added oidc config for v1beta2 #427

Merged
merged 1 commit into from
Jul 17, 2025
@@ -350,6 +350,87 @@ spec:
not to enable the Pod Security Policy admission controller.
type: boolean
type: object
openIdConnectDiscovery:
description: OpenIDConnectDiscovery specifies OIDC discovery settings
properties:
isOpenIdConnectDiscoveryEnabled:
description: IsOpenIDConnectDiscoveryEnabled defines whether
or not to enable the OIDC discovery.
type: boolean
type: object
openIdConnectTokenAuthenticationConfig:
description: OpenIDConnectTokenAuthenticationConfig
properties:
caCertificate:
description: A Base64 encoded public RSA or ECDSA certificates
used to sign your identity provider's web certificate.
type: string
clientId:
description: A client id that all tokens must be issued for.
type: string
groupsClaim:
description: JWT claim to use as the user's group. If the
claim is present it must be an array of strings.
type: string
groupsPrefix:
description: Prefix prepended to group claims to prevent clashes
with existing names (such as system:groups).
type: string
isOpenIdConnectAuthEnabled:
description: IsOpenIdConnectAuthEnabled defines whether or
not to enable the OIDC authentication.
type: boolean
issuerUrl:
description: URL of the provider that allows the API server
to discover public signing keys. Only URLs that use the
https:// scheme are accepted. This is typically the provider's
discovery URL, changed to have an empty path.
type: string
requiredClaims:
description: A key=value pair that describes a required claim
in the ID Token. If set, the claim is verified to be present
in the ID Token with a matching value. Repeat this flag
to specify multiple claims.
items:
description: KeyValue The properties that define a key value
pair.
properties:
key:
description: The key of the pair.
type: string
value:
description: The value of the pair.
type: string
required:
- key
- value
type: object
type: array
signingAlgorithms:
description: The signing algorithms accepted. Default is ["RS256"].
items:
type: string
type: array
usernameClaim:
description: JWT claim to use as the user name. By default
sub, which is expected to be a unique identifier of the
end user. Admins can choose other claims, such as email
or name, depending on their provider. However, claims other
than email will be prefixed with the issuer URL to prevent
naming clashes with other plugins.
type: string
usernamePrefix:
description: 'Prefix prepended to username claims to prevent
clashes with existing names (such as system:users). For
example, the value oidc: will create usernames like oidc:jane.doe.
If this flag isn''t provided and --oidc-username-claim is
a value other than email the prefix defaults to ( Issuer
URL )# where ( Issuer URL ) is the value of --oidc-issuer-url.
The value - can be used to disable all prefixing.'
type: string
required:
- isOpenIdConnectAuthEnabled
type: object
type: object
clusterPodNetworkOptions:
description: ClusterPodNetworkOptions defines the available CNIs and
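Review bot: `issuerUrl` is documented as accepting only `https://` URLs, but the schema carries no validation for it, so an `http://` issuer is admitted by the CRD and only rejected (if at all) by whatever later consumes the field; consider adding `pattern: '^https://'` so the check is enforced at admission time. Two documentation gaps in the same block: the `openIdConnectTokenAuthenticationConfig` description is just the type name and should say what the object configures (OIDC token authentication settings for the cluster API server), and the `caCertificate` description reads "A Base64 encoded public RSA or ECDSA certificates used to sign ..." and should be singular, e.g. "Base64-encoded CA certificate (RSA or ECDSA) that signed the identity provider's web certificate". Also, `signingAlgorithms` states `Default is ["RS256"]` without a `default:` in the schema; either add the default or drop the claim so schema and description agree.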
@@ -331,6 +331,94 @@ spec:
controller.
type: boolean
type: object
openIdConnectDiscovery:
description: OpenIDConnectDiscovery specifies OIDC discovery
settings
properties:
isOpenIdConnectDiscoveryEnabled:
description: IsOpenIDConnectDiscoveryEnabled defines
whether or not to enable the OIDC discovery.
type: boolean
type: object
openIdConnectTokenAuthenticationConfig:
description: OpenIDConnectTokenAuthenticationConfig
properties:
caCertificate:
description: A Base64 encoded public RSA or ECDSA
certificates used to sign your identity provider's
web certificate.
type: string
clientId:
description: A client id that all tokens must be issued
for.
type: string
groupsClaim:
description: JWT claim to use as the user's group.
If the claim is present it must be an array of strings.
type: string
groupsPrefix:
description: Prefix prepended to group claims to prevent
clashes with existing names (such as system:groups).
type: string
isOpenIdConnectAuthEnabled:
description: IsOpenIdConnectAuthEnabled defines whether
or not to enable the OIDC authentication.
type: boolean
issuerUrl:
description: URL of the provider that allows the API
server to discover public signing keys. Only URLs
that use the https:// scheme are accepted. This
is typically the provider's discovery URL, changed
to have an empty path.
type: string
requiredClaims:
description: A key=value pair that describes a required
claim in the ID Token. If set, the claim is verified
to be present in the ID Token with a matching value.
Repeat this flag to specify multiple claims.
items:
description: KeyValue The properties that define
a key value pair.
properties:
key:
description: The key of the pair.
type: string
value:
description: The value of the pair.
type: string
required:
- key
- value
type: object
type: array
signingAlgorithms:
description: The signing algorithms accepted. Default
is ["RS256"].
items:
type: string
type: array
usernameClaim:
description: JWT claim to use as the user name. By
default sub, which is expected to be a unique identifier
of the end user. Admins can choose other claims,
such as email or name, depending on their provider.
However, claims other than email will be prefixed
with the issuer URL to prevent naming clashes with
other plugins.
type: string
usernamePrefix:
description: 'Prefix prepended to username claims
to prevent clashes with existing names (such as
system:users). For example, the value oidc: will
create usernames like oidc:jane.doe. If this flag
isn''t provided and --oidc-username-claim is a value
other than email the prefix defaults to ( Issuer
URL )# where ( Issuer URL ) is the value of --oidc-issuer-url.
The value - can be used to disable all prefixing.'
type: string
required:
- isOpenIdConnectAuthEnabled
type: object
type: object
clusterPodNetworkOptions:
description: ClusterPodNetworkOptions defines the available
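Review bot: the `requiredClaims` and `usernamePrefix` descriptions are lifted from kube-apiserver flag help and refer to things that do not exist on this resource: "Repeat this flag to specify multiple claims" (the field is an array, so "add one item per claim"), and `--oidc-username-claim` / `--oidc-issuer-url`, which should name the sibling fields `usernameClaim` and `issuerUrl`. Beyond wording, `required` lists only `isOpenIdConnectAuthEnabled`, so an object with `isOpenIdConnectAuthEnabled: true` and no `issuerUrl` or `clientId` validates; if the target Kubernetes version supports CEL validation, an `x-kubernetes-validations` rule such as `!self.isOpenIdConnectAuthEnabled || (has(self.issuerUrl) && has(self.clientId))` would reject that at admission. This block is also a verbatim copy of the one in the first file; if the generator allows it, define the OIDC type once and reference it from both CRDs so the two schemas cannot drift.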