@@ -803,6 +803,109 @@ spec:
803803 the Kubernetes API server for translating claims in a JWT token, issued
804804 by the identity provider, to a cluster identity.
805805 properties :
806+ extra :
807+ description : |-
808+ extra is an optional field for configuring the mappings
809+ used to construct the extra attribute for the cluster identity.
810+ When omitted, no extra attributes will be present on the cluster identity.
811+ key values for extra mappings must be unique.
812+ A maximum of 64 extra attribute mappings may be provided.
813+ items :
814+ description : |-
815+ ExtraMapping allows specifying a key and CEL expression
816+ to evaluate the keys' value. It is used to create additional
817+ mappings and attributes added to a cluster identity from
818+ a provided authentication token.
819+ properties :
820+ key :
821+ description : |-
822+ key is a required field that specifies the string
823+ to use as the extra attribute key.
824+
825+ key must be a domain-prefix path (e.g 'example.org/foo').
826+ key must not exceed 510 characters in length.
827+ key must contain the '/' character, separating the domain and path characters.
828+ key must not be empty.
829+
830+ The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain.
831+ It must not exceed 253 characters in length.
832+ It must start and end with an alphanumeric character.
833+ It must only contain lower case alphanumeric characters and '-' or '.'.
834+ It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io".
835+
836+ The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one
837+ alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'.
838+ It must not exceed 256 characters in length.
839+ maxLength : 510
840+ minLength : 1
841+ type : string
842+ x-kubernetes-validations :
843+ - message : key must contain the '/' character
844+ rule : self.contains('/')
845+ - message : the domain of the key must consist
846+ of only lower case alphanumeric characters,
847+ ' -' or '.', and must start and end with
848+ an alphanumeric character
849+ rule : self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
850+ - message : the domain of the key must not
851+ exceed 253 characters in length
852+ rule : self.split('/', 2)[0].size() <= 253
853+ - message : the domain 'kubernetes.io' is reserved
854+ for Kubernetes use
855+ rule : self.split('/', 2)[0] != 'kubernetes.io'
856+ - message : the subdomains '*.kubernetes.io'
857+ are reserved for Kubernetes use
858+ rule : ' !self.split('' /'' , 2)[0].endsWith('' .kubernetes.io'' )'
859+ - message : the domain 'k8s.io' is reserved
860+ for Kubernetes use
861+ rule : self.split('/', 2)[0] != 'k8s.io'
862+ - message : the subdomains '*.k8s.io' are reserved
863+ for Kubernetes use
864+ rule : ' !self.split('' /'' , 2)[0].endsWith('' .k8s.io'' )'
865+ - message : the domain 'openshift.io' is reserved
866+ for OpenShift use
867+ rule : self.split('/', 2)[0] != 'openshift.io'
868+ - message : the subdomains '*.openshift.io'
869+ are reserved for OpenShift use
870+ rule : ' !self.split('' /'' , 2)[0].endsWith('' .openshift.io'' )'
871+ - message : the path of the key must not be
872+ empty and must consist of at least one
873+ alphanumeric character, percent-encoded
874+ octets, apostrophe, '-', '.', '_', '~',
875+ ' !' , '$', '&', '(', ')', '*', '+', ',',
876+ ' ;' , '=', and ':'
877+ rule : self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+')
878+ - message : the path of the key must not exceed
879+ 256 characters in length
880+ rule : self.split('/', 2)[1].size() <= 256
881+ valueExpression :
882+ description : |-
883+ valueExpression is a required field to specify the CEL expression to extract
884+ the extra attribute value from a JWT token's claims.
885+ valueExpression must produce a string or string array value.
886+ "", [], and null are treated as the extra mapping not being present.
887+ Empty string values within an array are filtered out.
888+
889+ CEL expressions have access to the token claims
890+ through a CEL variable, 'claims'.
891+ 'claims' is a map of claim names to claim values.
892+ For example, the 'sub' claim value can be accessed as 'claims.sub'.
893+ Nested claims can be accessed using dot notation ('claims.foo.bar').
894+
895+ valueExpression must not exceed 4096 characters in length.
896+ valueExpression must not be empty.
897+ maxLength : 4096
898+ minLength : 1
899+ type : string
900+ required :
901+ - key
902+ - valueExpression
903+ type : object
904+ maxItems : 64
905+ type : array
906+ x-kubernetes-list-map-keys :
907+ - key
908+ x-kubernetes-list-type : map
806909 groups :
807910 description : |-
808911 groups is an optional field that configures how the groups of a cluster identity
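Review bot: the path rule `self.split('/', 2)[1].matches('[A-Za-z0-9/\\-._~%!$&\'()*+;=:]+')` is unanchored, so it only requires that at least one permitted character appear somewhere in the path, not that the path "must consist of" those characters as the description and the error message state; anchor it as `^[...]+$` the way the domain rule already does. The character class also disagrees with the description on two points: it omits the comma `,` that both the `key` description and the rule's own message list as allowed, and it admits `/`, which neither mentions (the `split('/', 2)` makes a second slash possible, so say explicitly whether nested paths are intended). A bare `%` is accepted without a following pair of hex digits, so "percent-encoded octets" is not actually validated; `%[0-9A-Fa-f]{2}` in an alternation would enforce it. Finally, every rule that indexes `self.split('/', 2)[1]` raises an evaluation error on a key with no `/`, which surfaces as an extra error next to the dedicated `self.contains('/')` message; guarding those rules with `!self.contains('/') || ...` keeps the error list to the one intended message.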
@@ -833,6 +936,57 @@ spec:
833936 required :
834937 - claim
835938 type : object
939+ uid :
940+ description : |-
941+ uid is an optional field for configuring the claim mapping
942+ used to construct the uid for the cluster identity.
943+
944+ When using uid.claim to specify the claim it must be a single string value.
945+ When using uid.expression the expression must result in a single string value.
946+
947+ When omitted, this means the user has no opinion and the platform
948+ is left to choose a default, which is subject to change over time.
949+ The current default is to use the 'sub' claim.
950+ properties :
951+ claim :
952+ description : |-
953+ claim is an optional field for specifying the
954+ JWT token claim that is used in the mapping.
955+ The value of this claim will be assigned to
956+ the field in which this mapping is associated.
957+
958+ Precisely one of claim or expression must be set.
959+ claim must not be specified when expression is set.
960+ When specified, claim must be at least 1 character in length
961+ and must not exceed 256 characters in length.
962+ maxLength : 256
963+ minLength : 1
964+ type : string
965+ expression :
966+ description : |-
967+ expression is an optional field for specifying a
968+ CEL expression that produces a string value from
969+ JWT token claims.
970+
971+ CEL expressions have access to the token claims
972+ through a CEL variable, 'claims'.
973+ 'claims' is a map of claim names to claim values.
974+ For example, the 'sub' claim value can be accessed as 'claims.sub'.
975+ Nested claims can be accessed using dot notation ('claims.foo.bar').
976+
977+ Precisely one of claim or expression must be set.
978+ expression must not be specified when claim is set.
979+ When specified, expression must be at least 1 character in length
980+ and must not exceed 4096 characters in length.
981+ maxLength : 4096
982+ minLength : 1
983+ type : string
984+ type : object
985+ x-kubernetes-validations :
986+ - message : precisely one of claim or expression
987+ must be set
988+ rule : ' has(self.claim) ? !has(self.expression)
989+ : has(self.expression)'
836990 username :
837991 description : |-
838992 username is an optional field that configures how the username of a cluster identity
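Review bot: the `uid` description documents the default (`sub`) but not the failure behaviour when the mapping cannot be satisfied: it says "When using uid.claim to specify the claim it must be a single string value" and "the expression must result in a single string value" without stating whether a token whose claim is absent, null, or non-string is rejected or falls back to the default. Since the uid becomes part of the cluster identity, silently falling back would let two tokens map to the same identity, so the description should state that such tokens are rejected (or whatever the server actually does), mirroring the wording used for `valueExpression` where `""`, `[]` and `null` are explicitly defined as "not present". The `x-kubernetes-validations` rule `has(self.claim) ? !has(self.expression) : has(self.expression)` correctly enforces exactly one of the two fields; consider also noting in the `expression` description that, unlike `valueExpression`, a string array result is not permitted here, since the prose currently says only "produces a string value".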