JWTOIDCAuthEngineRole

redhatcop.redhat.io / v1alpha1

apiVersion: redhatcop.redhat.io/v1alpha1 kind: JWTOIDCAuthEngineRole metadata: name: example

apiVersion string

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

kind string

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

metadata object

spec object

JWTOIDCAuthEngineRoleSpec defines the desired state of JWTOIDCAuthEngineRole

OIDCScopes []string

If set, a list of OIDC scopes to be used with an OIDC role The standard scope "openid" is automatically included and need not be specified kubebuilder:validation:UniqueItems=true

allowedRedirectURIs []string

The list of allowed values for redirect_uri during OIDC logins kubebuilder:validation:UniqueItems=true

authentication object

Authentication is the kube auth configuraiton to be used to execute this request

namespace string

Namespace is the Vault namespace to be used in all the operations withing this connection/authentication. Only available in Vault Enterprise.

path string

Path is the path of the role used for this kube auth authentication. The operator will try to authenticate at {[namespace/]}auth/{spec.path}

pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/?

role string

Role the role to be used during authentication

serviceAccount object

ServiceAccount is the service account used for the kube auth authentication

name string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?

boundAudiences []string

List of aud claims to match against. Any match is sufficient. Required for "jwt" roles, optional for "oidc" roles kubebuilder:validation:UniqueItems=true

boundClaims object

If set, a map of claims (keys) to match against respective claim values (values) The expected value may be a single string or a list of strings The interpretation of the bound claim values is configured with bound_claims_type Keys support JSON pointer syntax for referencing claims

boundClaimsType string

Configures the interpretation of the bound_claims values. If "string" (the default), the values will treated as string literals and must match exactly. If set to "glob", the values will be interpreted as globs, with * matching any number of characters

boundSubject string

If set, requires that the sub claim matches this value.

claimMappings object

If set, a map of claims (keys) to be copied to specified metadata fields (values) Keys support JSON pointer syntax for referencing claims

clockSkewLeeway integer

The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Accepts an integer number of seconds, or a Go duration format string. Only applicable with "jwt" roles

format: int64

connection object

Connection represents the information needed to connect to Vault. This operator uses the standard Vault environment variables to connect to Vault. If you need to override those settings and for example connect to a different Vault instance, you can do with this section of the CR.

address string

Address Address of the Vault server expressed as a URL and port, for example: https://127.0.0.1:8200/

maxRetries integer

MaxRetries Maximum number of retries when certain error codes are encountered. The default is 2, for three total attempts. Set this to 0 or less to disable retrying. Error codes that are retried are 412 (client consistency requirement not satisfied) and all 5xx except for 501 (not implemented).

tLSConfig object

cacert string

Cacert Path to a PEM-encoded CA certificate file on the local disk. This file is used to verify the Vault server's SSL certificate. This environment variable takes precedence over a cert passed via the secret.

skipVerify boolean

SkipVerify Do not verify Vault's presented certificate before communicating with it. Setting this variable is not recommended and voids Vault's security model.

tlsSecret object

TLSSecret namespace-local secret containing the tls material for the connection. the expected keys for the secret are: ca bundle -> "ca.crt", certificate -> "tls.crt", key -> "tls.key"

name string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?

tlsServerName string

TLSServerName Name to use as the SNI host when connecting via TLS.

timeOut string

Timeout Timeout variable. The default value is 60s.

expirationLeeway integer

The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Accepts an integer number of seconds, or a Go duration format string. Only applicable with "jwt" roles.

format: int64

groupsClaim string

The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings. Supports JSON pointer syntax for referencing claims

maxage integer

Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated with the OIDC provider If set, the max_age request parameter will be included in the authentication request See AuthRequest for additional details Accepts an integer number of seconds, or a Go duration format string

format: int64

name string required

Name of the role

notBeforeLeeway integer

he amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Accepts an integer number of seconds, or a Go duration format string. Only applicable with "jwt" roles

format: int64

path string

Path at which to make the configuration. The final path in Vault will be {[spec.authentication.namespace]}/auth/{spec.path}/groups/{metadata.name}. The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path.

pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/?

roleType string

Type of role, either "oidc" (default) or "jwt"

tokenBoundCIDRs []string

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well. kubebuilder:validation:UniqueItems=true

tokenExplicitMaxTTL string

If set, will encode an explicit max TTL onto the token. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.

tokenMaxTTL string

The maximum lifetime for generated tokens. This current value of this will be referenced at renewal time

tokenNoDefaultPolicy boolean

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies

tokenNumUses integer

The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. If you require the token to have the ability to create child tokens, you will need to set this value to 0

format: int64

tokenPeriod integer

The period, if any, to set on the token

format: int64

tokenPolicies []string

List of policies to encode onto generated tokens Depending on the auth method, this list may be supplemented by user/group/other values kubebuilder:validation:UniqueItems=true

tokenTTL string

The incremental lifetime for generated tokens This current value of this will be referenced at renewal time

tokenType string

The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

userClaim string required

The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login. The claim value must be a string

userClaimJSONPointer boolean

Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer.

verboseOIDCLogging boolean

Log received OIDC tokens and claims when debug-level logging is active Not recommended in production since sensitive information may be present in OIDC responses

status object

JWTOIDCAuthEngineRoleStatus defines the observed state of JWTOIDCAuthEngineRole

conditions []object

lastTransitionTime string required

lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

format: date-time

message string required

message is a human readable message indicating details about the transition. This may be an empty string.

maxLength: 32768

observedGeneration integer

observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

format: int64

minimum: 0

reason string required

reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.

pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$

minLength: 1

maxLength: 1024

status string required

status of the condition, one of True, False, Unknown.

enum: True, False, Unknown

type string required

type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)

pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$

maxLength: 316

No matches. Try .spec.OIDCScopes for an exact path