{ "description": "OIDCIdentityProvider describes the configuration of an upstream OpenID Connect identity provider.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "Spec for configuring the identity provider.", "properties": { "authorizationConfig": { "description": "AuthorizationConfig holds information about how to form the OAuth2 authorization request\nparameters to be used with this OIDC identity provider.", "properties": { "additionalAuthorizeParameters": { "description": "additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your\nOIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra\nparameters are sent. The standard parameters that will be sent are \"response_type\", \"scope\", \"client_id\",\n\"state\", \"nonce\", \"code_challenge\", \"code_challenge_method\", and \"redirect_uri\". These parameters cannot be\nincluded in this setting. Additionally, the \"hd\" parameter cannot be included in this setting at this time.\nThe \"hd\" parameter is used by Google's OIDC provider to provide a hint as to which \"hosted domain\" the user\nshould use during login. However, Pinniped does not yet support validating the hosted domain in the resulting\nID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped.\nThis setting does not influence the parameters sent to the token endpoint in the Resource Owner Password\nCredentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the\nSupervisor from the authorization flows. Some OIDC providers may require a certain value for the \"prompt\"\nparameter in order to properly request refresh tokens. See the documentation of your OIDC provider's\nauthorization endpoint for its requirements for what to include in the request in order to receive a refresh\ntoken in the response, if anything. If your provider requires the prompt parameter to request a refresh token,\nthen include it here. Also note that most providers also require a certain scope to be requested in order to\nreceive refresh tokens. See the additionalScopes setting for more information about using scopes to request\nrefresh tokens.", "items": { "description": "Parameter is a key/value pair which represents a parameter in an HTTP request.", "properties": { "name": { "description": "The name of the parameter. Required.", "minLength": 1, "type": "string" }, "value": { "description": "The value of the parameter.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-map-keys": [ "name" ], "x-kubernetes-list-type": "map" }, "additionalScopes": { "description": "additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization\nrequest during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials\nGrant. Note that the \"openid\" scope will always be requested regardless of the value in this setting, since it is\nalways required according to the OIDC spec. By default, when this field is not set, the Supervisor will request\nthe following scopes: \"openid\", \"offline_access\", \"email\", and \"profile\". See\nhttps://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the \"profile\" and \"email\"\nscopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the\n\"offline_access\" scope. This default value may change in future versions of Pinniped as the standard evolves,\nor as common patterns used by providers who implement the standard in the ecosystem evolve.\nBy setting this list to anything other than an empty list, you are overriding the\ndefault value, so you may wish to include some of \"offline_access\", \"email\", and \"profile\" in your override list.\nIf you do not want any of these scopes to be requested, you may set this list to contain only \"openid\".\nSome OIDC providers may also require a scope to get access to the user's group membership, in which case you\nmay wish to include it in this list. Sometimes the scope to request the user's group membership is called\n\"groups\", but unfortunately this is not specified in the OIDC standard.\nGenerally speaking, you should include any scopes required to cause the appropriate claims to be the returned by\nyour OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in\nthe oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See\nyour OIDC provider's documentation for more information about what scopes are available to request claims.\nAdditionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor\nfrom these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be\n\"offline_access\". See the documentation of your OIDC provider's authorization and token endpoints for its\nrequirements for what to include in the request in order to receive a refresh token in the response, if anything.\nNote that it may be safe to send \"offline_access\" even to providers which do not require it, since the provider\nmay ignore scopes that it does not understand or require (see\nhttps://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the\n\"offline_access\" scope, then you must override the default value of this setting. This is required if your OIDC\nprovider will reject the request when it includes \"offline_access\" (e.g. GitLab's OIDC provider).", "items": { "type": "string" }, "type": "array" }, "allowPasswordGrant": { "description": "allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant\n(see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a\nusername and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow.\nThe Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be\nsupported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password\nCredentials Grant token request, then you can choose to set this field to true. This will allow end users to choose\nto present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the\ncluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be\nconvenient for users, especially for identities from your OIDC provider which are not intended to represent a human\nactor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it,\nyou may wish to disable this behavior by setting this field to false when you prefer to only allow users of this\nOIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password\nCredentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords\n(similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other\nweb-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins.\nallowPasswordGrant defaults to false.", "type": "boolean" } }, "type": "object", "additionalProperties": false }, "claims": { "description": "Claims provides the names of token claims that will be used when inspecting an identity from\nthis OIDC identity provider.", "properties": { "additionalClaimMappings": { "additionalProperties": { "type": "string" }, "description": "AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the\n\"additionalClaims\" claim of the ID tokens generated by the Supervisor. This should be specified as a map of\nnew claim names as the keys, and upstream claim names as the values. These new claim names will be nested\nunder the top-level \"additionalClaims\" claim in ID tokens generated by the Supervisor when this\nOIDCIdentityProvider was used for user authentication. These claims will be made available to all clients.\nThis feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be\nused when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims\nare not available, the \"additionalClaims\" claim will be excluded from the ID tokens generated by the Supervisor.", "type": "object" }, "groups": { "description": "Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain\nthe groups to which an identity belongs. By default, the identities will not include any group memberships when\nthis setting is not configured.", "type": "string" }, "username": { "description": "Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to\nascertain an identity's username. When not set, the username will be an automatically constructed unique string\nwhich will include the issuer URL of your OIDC provider along with the value of the \"sub\" (subject) claim from\nthe ID token.", "type": "string" } }, "type": "object", "additionalProperties": false }, "client": { "description": "OIDCClient contains OIDC client information to be used used with this OIDC identity\nprovider.", "properties": { "secretName": { "description": "SecretName contains the name of a namespace-local Secret object that provides the clientID and\nclientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient\nstruct, then it is expected that the Secret is of type \"secrets.pinniped.dev/oidc-client\" with keys\n\"clientID\" and \"clientSecret\".", "type": "string" } }, "required": [ "secretName" ], "type": "object", "additionalProperties": false }, "issuer": { "description": "Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch\n/.well-known/openid-configuration.", "minLength": 1, "pattern": "^https://", "type": "string" }, "tls": { "description": "TLS configuration for discovery/JWKS requests to the issuer.", "properties": { "certificateAuthorityData": { "description": "X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.", "type": "string" }, "certificateAuthorityDataSource": { "description": "Reference to a CA bundle in a secret or a configmap.\nAny changes to the CA bundle in the secret or configmap will be dynamically reloaded.", "properties": { "key": { "description": "Key is the key name within the secret or configmap from which to read the CA bundle.\nThe value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded\ncertificate bundle.", "minLength": 1, "type": "string" }, "kind": { "description": "Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.\nAllowed values are \"Secret\" or \"ConfigMap\".\n\"ConfigMap\" uses a Kubernetes configmap to source CA Bundles.\n\"Secret\" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.", "enum": [ "Secret", "ConfigMap" ], "type": "string" }, "name": { "description": "Name is the resource name of the secret or configmap from which to read the CA bundle.\nThe referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.", "minLength": 1, "type": "string" } }, "required": [ "key", "kind", "name" ], "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false } }, "required": [ "client", "issuer" ], "type": "object", "additionalProperties": false }, "status": { "description": "Status of the identity provider.", "properties": { "conditions": { "description": "Represents the observations of an identity provider's current state.", "items": { "description": "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}", "properties": { "lastTransitionTime": { "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", "format": "date-time", "type": "string" }, "message": { "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", "maxLength": 32768, "type": "string" }, "observedGeneration": { "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", "format": "int64", "minimum": 0, "type": "integer" }, "reason": { "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.", "maxLength": 1024, "minLength": 1, "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$", "type": "string" }, "status": { "description": "status of the condition, one of True, False, Unknown.", "enum": [ "True", "False", "Unknown" ], "type": "string" }, "type": { "description": "type of condition in CamelCase or in foo.example.com/CamelCase.\n---\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions can be\nuseful (see .node.status.conditions), the ability to deconflict is important.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)", "maxLength": 316, "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$", "type": "string" } }, "required": [ "lastTransitionTime", "message", "reason", "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-map-keys": [ "type" ], "x-kubernetes-list-type": "map" }, "phase": { "default": "Pending", "description": "Phase summarizes the overall status of the OIDCIdentityProvider.", "enum": [ "Pending", "Ready", "Error" ], "type": "string" } }, "type": "object", "additionalProperties": false } }, "required": [ "spec" ], "type": "object" }