referenced config
map
type: string
|
