1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
|
package v1
import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// Authentication specifies cluster-wide settings for authentication (like OAuth and
// webhook token authenticators). The canonical name of an instance is `cluster`.
type Authentication struct {
metav1.TypeMeta `json:",inline"`
// Standard object's metadata.
metav1.ObjectMeta `json:"metadata,omitempty"`
// spec holds user settable values for configuration
// +kubebuilder:validation:Required
// +required
Spec AuthenticationSpec `json:"spec"`
// status holds observed values from the cluster. They may not be overridden.
// +optional
Status AuthenticationStatus `json:"status"`
}
type AuthenticationSpec struct {
// type identifies the cluster managed, user facing authentication mode in use.
// Specifically, it manages the component that responds to login attempts.
// The default is IntegratedOAuth.
// +optional
Type AuthenticationType `json:"type"`
// oauthMetadata contains the discovery endpoint data for OAuth 2.0
// Authorization Server Metadata for an external OAuth server.
// This discovery document can be viewed from its served location:
// oc get --raw '/.well-known/oauth-authorization-server'
// For further details, see the IETF Draft:
// https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2
// If oauthMetadata.name is non-empty, this value has precedence
// over any metadata reference stored in status.
// The key "oauthMetadata" is used to locate the data.
// If specified and the config map or expected key is not found, no metadata is served.
// If the specified metadata is not valid, no metadata is served.
// The namespace for this config map is openshift-config.
// +optional
OAuthMetadata ConfigMapNameReference `json:"oauthMetadata"`
// webhookTokenAuthenticators configures remote token reviewers.
// These remote authentication webhooks can be used to verify bearer tokens
// via the tokenreviews.authentication.k8s.io REST API. This is required to
// honor bearer tokens that are provisioned by an external authentication service.
// The namespace for these secrets is openshift-config.
// +optional
WebhookTokenAuthenticators []WebhookTokenAuthenticator `json:"webhookTokenAuthenticators,omitempty"`
}
type AuthenticationStatus struct {
// integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0
// Authorization Server Metadata for the in-cluster integrated OAuth server.
// This discovery document can be viewed from its served location:
// oc get --raw '/.well-known/oauth-authorization-server'
// For further details, see the IETF Draft:
// https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2
// This contains the observed value based on cluster state.
// An explicitly set value in spec.oauthMetadata has precedence over this field.
// This field has no meaning if authentication spec.type is not set to IntegratedOAuth.
// The key "oauthMetadata" is used to locate the data.
// If the config map or expected key is not found, no metadata is served.
// If the specified metadata is not valid, no metadata is served.
// The namespace for this config map is openshift-config-managed.
IntegratedOAuthMetadata ConfigMapNameReference `json:"integratedOAuthMetadata"`
// TODO if we add support for an in-cluster operator managed Keycloak instance
// KeycloakOAuthMetadata ConfigMapNameReference `json:"keycloakOAuthMetadata"`
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type AuthenticationList struct {
metav1.TypeMeta `json:",inline"`
// Standard object's metadata.
metav1.ListMeta `json:"metadata"`
Items []Authentication `json:"items"`
}
type AuthenticationType string
const (
// None means that no cluster managed authentication system is in place.
// Note that user login will only work if a manually configured system is in place and
// referenced in authentication spec via oauthMetadata and webhookTokenAuthenticators.
AuthenticationTypeNone AuthenticationType = "None"
// IntegratedOAuth refers to the cluster managed OAuth server.
// It is configured via the top level OAuth config.
AuthenticationTypeIntegratedOAuth AuthenticationType = "IntegratedOAuth"
// TODO if we add support for an in-cluster operator managed Keycloak instance
// AuthenticationTypeKeycloak AuthenticationType = "Keycloak"
)
// webhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator
type WebhookTokenAuthenticator struct {
// kubeConfig contains kube config file data which describes how to access the remote webhook service.
// For further details, see:
// https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
// The key "kubeConfig" is used to locate the data.
// If the secret or expected key is not found, the webhook is not honored.
// If the specified kube config data is not valid, the webhook is not honored.
// The namespace for this secret is determined by the point of use.
KubeConfig SecretNameReference `json:"kubeConfig"`
}
const (
// OAuthMetadataKey is the key for the oauth authorization server metadata
OAuthMetadataKey = "oauthMetadata"
// KubeConfigKey is the key for the kube config file data in a secret
KubeConfigKey = "kubeConfig"
)
|