From e8556dd84e165074fdf8d51f1eff4074432f72e6 Mon Sep 17 00:00:00 2001 From: Shaza Aldawamneh Date: Thu, 19 Feb 2026 09:08:37 +0100 Subject: [PATCH 1/4] Add support for CEL expression claim mappings for username and groups Signed-off-by: Shaza Aldawamneh --- .../ExternalOIDCWithUpstreamParity.yaml | 100 +++++++++++++++++- 1 file changed, 99 insertions(+), 1 deletion(-) diff --git a/config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml b/config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml index 83d54eeef84..37e69f4380e 100644 --- a/config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml +++ b/config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml @@ -435,7 +435,6 @@ tests: message: "Empty expressions are invalid" expectedError: "spec.oidcProviders[0].userValidationRules[0].expression: Invalid value: \"\": spec.oidcProviders[0].userValidationRules[0].expression in body should be at least 1 chars long" - - name: Invalid TokenUserValidationRule with expression only initial: | apiVersion: config.openshift.io/v1 
@@ -456,3 +455,102 @@ tests: userValidationRules: - expression: "user.username.startsWith('admin')" expectedError: "message: Required value" + + - name: Can set username claim mapping using a CEL expression only + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + expression: "has(claims.upn) ? claims.upn : claims.oid" + expected: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + expression: "has(claims.upn) ? claims.upn : claims.oid" + + - name: Cannot set both claim and expression for username mapping + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + expression: "claims.sub" + expectedError: "claim must not be set when expression is provided" + + - name: Can set groups mapping using a CEL expression + initial: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + groups: + expression: "claims.roles.split(',')" + expected: | + apiVersion: config.openshift.io/v1 + kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + groups: + expression: "claims.roles.split(',')" + + - name: Cannot set both claim and expression for groups mapping + initial: | + apiVersion: config.openshift.io/v1 + 
kind: Authentication + spec: + type: OIDC + oidcProviders: + - name: myoidc + issuer: + issuerURL: https://meh.tld + audiences: ['openshift-aud'] + claimMappings: + username: + claim: "preferred_username" + groups: + claim: "roles" + expression: "claims.roles.split(',')" + expectedError: "claim must not be set when expression is provided" + + + From abc8d56b244e93be8ce86e1f5018a28d8617ce00 Mon Sep 17 00:00:00 2001 From: Shaza Aldawamneh Date: Thu, 19 Feb 2026 16:52:39 +0100 Subject: [PATCH 2/4] Add support for CEL expression claim mappings for username and groups Signed-off-by: Shaza Aldawamneh --- config/v1/types_authentication.go | 36 ++- ...1_authentications-CustomNoUpgrade.crd.yaml | 28 ++- ...erator_01_authentications-Default.crd.yaml | 7 +- ...thentications-DevPreviewNoUpgrade.crd.yaml | 28 ++- ...g-operator_01_authentications-OKD.crd.yaml | 7 +- ...hentications-TechPreviewNoUpgrade.crd.yaml | 28 ++- .../ExternalOIDC.yaml | 7 +- ...ernalOIDCWithUIDAndExtraClaimMappings.yaml | 7 +- .../ExternalOIDCWithUpstreamParity.yaml | 28 ++- .../v1/zz_generated.swagger_doc_generated.go | 7 +- .../generated_openapi/zz_generated.openapi.go | 21 +- openapi/openapi.json | 228 ++++++++++-------- ...1_authentications-CustomNoUpgrade.crd.yaml | 28 ++- ...erator_01_authentications-Default.crd.yaml | 7 +- ...thentications-DevPreviewNoUpgrade.crd.yaml | 28 ++- ...g-operator_01_authentications-OKD.crd.yaml | 7 +- ...hentications-TechPreviewNoUpgrade.crd.yaml | 28 ++- 17 files changed, 383 insertions(+), 147 deletions(-) diff --git a/config/v1/types_authentication.go b/config/v1/types_authentication.go index e7433281f4a..4f1ea7a495c 100644 --- a/config/v1/types_authentication.go +++ b/config/v1/types_authentication.go 
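Review bot: None of the new cases exercises a username mapping with neither `claim` nor `expression`, which is exactly the shape that becomes schema-valid once the `required: [claim]` entry is dropped in the next patch of this series; add a case such as `claimMappings: username: {}` with an `expectedError`, and the same for `groups`. The two "Cannot set both" cases check only the bare message, while the earlier `userValidationRules` case quotes the full field path; doing the same here pins where the rule fires. The hunk also appends trailing blank `+` lines at the end of the file that should be dropped.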
@@ -591,15 +591,35 @@ type OIDCClientReference struct {
 // +kubebuilder:validation:XValidation:rule="has(self.prefixPolicy) && self.prefixPolicy == 'Prefix' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)",message="prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise"
 // +union
 type UsernameClaimMapping struct {
- // claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.
+ // claim is a optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.
+ //
+ // Precisely one of claim or expression must be set if the
+ // ExternalOIDCWithUpstreamParity feature gate is enabled.
 //
 // claim must not be an empty string ("") and must not exceed 256 characters.
 //
- // +required
+ // +optional
 // +kubebuilder:validation:MinLength:=1
 // +kubebuilder:validation:MaxLength:=256
 Claim string `json:"claim"`
 
+ // expression is an optional CEL expression used to derive
+ // the username from JWT claims.
+ //
+ // CEL expressions have access to the token claims
+ // through a CEL variable, 'claims'.
+ //
+ // Precisely one of claim or expression must be set if the
+ // ExternalOIDCWithUpstreamParity feature gate is enabled.
+ //
+ // +optional
+ // +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=1024
+ // +kubebuilder:validation:XValidation:rule="has(self.expression) ? !has(self.claim) : true",message="claim must not be set when expression is provided"
+
+ Expression string `json:"expression,omitempty"`
+
 // prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.
 //
 // Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).
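Review bot: The XValidation rule added on the new `Expression` field refers to `self.expression` and `self.claim`, but on a field-level rule `self` is the field's own value — a plain string here — so `has(self.expression)` is unlikely to compile when the CRD is applied; the generated manifests later in this patch show it landing under the `expression` property instead of the object, and the PrefixedClaimMapping hunk that follows has the same problem. Move the rule to the struct-level marker block beside the existing prefixPolicy rule, i.e. `// +kubebuilder:validation:XValidation:rule="has(self.expression) ? !has(self.claim) : true",message="claim must not be set when expression is provided"` above `type UsernameClaimMapping struct {`. The blank line between the comment block and `Expression string` detaches the doc comment from the field, which is why the generated CRD, swagger and openapi entries for username.expression in this patch carry no description — remove that blank line. Dropping `+required` from `claim` unconditionally also lets a username mapping with neither field pass schema validation in every feature set, including Default and OKD where `expression` does not exist at all; the documented "precisely one" contract needs a struct-level `has(self.claim) || has(self.expression)` rule, and since that can only compile where `expression` exists it has to be feature-gated (openshift's gate-aware XValidation marker), leaving the ungated manifests to keep rejecting an empty username mapping some other way. Minor wording: "a optional field" should read "an optional field".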
@@ -668,6 +688,18 @@ type UsernamePrefix struct {
 type PrefixedClaimMapping struct {
 TokenClaimMapping `json:",inline"`
 
+ // expression is an optional CEL expression used to derive
+ // group values from JWT claims.
+ //
+ // When specified, claim must not be set.
+ //
+ // +optional
+ // +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=1024
+ // +kubebuilder:validation:XValidation:rule="has(self.expression) ? !has(self.claim) : true",message="claim must not be set when expression is provided"
+ Expression string `json:"expression,omitempty"`
+
 // prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.
 //
 // When omitted (""), no prefix is applied to the cluster identity attribute.
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
index e3c2202ea6f..5138c8abb90 100644
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
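Review bot: The doc comment on `Expression` does not say what the expression may reference or what it must evaluate to, whereas the username counterpart in the previous hunk names the `claims` variable; the accompanying test uses `claims.roles.split(',')`, so the result is presumably a list of strings — confirm against the authenticator and state it, e.g. `// CEL expressions have access to the token claims through a CEL variable, 'claims', and must evaluate to a list of strings.` The embedded TokenClaimMapping, and whatever markers its `claim` carries, sit outside this hunk; if `claim` is still required there, an expression-only groups mapping is rejected before this field is consulted, which the "Can set groups mapping using a CEL expression" case in the first patch would surface.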
@@ -191,6 +191,19 @@ spec: the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. type: string + expression: + description: |- + expression is an optional CEL expression used to derive + group values from JWT claims. + + When specified, claim must not be set. + maxLength: 1024 + minLength: 1 + type: string + x-kubernetes-validations: + - message: claim must not be set when expression is + provided + rule: 'has(self.expression) ? !has(self.claim) : true' prefix: description: |- prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. @@ -252,12 +265,23 @@ spec: properties: claim: description: |- - claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + claim is a optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + + Precisely one of claim or expression must be set if the + ExternalOIDCWithUpstreamParity feature gate is enabled. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 minLength: 1 type: string + expression: + maxLength: 1024 + minLength: 1 + type: string + x-kubernetes-validations: + - message: claim must not be set when expression is + provided + rule: 'has(self.expression) ? !has(self.claim) : true' prefix: description: |- prefix configures the prefix that should be prepended to the value of the JWT claim. @@ -301,8 +325,6 @@ spec: - NoPrefix - Prefix type: string - required: - - claim type: object x-kubernetes-validations: - message: prefix must be set if prefixPolicy is 'Prefix', 
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml index 64b65023234..d77b80ceec0 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml @@ -252,7 +252,10 @@ spec: properties: claim: description: |- - claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + claim is a optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + + Precisely one of claim or expression must be set if the + ExternalOIDCWithUpstreamParity feature gate is enabled. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 @@ -301,8 +304,6 @@ spec: - NoPrefix - Prefix type: string - required: - - claim type: object x-kubernetes-validations: - message: prefix must be set if prefixPolicy is 'Prefix', diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml index 2f4c3180dc5..48eb874b914 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml 
@@ -191,6 +191,19 @@ spec: the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. type: string + expression: + description: |- + expression is an optional CEL expression used to derive + group values from JWT claims. + + When specified, claim must not be set. + maxLength: 1024 + minLength: 1 + type: string + x-kubernetes-validations: + - message: claim must not be set when expression is + provided + rule: 'has(self.expression) ? !has(self.claim) : true' prefix: description: |- prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. @@ -252,12 +265,23 @@ spec: properties: claim: description: |- - claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + claim is a optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + + Precisely one of claim or expression must be set if the + ExternalOIDCWithUpstreamParity feature gate is enabled. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 minLength: 1 type: string + expression: + maxLength: 1024 + minLength: 1 + type: string + x-kubernetes-validations: + - message: claim must not be set when expression is + provided + rule: 'has(self.expression) ? !has(self.claim) : true' prefix: description: |- prefix configures the prefix that should be prepended to the value of the JWT claim. @@ -301,8 +325,6 @@ spec: - NoPrefix - Prefix type: string - required: - - claim type: object x-kubernetes-validations: - message: prefix must be set if prefixPolicy is 'Prefix', 
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml index 2aff1f514b7..6b69f1328c5 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml @@ -252,7 +252,10 @@ spec: properties: claim: description: |- - claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + claim is a optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + + Precisely one of claim or expression must be set if the + ExternalOIDCWithUpstreamParity feature gate is enabled. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 @@ -301,8 +304,6 @@ spec: - NoPrefix - Prefix type: string - required: - - claim type: object x-kubernetes-validations: - message: prefix must be set if prefixPolicy is 'Prefix', diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml index 11281f286c6..0f5d1b4cfeb 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml 
@@ -191,6 +191,19 @@ spec: the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. type: string + expression: + description: |- + expression is an optional CEL expression used to derive + group values from JWT claims. + + When specified, claim must not be set. + maxLength: 1024 + minLength: 1 + type: string + x-kubernetes-validations: + - message: claim must not be set when expression is + provided + rule: 'has(self.expression) ? !has(self.claim) : true' prefix: description: |- prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. @@ -252,12 +265,23 @@ spec: properties: claim: description: |- - claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + claim is a optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + + Precisely one of claim or expression must be set if the + ExternalOIDCWithUpstreamParity feature gate is enabled. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 minLength: 1 type: string + expression: + maxLength: 1024 + minLength: 1 + type: string + x-kubernetes-validations: + - message: claim must not be set when expression is + provided + rule: 'has(self.expression) ? !has(self.claim) : true' prefix: description: |- prefix configures the prefix that should be prepended to the value of the JWT claim. @@ -301,8 +325,6 @@ spec: - NoPrefix - Prefix type: string - required: - - claim type: object x-kubernetes-validations: - message: prefix must be set if prefixPolicy is 'Prefix', 
diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml index aa3ec849ee0..a95c0638447 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml @@ -115,7 +115,10 @@ spec: properties: claim: description: |- - claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + claim is a optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + + Precisely one of claim or expression must be set if the + ExternalOIDCWithUpstreamParity feature gate is enabled. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 @@ -164,8 +167,6 @@ spec: - NoPrefix - Prefix type: string - required: - - claim type: object x-kubernetes-validations: - message: prefix must be set if prefixPolicy is 'Prefix', diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml index 8f2e23dcca6..d76fde0730c 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml 
@@ -252,7 +252,10 @@ spec: properties: claim: description: |- - claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + claim is a optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + + Precisely one of claim or expression must be set if the + ExternalOIDCWithUpstreamParity feature gate is enabled. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 @@ -301,8 +304,6 @@ spec: - NoPrefix - Prefix type: string - required: - - claim type: object x-kubernetes-validations: - message: prefix must be set if prefixPolicy is 'Prefix', diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml index 162718e02ce..ebf355da7d7 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml 
@@ -96,6 +96,19 @@ spec: the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. type: string + expression: + description: |- + expression is an optional CEL expression used to derive + group values from JWT claims. + + When specified, claim must not be set. + maxLength: 1024 + minLength: 1 + type: string + x-kubernetes-validations: + - message: claim must not be set when expression is + provided + rule: 'has(self.expression) ? !has(self.claim) : true' prefix: description: |- prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. @@ -115,12 +128,23 @@ spec: properties: claim: description: |- - claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + claim is a optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + + Precisely one of claim or expression must be set if the + ExternalOIDCWithUpstreamParity feature gate is enabled. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 minLength: 1 type: string + expression: + maxLength: 1024 + minLength: 1 + type: string + x-kubernetes-validations: + - message: claim must not be set when expression is + provided + rule: 'has(self.expression) ? !has(self.claim) : true' prefix: description: |- prefix configures the prefix that should be prepended to the value of the JWT claim. @@ -164,8 +188,6 @@ spec: - NoPrefix - Prefix type: string - required: - - claim type: object x-kubernetes-validations: - message: prefix must be set if prefixPolicy is 'Prefix', diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index 69fb37c5233..f540c9c49eb 100644 
--- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go @@ -457,8 +457,9 @@ func (OIDCProvider) SwaggerDoc() map[string]string { } var map_PrefixedClaimMapping = map[string]string{ - "": "PrefixedClaimMapping configures a claim mapping that allows for an optional prefix.", - "prefix": "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", + "": "PrefixedClaimMapping configures a claim mapping that allows for an optional prefix.", + "expression": "expression is an optional CEL expression used to derive group values from JWT claims.\n\nWhen specified, claim must not be set.", + "prefix": "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", } func (PrefixedClaimMapping) SwaggerDoc() map[string]string { 
@@ -546,7 +547,7 @@ func (TokenUserValidationRule) SwaggerDoc() map[string]string { } var map_UsernameClaimMapping = map[string]string{ - "claim": "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.\n\nclaim must not be an empty string (\"\") and must not exceed 256 characters.", + "claim": "claim is a optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.\n\nPrecisely one of claim or expression must be set if the ExternalOIDCWithUpstreamParity feature gate is enabled.\n\nclaim must not be an empty string (\"\") and must not exceed 256 characters.", "prefixPolicy": "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim.\n\nThe prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. 
Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'.\n\nAs an example, consider the following scenario:\n\n `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n - \"email\": the mapped value will be \"userA@myoidc.tld\"", "prefix": "prefix configures the prefix that should be prepended to the value of the JWT claim.\n\nprefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise.", } diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 2c217f1303e..8eff072dc9d 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -19595,6 +19595,13 @@ func schema_openshift_api_config_v1_PrefixedClaimMapping(ref common.ReferenceCal Format: "", }, }, + "expression": { + SchemaProps: spec.SchemaProps{ + Description: "expression is an optional CEL expression used to derive group values from JWT claims.\n\nWhen specified, claim must not be set.", + Type: []string{"string"}, + Format: "", + }, + }, "prefix": { SchemaProps: spec.SchemaProps{ Description: "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", 
@@ -21578,12 +21585,18 @@ func schema_openshift_api_config_v1_UsernameClaimMapping(ref common.ReferenceCal Properties: map[string]spec.Schema{ "claim": { SchemaProps: spec.SchemaProps{ - Description: "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.\n\nclaim must not be an empty string (\"\") and must not exceed 256 characters.", + Description: "claim is a optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.\n\nPrecisely one of claim or expression must be set if the ExternalOIDCWithUpstreamParity feature gate is enabled.\n\nclaim must not be an empty string (\"\") and must not exceed 256 characters.", Default: "", Type: []string{"string"}, Format: "", }, }, + "expression": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, "prefixPolicy": { SchemaProps: spec.SchemaProps{ Description: "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim.\n\nThe prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. 
Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'.\n\nAs an example, consider the following scenario:\n\n `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n - \"email\": the mapped value will be \"userA@myoidc.tld\"", @@ -21600,7 +21613,6 @@ func schema_openshift_api_config_v1_UsernameClaimMapping(ref common.ReferenceCal }, }, }, - Required: []string{"claim"}, }, VendorExtensible: spec.VendorExtensible{ Extensions: spec.Extensions{ @@ -21608,8 +21620,9 @@ func schema_openshift_api_config_v1_UsernameClaimMapping(ref common.ReferenceCal map[string]interface{}{ "discriminator": "prefixPolicy", "fields-to-discriminateBy": map[string]interface{}{ - "claim": "Claim", - "prefix": "Prefix", + "claim": "Claim", + "expression": "Expression", + "prefix": "Prefix", }, }, }, diff --git a/openapi/openapi.json b/openapi/openapi.json index fff430807d8..2fb0842df2c 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -6339,7 +6339,7 @@ ], "properties": { "ciphers": { - "description": "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries their operands do not support. For example, to use DES-CBC3-SHA (yaml):\n\n ciphers:\n - DES-CBC3-SHA", + "description": "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries that their operands do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml):\n\n ciphers:\n - ECDHE-RSA-AES128-GCM-SHA256\n\nTLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable and are always enabled when TLS 1.3 is negotiated.", "type": "array", "items": { "type": "string", 
@@ -10546,6 +10546,10 @@ "type": "string", "default": "" }, + "expression": { + "description": "expression is an optional CEL expression used to derive group values from JWT claims.\n\nWhen specified, claim must not be set.", + "type": "string" + }, "prefix": { "description": "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", "type": "string", @@ -11311,7 +11315,7 @@ ], "properties": { "ciphers": { - "description": "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries their operands do not support. For example, to use DES-CBC3-SHA (yaml):\n\n ciphers:\n - DES-CBC3-SHA", + "description": "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries that their operands do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml):\n\n ciphers:\n - ECDHE-RSA-AES128-GCM-SHA256\n\nTLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable and are always enabled when TLS 1.3 is negotiated.", "type": "array", "items": { "type": "string", 
@@ -11335,7 +11339,7 @@ "$ref": "#/definitions/com.github.openshift.api.config.v1.CustomTLSProfile" }, "intermediate": { - "description": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"intermediate\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384", + "description": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305", "$ref": "#/definitions/com.github.openshift.api.config.v1.IntermediateTLSProfile" }, "modern": { 
@@ -11343,11 +11347,11 @@ "$ref": "#/definitions/com.github.openshift.api.config.v1.ModernTLSProfile" }, "old": { - "description": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"old\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", + "description": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - AES128-GCM-SHA256\n - 
AES256-GCM-SHA384\n - AES128-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", "$ref": "#/definitions/com.github.openshift.api.config.v1.OldTLSProfile" }, "type": { - "description": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are currently based on version 5.0 of the Mozilla Server Side TLS configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.", + "description": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are based on version 5.7 of the Mozilla Server Side TLS configuration guidelines. The cipher lists consist of the configuration's \"ciphersuites\" followed by the Go-specific \"ciphers\" from the guidelines. See: https://ssl-config.mozilla.org/guidelines/5.7.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.", "type": "string", "default": "" } 
@@ -11717,15 +11721,15 @@ }, "com.github.openshift.api.config.v1.UsernameClaimMapping": { "type": "object", - "required": [ - "claim" - ], "properties": { "claim": { - "description": "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.\n\nclaim must not be an empty string (\"\") and must not exceed 256 characters.", + "description": "claim is a optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.\n\nPrecisely one of claim or expression must be set if the ExternalOIDCWithUpstreamParity feature gate is enabled.\n\nclaim must not be an empty string (\"\") and must not exceed 256 characters.", "type": "string", "default": "" }, + "expression": { + "type": "string" + }, "prefix": { "description": "prefix configures the prefix that should be prepended to the value of the JWT claim.\n\nprefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise.", "$ref": "#/definitions/com.github.openshift.api.config.v1.UsernamePrefix" @@ -11741,6 +11745,7 @@ "discriminator": "prefixPolicy", "fields-to-discriminateBy": { "claim": "Claim", + "expression": "Expression", "prefix": "Prefix" } } @@ -35897,7 +35902,6 @@ }, "spec": { "description": "spec is the specification of the desired behavior of the capi-operator.", - "default": {}, "$ref": "#/definitions/com.github.openshift.api.operator.v1alpha1.ClusterAPISpec" }, "status": { 
@@ -35907,6 +35911,96 @@ } } }, + "com.github.openshift.api.operator.v1alpha1.ClusterAPIInstallerComponent": { + "description": "ClusterAPIInstallerComponent defines a component which will be installed by this revision.", + "type": "object", + "required": [ + "type" + ], + "properties": { + "image": { + "description": "image defines an image source for a component. The image must contain a /capi-operator-installer directory containing the component manifests.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1alpha1.ClusterAPIInstallerComponentImage" + }, + "type": { + "description": "type is the source type of the component. The only valid value is Image. When set to Image, the image field must be set and will define an image source for the component.\n\nPossible enum values:\n - `\"Image\"` is an image source for a component.", + "type": "string", + "enum": [ + "Image" + ] + } + }, + "x-kubernetes-unions": [ + { + "discriminator": "type", + "fields-to-discriminateBy": { + "image": "Image" + } + } + ] + }, + "com.github.openshift.api.operator.v1alpha1.ClusterAPIInstallerComponentImage": { + "description": "ClusterAPIInstallerComponentImage defines an image source for a component.", + "type": "object", + "required": [ + "ref", + "profile" + ], + "properties": { + "profile": { + "description": "profile is the name of a profile to use from the image.\n\nA profile name may be up to 255 characters long. It must consist of alphanumeric characters, '-', or '_'.", + "type": "string" + }, + "ref": { + "description": "ref is an image reference to the image containing the component manifests. The reference must be a valid image digest reference in the format host[:port][/namespace]/name@sha256:. The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. 
The length of the field must be between 1 to 447 characters.", + "type": "string" + } + } + }, + "com.github.openshift.api.operator.v1alpha1.ClusterAPIInstallerRevision": { + "type": "object", + "required": [ + "name", + "revision", + "contentID", + "components" + ], + "properties": { + "components": { + "description": "components is list of components which will be installed by this revision. Components will be installed in the order they are listed.\n\nThe maximum number of components is 32.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1alpha1.ClusterAPIInstallerComponent" + }, + "x-kubernetes-list-type": "atomic" + }, + "contentID": { + "description": "contentID uniquely identifies the content of this revision. The contentID must be between 1 and 255 characters long.", + "type": "string" + }, + "name": { + "description": "name is the name of a revision.", + "type": "string" + }, + "revision": { + "description": "revision is a monotonically increasing number that is assigned to a revision.", + "type": "integer", + "format": "int64" + }, + "unmanagedCustomResourceDefinitions": { + "description": "unmanagedCustomResourceDefinitions is a list of the names of ClusterResourceDefinition (CRD) objects which are included in this revision, but which should not be installed or updated. If not set, all CRDs in the revision will be managed by the CAPI operator.", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "atomic" + } + }, + "x-kubernetes-map-type": "atomic" + }, "com.github.openshift.api.operator.v1alpha1.ClusterAPIList": { "description": "ClusterAPIList contains a list of ClusterAPI configurations\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", "type": "object", 
@@ -35939,11 +36033,11 @@ } }, "com.github.openshift.api.operator.v1alpha1.ClusterAPISpec": { - "description": "ClusterAPISpec defines the desired configuration of the capi-operator.", + "description": "ClusterAPISpec defines the desired configuration of the capi-operator. The spec is required but we deliberately allow it to be empty.", "type": "object", "properties": { "unmanagedCustomResourceDefinitions": { - "description": "unmanagedCustomResourceDefinitions is a list of ClusterResourceDefinition (CRD) names that should not be managed by the capi-operator installer controller. This allows external actors to own specific CRDs while capi-operator manages others.\n\nEach CRD name must be a valid DNS-1123 subdomain consisting of lowercase alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character, with a maximum length of 253 characters. Example: \"clusters.cluster.x-k8s.io\"\n\nItems cannot be removed from this list once added.\n\nThe maximum number of unmanagedCustomResourceDefinitions is 128.", + "description": "unmanagedCustomResourceDefinitions is a list of ClusterResourceDefinition (CRD) names that should not be managed by the capi-operator installer controller. This allows external actors to own specific CRDs while capi-operator manages others.\n\nEach CRD name must be a valid DNS-1123 subdomain consisting of lowercase alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character, with a maximum length of 253 characters. CRD names must contain at least two '.' characters. Example: \"clusters.cluster.x-k8s.io\"\n\nItems cannot be removed from this list once added.\n\nThe maximum number of unmanagedCustomResourceDefinitions is 128.", "type": "array", "items": { "type": "string", 
@@ -35956,22 +36050,25 @@ "com.github.openshift.api.operator.v1alpha1.ClusterAPIStatus": { "description": "ClusterAPIStatus describes the current state of the capi-operator.", "type": "object", + "required": [ + "desiredRevision", + "revisions" + ], "properties": { - "activeConfigMaps": { - "description": "activeConfigMaps is a list of ConfigMap names that the installer controller has successfully reconciled. This represents the currently deployed CAPI provider components.\n\nEach ConfigMap name must be a valid DNS-1123 label consisting of lowercase alphanumeric characters or hyphens, starting and ending with an alphanumeric character, with a maximum length of 63 characters.\n\nThis field is owned by the installer controller and is updated atomically after a successful reconciliation.\n\nThe maximum number of activeConfigMaps is 128.", - "type": "array", - "items": { - "type": "string", - "default": "" - }, - "x-kubernetes-list-type": "atomic" + "currentRevision": { + "description": "currentRevision is the name of the most recently fully applied revision. It is written by the installer controller. If it is absent, it indicates that no revision has been fully applied yet. If set, currentRevision must correspond to an entry in the revisions list.", + "type": "string" + }, + "desiredRevision": { + "description": "desiredRevision is the name of the desired revision. It is written by the revision controller. It must be set to the name of the entry in the revisions list with the highest revision number.", + "type": "string" }, - "targetConfigMaps": { - "description": "targetConfigMaps is a list of ConfigMap names that the staging controller has validated and approved for reconciliation. 
The installer controller will reconcile these ConfigMaps.\n\nEach ConfigMap name must be a valid DNS-1123 label consisting of lowercase alphanumeric characters or hyphens, starting and ending with an alphanumeric character, with a maximum length of 63 characters.\n\nThis field is owned by the staging controller and is updated atomically to a consistent set of transport ConfigMaps that have passed validation checks.\n\nThe maximum number of targetConfigMaps is 128.", + "revisions": { + "description": "revisions is a list of all currently active revisions. A revision is active until the installer controller updates currentRevision to a later revision. It is written by the revision controller.\n\nThe maximum number of revisions is 16. All revisions must have a unique name. All revisions must have a unique revision number. When adding a revision, the revision number must be greater than the highest revision number in the list. Revisions are immutable, although they can be deleted.", "type": "array", "items": { - "type": "string", - "default": "" + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1alpha1.ClusterAPIInstallerRevision" }, "x-kubernetes-list-type": "atomic" } @@ -37023,7 +37120,8 @@ "items": { "default": {}, "$ref": "#/definitions/com.github.openshift.api.operatoringress.v1.DNSRecord" - } + }, + "x-kubernetes-list-type": "atomic" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", @@ -37074,7 +37172,8 @@ "items": { "type": "string", "default": "" - } + }, + "x-kubernetes-list-type": "atomic" } } }, 
@@ -37093,7 +37192,8 @@ "items": { "default": {}, "$ref": "#/definitions/com.github.openshift.api.operatoringress.v1.DNSZoneStatus" - } + }, + "x-kubernetes-list-type": "atomic" } } }, @@ -37137,7 +37237,8 @@ "items": { "default": {}, "$ref": "#/definitions/com.github.openshift.api.operatoringress.v1.DNSZoneCondition" - } + }, + "x-kubernetes-list-type": "atomic" }, "dnsZone": { "description": "dnsZone is the zone where the record is published.", 
@@ -52174,77 +52275,6 @@ "description": "IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number.", "type": "string", "format": "int-or-string" - }, - "io.k8s.apimachinery.pkg.version.Info": { - "description": "Info contains versioning information. how we'll want to distribute that information.", - "type": "object", - "required": [ - "major", - "minor", - "gitVersion", - "gitCommit", - "gitTreeState", - "buildDate", - "goVersion", - "compiler", - "platform" - ], - "properties": { - "buildDate": { - "type": "string", - "default": "" - }, - "compiler": { - "type": "string", - "default": "" - }, - "emulationMajor": { - "description": "EmulationMajor is the major version of the emulation version", - "type": "string" - }, - "emulationMinor": { - "description": "EmulationMinor is the minor version of the emulation version", - "type": "string" - }, - "gitCommit": { - "type": "string", - "default": "" - }, - "gitTreeState": { - "type": "string", - "default": "" - }, - "gitVersion": { - "type": "string", - "default": "" - }, - "goVersion": { - "type": "string", - "default": "" - }, - "major": { - "description": "Major is the major version of the binary version", - "type": "string", - "default": "" - }, - "minCompatibilityMajor": { - "description": "MinCompatibilityMajor is the major version of the minimum compatibility version", - "type": "string" - }, - "minCompatibilityMinor": { - "description": "MinCompatibilityMinor is the minor version of the minimum compatibility version", - "type": "string" - }, - "minor": { - "description": "Minor is the minor version of the binary version", - "type": "string", - "default": "" - }, - "platform": { - "type": "string", - "default": "" - } - } } } } 
diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml index e3c2202ea6f..5138c8abb90 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml @@ -191,6 +191,19 @@ spec: the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. type: string + expression: + description: |- + expression is an optional CEL expression used to derive + group values from JWT claims. + + When specified, claim must not be set. + maxLength: 1024 + minLength: 1 + type: string + x-kubernetes-validations: + - message: claim must not be set when expression is + provided + rule: 'has(self.expression) ? !has(self.claim) : true' prefix: description: |- prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. 
@@ -252,12 +265,23 @@ spec: properties: claim: description: |- - claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + claim is a optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + + Precisely one of claim or expression must be set if the + ExternalOIDCWithUpstreamParity feature gate is enabled. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 minLength: 1 type: string + expression: + maxLength: 1024 + minLength: 1 + type: string + x-kubernetes-validations: + - message: claim must not be set when expression is + provided + rule: 'has(self.expression) ? !has(self.claim) : true' prefix: description: |- prefix configures the prefix that should be prepended to the value of the JWT claim. @@ -301,8 +325,6 @@ spec: - NoPrefix - Prefix type: string - required: - - claim type: object x-kubernetes-validations: - message: prefix must be set if prefixPolicy is 'Prefix', diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml index 64b65023234..d77b80ceec0 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml 
@@ -252,7 +252,10 @@ spec: properties: claim: description: |- - claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + claim is a optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + + Precisely one of claim or expression must be set if the + ExternalOIDCWithUpstreamParity feature gate is enabled. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 @@ -301,8 +304,6 @@ spec: - NoPrefix - Prefix type: string - required: - - claim type: object x-kubernetes-validations: - message: prefix must be set if prefixPolicy is 'Prefix', diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml index 2f4c3180dc5..48eb874b914 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml @@ -191,6 +191,19 @@ spec: the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. type: string + expression: + description: |- + expression is an optional CEL expression used to derive + group values from JWT claims. + + When specified, claim must not be set. + maxLength: 1024 + minLength: 1 + type: string + x-kubernetes-validations: + - message: claim must not be set when expression is + provided + rule: 'has(self.expression) ? !has(self.claim) : true' prefix: description: |- prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. 
@@ -252,12 +265,23 @@ spec: properties: claim: description: |- - claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + claim is a optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + + Precisely one of claim or expression must be set if the + ExternalOIDCWithUpstreamParity feature gate is enabled. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 minLength: 1 type: string + expression: + maxLength: 1024 + minLength: 1 + type: string + x-kubernetes-validations: + - message: claim must not be set when expression is + provided + rule: 'has(self.expression) ? !has(self.claim) : true' prefix: description: |- prefix configures the prefix that should be prepended to the value of the JWT claim. @@ -301,8 +325,6 @@ spec: - NoPrefix - Prefix type: string - required: - - claim type: object x-kubernetes-validations: - message: prefix must be set if prefixPolicy is 'Prefix', diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml index 2aff1f514b7..6b69f1328c5 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml 
@@ -252,7 +252,10 @@ spec: properties: claim: description: |- - claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + claim is a optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + + Precisely one of claim or expression must be set if the + ExternalOIDCWithUpstreamParity feature gate is enabled. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 @@ -301,8 +304,6 @@ spec: - NoPrefix - Prefix type: string - required: - - claim type: object x-kubernetes-validations: - message: prefix must be set if prefixPolicy is 'Prefix', diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml index 11281f286c6..0f5d1b4cfeb 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml @@ -191,6 +191,19 @@ spec: the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. type: string + expression: + description: |- + expression is an optional CEL expression used to derive + group values from JWT claims. + + When specified, claim must not be set. + maxLength: 1024 + minLength: 1 + type: string + x-kubernetes-validations: + - message: claim must not be set when expression is + provided + rule: 'has(self.expression) ? !has(self.claim) : true' prefix: description: |- prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. 
@@ -252,12 +265,23 @@ spec: properties: claim: description: |- - claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + claim is a optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + + Precisely one of claim or expression must be set if the + ExternalOIDCWithUpstreamParity feature gate is enabled. claim must not be an empty string ("") and must not exceed 256 characters. maxLength: 256 minLength: 1 type: string + expression: + maxLength: 1024 + minLength: 1 + type: string + x-kubernetes-validations: + - message: claim must not be set when expression is + provided + rule: 'has(self.expression) ? !has(self.claim) : true' prefix: description: |- prefix configures the prefix that should be prepended to the value of the JWT claim. @@ -301,8 +325,6 @@ spec: - NoPrefix - Prefix type: string - required: - - claim type: object x-kubernetes-validations: - message: prefix must be set if prefixPolicy is 'Prefix', From 6cc13c438e30d29c894cffe211da66475426aef8 Mon Sep 17 00:00:00 2001 From: Shaza Aldawamneh Date: Mon, 23 Feb 2026 08:27:44 +0100 Subject: [PATCH 3/4] featuregating some validations 
Signed-off-by: Shaza Aldawamneh --- config/v1/types_authentication.go | 32 ++++++++++--------- ...1_authentications-CustomNoUpgrade.crd.yaml | 27 +++++++++++----- ...erator_01_authentications-Default.crd.yaml | 5 +++ ...thentications-DevPreviewNoUpgrade.crd.yaml | 27 +++++++++++----- ...g-operator_01_authentications-OKD.crd.yaml | 5 +++ ...hentications-TechPreviewNoUpgrade.crd.yaml | 27 +++++++++++----- .../ExternalOIDC.yaml | 5 +++ ...ernalOIDCWithUIDAndExtraClaimMappings.yaml | 5 +++ .../ExternalOIDCWithUpstreamParity.yaml | 27 +++++++++++----- .../v1/zz_generated.swagger_doc_generated.go | 11 ++++--- .../generated_openapi/zz_generated.openapi.go | 13 ++++++-- openapi/openapi.json | 8 +++-- ...1_authentications-CustomNoUpgrade.crd.yaml | 27 +++++++++++----- ...erator_01_authentications-Default.crd.yaml | 5 +++ ...thentications-DevPreviewNoUpgrade.crd.yaml | 27 +++++++++++----- ...g-operator_01_authentications-OKD.crd.yaml | 5 +++ ...hentications-TechPreviewNoUpgrade.crd.yaml | 27 +++++++++++----- 17 files changed, 202 insertions(+), 81 deletions(-) diff --git a/config/v1/types_authentication.go b/config/v1/types_authentication.go index 4f1ea7a495c..2657bbdd34d 100644 --- a/config/v1/types_authentication.go +++ b/config/v1/types_authentication.go 
@@ -350,11 +350,25 @@ type TokenClaimMappings struct { } // TokenClaimMapping allows specifying a JWT token claim to be used when mapping claims from an authentication token to cluster identities. +// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="!(has(self.claim) && has(self.expression))",message="claim and expression cannot both be set" type TokenClaimMapping struct { // claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. // // +required + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=256 Claim string `json:"claim"` + + // expression is an optional CEL expression used to derive + // group values from JWT claims. + // + // When specified, claim must not be set. + // + // +optional + // +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=1024 + Expression string `json:"expression,omitempty"` } // TokenClaimOrExpressionMapping allows specifying either a JWT token claim or CEL expression to be used when mapping claims from an authentication token to cluster identities. @@ -590,6 +604,7 @@ type OIDCClientReference struct { // +kubebuilder:validation:XValidation:rule="has(self.prefixPolicy) && self.prefixPolicy == 'Prefix' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)",message="prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise" // +union +// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="!(has(self.claim) && has(self.expression))",message="claim and expression cannot both be set" type UsernameClaimMapping struct { // claim is a optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. // 
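Review bot: The new gated rule `!(has(self.claim) && has(self.expression))` on TokenClaimMapping is paired with a Claim field that keeps `+required` and a tag without omitempty, so with the gate enabled `expression` can never be used: a groups mapping with only `expression` fails the required check, and one with both fails the rule. The generated CustomNoUpgrade CRD later in this patch shows the two constraints side by side (`required: - claim` next to the new `x-kubernetes-validations`). If `expression` is meant to stand in for `claim` on groups, Claim needs `+optional` with `json:"claim,omitempty"` and the gated rule should demand exactly one, e.g. `rule="has(self.claim) != has(self.expression)"`, while the ungated schema still rejects a missing claim. TokenClaimMapping is fully inside the hunk, but its embedding in PrefixedClaimMapping is only visible in the -688 hunk further down.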
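Review bot: The gated struct-level rule added above UsernameClaimMapping only rejects the case where both `claim` and `expression` are present, yet the claim doc in the same hunk says precisely one must be set when the gate is enabled; an object with neither field passes admission and the failure is deferred to whatever consumes the mapping. With the field-level `+required` gone elsewhere in this patch, this rule is the only place presence of a username source is checked, so it should read `rule="has(self.claim) != has(self.expression)"` (or add an explicit `has(self.claim) || has(self.expression)` conjunct) with a message that names both fields. The context line `claim is a optional field` should also read `an optional field`. The UsernameClaimMapping body continues past the end of this hunk.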
@@ -601,7 +616,8 @@ type UsernameClaimMapping struct { // +optional // +kubebuilder:validation:MinLength:=1 // +kubebuilder:validation:MaxLength:=256 - Claim string `json:"claim"` + // +kubebuilder:validation:XValidation:rule="has(self.claim)",message="claim must be set" + Claim string `json:"claim,omitempty"` // expression is an optional CEL expression used to derive // the username from JWT claims. @@ -616,8 +632,6 @@ type UsernameClaimMapping struct { // +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=1024 - // +kubebuilder:validation:XValidation:rule="has(self.expression) ? !has(self.claim) : true",message="claim must not be set when expression is provided" - Expression string `json:"expression,omitempty"` // prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field. @@ -688,18 +702,6 @@ type UsernamePrefix struct { type PrefixedClaimMapping struct { TokenClaimMapping `json:",inline"` - // expression is an optional CEL expression used to derive - // group values from JWT claims. - // - // When specified, claim must not be set. - // - // +optional - // +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity - // +kubebuilder:validation:MinLength=1 - // +kubebuilder:validation:MaxLength=1024 - // +kubebuilder:validation:XValidation:rule="has(self.expression) ? !has(self.claim) : true",message="claim must not be set when expression is provided" - Expression string `json:"expression,omitempty"` - // prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. // // When omitted (""), no prefix is applied to the cluster identity attribute. 
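Review bot: The field-level marker `// +kubebuilder:validation:XValidation:rule="has(self.claim)",message="claim must be set"` on the string field `Claim` is not a valid CEL rule: for a field-level XValidation `self` is the string value itself, so `self.claim` fails compilation and the API server rejects the whole CRD rather than enforcing anything; patch 4/4 of this series appears to drop it again, which confirms the problem. Once it is gone, `Claim` is `+optional` with `omitempty` and the only remaining rule on the type is the mutual-exclusion one from the -590 hunk, so nothing visible here requires at least one of claim or expression; unless a rule outside this hunk enforces it, a username mapping with neither field is admitted and the identity source for every authenticated user is undefined, which should fail closed at admission. A type-level `FeatureGateAwareXValidation` with `rule="has(self.claim) || has(self.expression)",message="one of claim or expression must be set"` expresses the documented "precisely one" contract together with the existing exclusion rule; when the gate is disabled claim should remain required as before. The body of UsernameClaimMapping continues outside the hunk.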
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml index 5138c8abb90..6e48f5b3ff4 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml @@ -190,6 +190,8 @@ spec: description: claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + maxLength: 256 + minLength: 1 type: string expression: description: |- @@ -200,10 +202,6 @@ spec: maxLength: 1024 minLength: 1 type: string - x-kubernetes-validations: - - message: claim must not be set when expression is - provided - rule: 'has(self.expression) ? !has(self.claim) : true' prefix: description: |- prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. @@ -215,6 +213,9 @@ spec: required: - claim type: object + x-kubernetes-validations: + - message: claim and expression cannot both be set + rule: '!(has(self.claim) && has(self.expression))' uid: description: |- uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. 
@@ -274,14 +275,22 @@ spec: maxLength: 256 minLength: 1 type: string + x-kubernetes-validations: + - message: claim must be set + rule: has(self.claim) expression: + description: |- + expression is an optional CEL expression used to derive + the username from JWT claims. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + + Precisely one of claim or expression must be set if the + ExternalOIDCWithUpstreamParity feature gate is enabled. maxLength: 1024 minLength: 1 type: string - x-kubernetes-validations: - - message: claim must not be set when expression is - provided - rule: 'has(self.expression) ? !has(self.claim) : true' prefix: description: |- prefix configures the prefix that should be prepended to the value of the JWT claim. @@ -327,6 +336,8 @@ spec: type: string type: object x-kubernetes-validations: + - message: claim and expression cannot both be set + rule: '!(has(self.claim) && has(self.expression))' - message: prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise rule: 'has(self.prefixPolicy) && self.prefixPolicy == diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml index d77b80ceec0..e784072eaf3 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml @@ -190,6 +190,8 @@ spec: description: claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + maxLength: 256 + minLength: 1 type: string prefix: description: |- 
@@ -261,6 +263,9 @@ spec: maxLength: 256 minLength: 1 type: string + x-kubernetes-validations: + - message: claim must be set + rule: has(self.claim) prefix: description: |- prefix configures the prefix that should be prepended to the value of the JWT claim. diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml index 48eb874b914..083b8269ac5 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml @@ -190,6 +190,8 @@ spec: description: claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + maxLength: 256 + minLength: 1 type: string expression: description: |- @@ -200,10 +202,6 @@ spec: maxLength: 1024 minLength: 1 type: string - x-kubernetes-validations: - - message: claim must not be set when expression is - provided - rule: 'has(self.expression) ? !has(self.claim) : true' prefix: description: |- prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. @@ -215,6 +213,9 @@ spec: required: - claim type: object + x-kubernetes-validations: + - message: claim and expression cannot both be set + rule: '!(has(self.claim) && has(self.expression))' uid: description: |- uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. 
@@ -274,14 +275,22 @@ spec: maxLength: 256 minLength: 1 type: string + x-kubernetes-validations: + - message: claim must be set + rule: has(self.claim) expression: + description: |- + expression is an optional CEL expression used to derive + the username from JWT claims. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + + Precisely one of claim or expression must be set if the + ExternalOIDCWithUpstreamParity feature gate is enabled. maxLength: 1024 minLength: 1 type: string - x-kubernetes-validations: - - message: claim must not be set when expression is - provided - rule: 'has(self.expression) ? !has(self.claim) : true' prefix: description: |- prefix configures the prefix that should be prepended to the value of the JWT claim. @@ -327,6 +336,8 @@ spec: type: string type: object x-kubernetes-validations: + - message: claim and expression cannot both be set + rule: '!(has(self.claim) && has(self.expression))' - message: prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise rule: 'has(self.prefixPolicy) && self.prefixPolicy == diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml index 6b69f1328c5..cc1405d98b6 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml @@ -190,6 +190,8 @@ spec: description: claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + maxLength: 256 + minLength: 1 type: string prefix: description: |- 
@@ -261,6 +263,9 @@ spec: maxLength: 256 minLength: 1 type: string + x-kubernetes-validations: + - message: claim must be set + rule: has(self.claim) prefix: description: |- prefix configures the prefix that should be prepended to the value of the JWT claim. diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml index 0f5d1b4cfeb..15edad15cdf 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml @@ -190,6 +190,8 @@ spec: description: claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + maxLength: 256 + minLength: 1 type: string expression: description: |- @@ -200,10 +202,6 @@ spec: maxLength: 1024 minLength: 1 type: string - x-kubernetes-validations: - - message: claim must not be set when expression is - provided - rule: 'has(self.expression) ? !has(self.claim) : true' prefix: description: |- prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. @@ -215,6 +213,9 @@ spec: required: - claim type: object + x-kubernetes-validations: + - message: claim and expression cannot both be set + rule: '!(has(self.claim) && has(self.expression))' uid: description: |- uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. 
@@ -274,14 +275,22 @@ spec: maxLength: 256 minLength: 1 type: string + x-kubernetes-validations: + - message: claim must be set + rule: has(self.claim) expression: + description: |- + expression is an optional CEL expression used to derive + the username from JWT claims. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + + Precisely one of claim or expression must be set if the + ExternalOIDCWithUpstreamParity feature gate is enabled. maxLength: 1024 minLength: 1 type: string - x-kubernetes-validations: - - message: claim must not be set when expression is - provided - rule: 'has(self.expression) ? !has(self.claim) : true' prefix: description: |- prefix configures the prefix that should be prepended to the value of the JWT claim. @@ -327,6 +336,8 @@ spec: type: string type: object x-kubernetes-validations: + - message: claim and expression cannot both be set + rule: '!(has(self.claim) && has(self.expression))' - message: prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise rule: 'has(self.prefixPolicy) && self.prefixPolicy == diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml index a95c0638447..1c30ca83477 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml @@ -95,6 +95,8 @@ spec: description: claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + maxLength: 256 + minLength: 1 type: string prefix: description: |- 
@@ -124,6 +126,9 @@ spec: maxLength: 256 minLength: 1 type: string + x-kubernetes-validations: + - message: claim must be set + rule: has(self.claim) prefix: description: |- prefix configures the prefix that should be prepended to the value of the JWT claim. diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml index d76fde0730c..de3147ed33d 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml @@ -190,6 +190,8 @@ spec: description: claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + maxLength: 256 + minLength: 1 type: string prefix: description: |- @@ -261,6 +263,9 @@ spec: maxLength: 256 minLength: 1 type: string + x-kubernetes-validations: + - message: claim must be set + rule: has(self.claim) prefix: description: |- prefix configures the prefix that should be prepended to the value of the JWT claim. diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml index ebf355da7d7..92a47ada75b 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml 
@@ -95,6 +95,8 @@ spec: description: claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + maxLength: 256 + minLength: 1 type: string expression: description: |- @@ -105,10 +107,6 @@ spec: maxLength: 1024 minLength: 1 type: string - x-kubernetes-validations: - - message: claim must not be set when expression is - provided - rule: 'has(self.expression) ? !has(self.claim) : true' prefix: description: |- prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. @@ -120,6 +118,9 @@ spec: required: - claim type: object + x-kubernetes-validations: + - message: claim and expression cannot both be set + rule: '!(has(self.claim) && has(self.expression))' username: description: username is a required field that configures how the username of a cluster identity should be constructed @@ -137,14 +138,22 @@ spec: maxLength: 256 minLength: 1 type: string + x-kubernetes-validations: + - message: claim must be set + rule: has(self.claim) expression: + description: |- + expression is an optional CEL expression used to derive + the username from JWT claims. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + + Precisely one of claim or expression must be set if the + ExternalOIDCWithUpstreamParity feature gate is enabled. maxLength: 1024 minLength: 1 type: string - x-kubernetes-validations: - - message: claim must not be set when expression is - provided - rule: 'has(self.expression) ? !has(self.claim) : true' prefix: description: |- prefix configures the prefix that should be prepended to the value of the JWT claim. 
@@ -190,6 +199,8 @@ spec: type: string type: object x-kubernetes-validations: + - message: claim and expression cannot both be set + rule: '!(has(self.claim) && has(self.expression))' - message: prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise rule: 'has(self.prefixPolicy) && self.prefixPolicy == diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index f540c9c49eb..e22ece3f14d 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go 
@@ -457,9 +457,8 @@ func (OIDCProvider) SwaggerDoc() map[string]string { } var map_PrefixedClaimMapping = map[string]string{ - "": "PrefixedClaimMapping configures a claim mapping that allows for an optional prefix.", - "expression": "expression is an optional CEL expression used to derive group values from JWT claims.\n\nWhen specified, claim must not be set.", - "prefix": "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", + "": "PrefixedClaimMapping configures a claim mapping that allows for an optional prefix.", + "prefix": "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".", } func (PrefixedClaimMapping) SwaggerDoc() map[string]string { 
@@ -467,8 +466,9 @@ func (PrefixedClaimMapping) SwaggerDoc() map[string]string { } var map_TokenClaimMapping = map[string]string{ - "": "TokenClaimMapping allows specifying a JWT token claim to be used when mapping claims from an authentication token to cluster identities.", - "claim": "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.", + "": "TokenClaimMapping allows specifying a JWT token claim to be used when mapping claims from an authentication token to cluster identities.", + "claim": "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.", + "expression": "expression is an optional CEL expression used to derive group values from JWT claims.\n\nWhen specified, claim must not be set.", } func (TokenClaimMapping) SwaggerDoc() map[string]string { 
@@ -548,6 +548,7 @@ func (TokenUserValidationRule) SwaggerDoc() map[string]string { var map_UsernameClaimMapping = map[string]string{ "claim": "claim is a optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.\n\nPrecisely one of claim or expression must be set if the ExternalOIDCWithUpstreamParity feature gate is enabled.\n\nclaim must not be an empty string (\"\") and must not exceed 256 characters.", + "expression": "expression is an optional CEL expression used to derive the username from JWT claims.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'.\n\nPrecisely one of claim or expression must be set if the ExternalOIDCWithUpstreamParity feature gate is enabled.", "prefixPolicy": "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim.\n\nThe prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. 
Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'.\n\nAs an example, consider the following scenario:\n\n `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n and `claim` is set to:\n - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n - \"email\": the mapped value will be \"userA@myoidc.tld\"", "prefix": "prefix configures the prefix that should be prepended to the value of the JWT claim.\n\nprefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise.", } diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 8eff072dc9d..cca0c13ffcc 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -21136,6 +21136,13 @@ func schema_openshift_api_config_v1_TokenClaimMapping(ref common.ReferenceCallba Format: "", }, }, + "expression": { + SchemaProps: spec.SchemaProps{ + Description: "expression is an optional CEL expression used to derive group values from JWT claims.\n\nWhen specified, claim must not be set.", + Type: []string{"string"}, + Format: "", + }, + }, }, Required: []string{"claim"}, }, 
@@ -21586,15 +21593,15 @@ func schema_openshift_api_config_v1_UsernameClaimMapping(ref common.ReferenceCal "claim": { SchemaProps: spec.SchemaProps{ Description: "claim is a optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.\n\nPrecisely one of claim or expression must be set if the ExternalOIDCWithUpstreamParity feature gate is enabled.\n\nclaim must not be an empty string (\"\") and must not exceed 256 characters.", - Default: "", Type: []string{"string"}, Format: "", }, }, "expression": { SchemaProps: spec.SchemaProps{ - Type: []string{"string"}, - Format: "", + Description: "expression is an optional CEL expression used to derive the username from JWT claims.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'.\n\nPrecisely one of claim or expression must be set if the ExternalOIDCWithUpstreamParity feature gate is enabled.", + Type: []string{"string"}, + Format: "", }, }, "prefixPolicy": { diff --git a/openapi/openapi.json b/openapi/openapi.json index 2fb0842df2c..5b0522312ef 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -11456,6 +11456,10 @@ "description": "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.", "type": "string", "default": "" + }, + "expression": { + "description": "expression is an optional CEL expression used to derive group values from JWT claims.\n\nWhen specified, claim must not be set.", + "type": "string" } } }, 
@@ -11724,10 +11728,10 @@ "properties": { "claim": { "description": "claim is a optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.\n\nPrecisely one of claim or expression must be set if the ExternalOIDCWithUpstreamParity feature gate is enabled.\n\nclaim must not be an empty string (\"\") and must not exceed 256 characters.", - "type": "string", - "default": "" + "type": "string" }, "expression": { + "description": "expression is an optional CEL expression used to derive the username from JWT claims.\n\nCEL expressions have access to the token claims through a CEL variable, 'claims'.\n\nPrecisely one of claim or expression must be set if the ExternalOIDCWithUpstreamParity feature gate is enabled.", "type": "string" }, "prefix": { diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml index 5138c8abb90..6e48f5b3ff4 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml @@ -190,6 +190,8 @@ spec: description: claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + maxLength: 256 + minLength: 1 type: string expression: description: |- @@ -200,10 +202,6 @@ spec: maxLength: 1024 minLength: 1 type: string - x-kubernetes-validations: - - message: claim must not be set when expression is - provided - rule: 'has(self.expression) ? !has(self.claim) : true' prefix: description: |- prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. 
@@ -215,6 +213,9 @@ spec: required: - claim type: object + x-kubernetes-validations: + - message: claim and expression cannot both be set + rule: '!(has(self.claim) && has(self.expression))' uid: description: |- uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. @@ -274,14 +275,22 @@ spec: maxLength: 256 minLength: 1 type: string + x-kubernetes-validations: + - message: claim must be set + rule: has(self.claim) expression: + description: |- + expression is an optional CEL expression used to derive + the username from JWT claims. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + + Precisely one of claim or expression must be set if the + ExternalOIDCWithUpstreamParity feature gate is enabled. maxLength: 1024 minLength: 1 type: string - x-kubernetes-validations: - - message: claim must not be set when expression is - provided - rule: 'has(self.expression) ? !has(self.claim) : true' prefix: description: |- prefix configures the prefix that should be prepended to the value of the JWT claim. @@ -327,6 +336,8 @@ spec: type: string type: object x-kubernetes-validations: + - message: claim and expression cannot both be set + rule: '!(has(self.claim) && has(self.expression))' - message: prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise rule: 'has(self.prefixPolicy) && self.prefixPolicy == diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml index d77b80ceec0..e784072eaf3 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml 
@@ -190,6 +190,8 @@ spec: description: claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + maxLength: 256 + minLength: 1 type: string prefix: description: |- @@ -261,6 +263,9 @@ spec: maxLength: 256 minLength: 1 type: string + x-kubernetes-validations: + - message: claim must be set + rule: has(self.claim) prefix: description: |- prefix configures the prefix that should be prepended to the value of the JWT claim. diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml index 48eb874b914..083b8269ac5 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml @@ -190,6 +190,8 @@ spec: description: claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + maxLength: 256 + minLength: 1 type: string expression: description: |- @@ -200,10 +202,6 @@ spec: maxLength: 1024 minLength: 1 type: string - x-kubernetes-validations: - - message: claim must not be set when expression is - provided - rule: 'has(self.expression) ? !has(self.claim) : true' prefix: description: |- prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. @@ -215,6 +213,9 @@ spec: required: - claim type: object + x-kubernetes-validations: + - message: claim and expression cannot both be set + rule: '!(has(self.claim) && has(self.expression))' uid: description: |- uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. 
@@ -274,14 +275,22 @@ spec: maxLength: 256 minLength: 1 type: string + x-kubernetes-validations: + - message: claim must be set + rule: has(self.claim) expression: + description: |- + expression is an optional CEL expression used to derive + the username from JWT claims. + + CEL expressions have access to the token claims + through a CEL variable, 'claims'. + + Precisely one of claim or expression must be set if the + ExternalOIDCWithUpstreamParity feature gate is enabled. maxLength: 1024 minLength: 1 type: string - x-kubernetes-validations: - - message: claim must not be set when expression is - provided - rule: 'has(self.expression) ? !has(self.claim) : true' prefix: description: |- prefix configures the prefix that should be prepended to the value of the JWT claim. @@ -327,6 +336,8 @@ spec: type: string type: object x-kubernetes-validations: + - message: claim and expression cannot both be set + rule: '!(has(self.claim) && has(self.expression))' - message: prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise rule: 'has(self.prefixPolicy) && self.prefixPolicy == diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml index 6b69f1328c5..cc1405d98b6 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml @@ -190,6 +190,8 @@ spec: description: claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + maxLength: 256 + minLength: 1 type: string prefix: description: |- 
@@ -261,6 +263,9 @@ spec: maxLength: 256 minLength: 1 type: string + x-kubernetes-validations: + - message: claim must be set + rule: has(self.claim) prefix: description: |- prefix configures the prefix that should be prepended to the value of the JWT claim. diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml index 0f5d1b4cfeb..15edad15cdf 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml @@ -190,6 +190,8 @@ spec: description: claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping. + maxLength: 256 + minLength: 1 type: string expression: description: |- @@ -200,10 +202,6 @@ spec: maxLength: 1024 minLength: 1 type: string - x-kubernetes-validations: - - message: claim must not be set when expression is - provided - rule: 'has(self.expression) ? !has(self.claim) : true' prefix: description: |- prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes. @@ -215,6 +213,9 @@ spec: required: - claim type: object + x-kubernetes-validations: + - message: claim and expression cannot both be set + rule: '!(has(self.claim) && has(self.expression))' uid: description: |- uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity. 
@@ -274,14 +275,22 @@ spec:
  maxLength: 256
  minLength: 1
  type: string
+ x-kubernetes-validations:
+ - message: claim must be set
+ rule: has(self.claim)
  expression:
+ description: |-
+ expression is an optional CEL expression used to derive
+ the username from JWT claims.
+
+ CEL expressions have access to the token claims
+ through a CEL variable, 'claims'.
+
+ Precisely one of claim or expression must be set if the
+ ExternalOIDCWithUpstreamParity feature gate is enabled.
  maxLength: 1024
  minLength: 1
  type: string
- x-kubernetes-validations:
- - message: claim must not be set when expression is
- provided
- rule: 'has(self.expression) ? !has(self.claim) : true'
  prefix:
  description: |-
  prefix configures the prefix that should be prepended to the value of the JWT claim.
@@ -327,6 +336,8 @@ spec:
  type: string
  type: object
  x-kubernetes-validations:
+ - message: claim and expression cannot both be set
+ rule: '!(has(self.claim) && has(self.expression))'
  - message: prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise
  rule: 'has(self.prefixPolicy) && self.prefixPolicy ==
From d040102c8503f2d0dd3692b766af70138eaaa0a7 Mon Sep 17 00:00:00 2001
From: Shaza Aldawamneh
Date: Mon, 23 Feb 2026 17:22:07 +0100
Subject: [PATCH 4/4] fixing validation
Signed-off-by: Shaza Aldawamneh
---
 .../ExternalOIDCWithUpstreamParity.yaml | 2 +-
 config/v1/types_authentication.go | 1 -
 ...config-operator_01_authentications-CustomNoUpgrade.crd.yaml | 3 ---
 ...0000_10_config-operator_01_authentications-Default.crd.yaml | 3 ---
 ...ig-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml | 3 ---
 .../0000_10_config-operator_01_authentications-OKD.crd.yaml | 3 ---
 ...g-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml | 3 ---
 .../authentications.config.openshift.io/ExternalOIDC.yaml | 3 ---
 .../ExternalOIDCWithUIDAndExtraClaimMappings.yaml | 3 ---
 .../ExternalOIDCWithUpstreamParity.yaml | 3 ---
 ...config-operator_01_authentications-CustomNoUpgrade.crd.yaml | 3 ---
 ...0000_10_config-operator_01_authentications-Default.crd.yaml | 3 ---
 ...ig-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml | 3 ---
 .../0000_10_config-operator_01_authentications-OKD.crd.yaml | 3 ---
 ...g-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml | 3 ---
 15 files changed, 1 insertion(+), 41 deletions(-)
diff --git a/config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml b/config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml
index 37e69f4380e..0e0c64008bc 100644
--- a/config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml
+++ b/config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml
@@ -499,7 +499,7 @@ tests:
  username:
  claim: "preferred_username"
  expression: "claims.sub"
- expectedError: "claim must not be set when expression is provided"
+ expectedError: "claim and expression cannot both be set"
  - name: Can set groups mapping using a CEL expression
  initial: |
diff --git a/config/v1/types_authentication.go b/config/v1/types_authentication.go
index 2657bbdd34d..0eeb1da51f0 100644
--- a/config/v1/types_authentication.go
+++ b/config/v1/types_authentication.go
@@ -616,7 +616,6 @@ type UsernameClaimMapping struct {
  // +optional
  // +kubebuilder:validation:MinLength:=1
  // +kubebuilder:validation:MaxLength:=256
- // +kubebuilder:validation:XValidation:rule="has(self.claim)",message="claim must be set"
  Claim string `json:"claim,omitempty"`
  // expression is an optional CEL expression used to derive
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
index 6e48f5b3ff4..c71aa22f542 100644
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
@@ -275,9 +275,6 @@ spec:
  maxLength: 256
  minLength: 1
  type: string
- x-kubernetes-validations:
- - message: claim must be set
- rule: has(self.claim)
  expression:
  description: |-
  expression is an optional CEL expression used to derive
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml
index e784072eaf3..fdfcd422aaa 100644
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml
@@ -263,9 +263,6 @@ spec:
  maxLength: 256
  minLength: 1
  type: string
- x-kubernetes-validations:
- - message: claim must be set
- rule: has(self.claim)
  prefix:
  description: |-
  prefix configures the prefix that should be prepended to the value of the JWT claim.
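Review bot: Dropping the field-level `has(self.claim)` rule on Claim leaves nothing in UsernameClaimMapping that requires at least one of claim or expression, while the description added for expression in the earlier patch still promises "Precisely one of claim or expression must be set" and the surviving type-level rule `!(has(self.claim) && has(self.expression))` only forbids setting both. A username mapping with neither field is now accepted by the API server even though it cannot produce a username, so the consumer of this config will reject or misbehave on an object the CRD said was valid. The removed line presumably failed to compile because at field level `self` is the claim string itself; the check belongs on the struct instead, e.g. `// +kubebuilder:validation:XValidation:rule="has(self.claim) || has(self.expression)",message="one of claim or expression must be set"`, and since the Default and OKD manifests in this diff have no expression field, it has to be emitted only where expression exists (the gate-aware XValidation marker the repository uses for ExternalOIDCWithUpstreamParity) or it will not compile there. The test hunk in this commit only updates the expected error string; a negative case with neither claim nor expression set would pin the intended behaviour. The UsernameClaimMapping struct begins before this hunk.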
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml
index 083b8269ac5..31b7e1d0d9b 100644
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml
@@ -275,9 +275,6 @@ spec:
  maxLength: 256
  minLength: 1
  type: string
- x-kubernetes-validations:
- - message: claim must be set
- rule: has(self.claim)
  expression:
  description: |-
  expression is an optional CEL expression used to derive
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml
index cc1405d98b6..214ad092297 100644
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml
@@ -263,9 +263,6 @@ spec:
  maxLength: 256
  minLength: 1
  type: string
- x-kubernetes-validations:
- - message: claim must be set
- rule: has(self.claim)
  prefix:
  description: |-
  prefix configures the prefix that should be prepended to the value of the JWT claim.
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml
index 15edad15cdf..07f1e292b37 100644
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml
@@ -275,9 +275,6 @@ spec:
  maxLength: 256
  minLength: 1
  type: string
- x-kubernetes-validations:
- - message: claim must be set
- rule: has(self.claim)
  expression:
  description: |-
  expression is an optional CEL expression used to derive
diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml
index 1c30ca83477..312f4c42a54 100644
--- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml
+++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml
@@ -126,9 +126,6 @@ spec:
  maxLength: 256
  minLength: 1
  type: string
- x-kubernetes-validations:
- - message: claim must be set
- rule: has(self.claim)
  prefix:
  description: |-
  prefix configures the prefix that should be prepended to the value of the JWT claim.
diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml
index de3147ed33d..025028f2feb 100644
--- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml
+++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml
@@ -263,9 +263,6 @@ spec:
  maxLength: 256
  minLength: 1
  type: string
- x-kubernetes-validations:
- - message: claim must be set
- rule: has(self.claim)
  prefix:
  description: |-
  prefix configures the prefix that should be prepended to the value of the JWT claim.
diff --git a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml
index 92a47ada75b..2a48903de53 100644
--- a/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml
+++ b/config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml
@@ -138,9 +138,6 @@ spec:
  maxLength: 256
  minLength: 1
  type: string
- x-kubernetes-validations:
- - message: claim must be set
- rule: has(self.claim)
  expression:
  description: |-
  expression is an optional CEL expression used to derive
diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
index 6e48f5b3ff4..c71aa22f542 100644
--- a/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
+++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
@@ -275,9 +275,6 @@ spec:
  maxLength: 256
  minLength: 1
  type: string
- x-kubernetes-validations:
- - message: claim must be set
- rule: has(self.claim)
  expression:
  description: |-
  expression is an optional CEL expression used to derive
diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml
index e784072eaf3..fdfcd422aaa 100644
--- a/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml
+++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml
@@ -263,9 +263,6 @@ spec:
  maxLength: 256
  minLength: 1
  type: string
- x-kubernetes-validations:
- - message: claim must be set
- rule: has(self.claim)
  prefix:
  description: |-
  prefix configures the prefix that should be prepended to the value of the JWT claim.
diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml
index 083b8269ac5..31b7e1d0d9b 100644
--- a/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml
+++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml
@@ -275,9 +275,6 @@ spec:
  maxLength: 256
  minLength: 1
  type: string
- x-kubernetes-validations:
- - message: claim must be set
- rule: has(self.claim)
  expression:
  description: |-
  expression is an optional CEL expression used to derive
diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml
index cc1405d98b6..214ad092297 100644
--- a/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml
+++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml
@@ -263,9 +263,6 @@ spec:
  maxLength: 256
  minLength: 1
  type: string
- x-kubernetes-validations:
- - message: claim must be set
- rule: has(self.claim)
  prefix:
  description: |-
  prefix configures the prefix that should be prepended to the value of the JWT claim.
diff --git a/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml
index 15edad15cdf..07f1e292b37 100644
--- a/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml
+++ b/payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml
@@ -275,9 +275,6 @@ spec:
  maxLength: 256
  minLength: 1
  type: string
- x-kubernetes-validations:
- - message: claim must be set
- rule: has(self.claim)
  expression:
  description: |-
  expression is an optional CEL expression used to derive