26 changes: 26 additions & 0 deletions config/crd/bases/operator.kcp.io_frontproxies.yaml
Expand Up @@ -114,7 +114,29 @@ spec:
description: |-
Optionally provide the client secret for the OIDC client. This is not used by KCP itself, but is used to generate
a OIDC kubeconfig that can be shared with users to log in via the OIDC provider.
Deprecated: use clientSecretRef instead.
type: string
clientSecretRef:
description: |-
ClientSecretRef references a secret that contains the OIDC client secret.
The secret must contain a key named "secret" (or the key specified in the key field).
properties:
key:
description: Key is the key in the secret that contains
the client secret. Defaults to "secret".
type: string
name:
description: Name is the name of the secret that contains
the client secret.
type: string
namespace:
description: Namespace is the namespace of the secret.
If not specified, the secret is assumed to be in the
same namespace as the resource.
type: string
required:
- name
type: object
groupsClaim:
description: 'Experimental: Optionally provides a custom claim
for fetching groups. The claim must be a string or an array
Expand Down Expand Up @@ -142,6 +164,10 @@ spec:
- clientID
- issuerURL
type: object
x-kubernetes-validations:
- message: Cannot set both clientSecret (deprecated) and clientSecretRef.
Use clientSecretRef only.
rule: '!(has(self.clientSecret) && has(self.clientSecretRef))'
passOnGroups:
description: 'Optional: PassOnGroups configures groups to be passed
on before forwarding requests to Shards'
26 changes: 26 additions & 0 deletions config/crd/bases/operator.kcp.io_rootshards.yaml
Expand Up @@ -157,7 +157,29 @@ spec:
description: |-
Optionally provide the client secret for the OIDC client. This is not used by KCP itself, but is used to generate
a OIDC kubeconfig that can be shared with users to log in via the OIDC provider.
Deprecated: use clientSecretRef instead.
type: string
clientSecretRef:
description: |-
ClientSecretRef references a secret that contains the OIDC client secret.
The secret must contain a key named "secret" (or the key specified in the key field).
properties:
key:
description: Key is the key in the secret that contains
the client secret. Defaults to "secret".
type: string
name:
description: Name is the name of the secret that contains
the client secret.
type: string
namespace:
description: Namespace is the namespace of the secret.
If not specified, the secret is assumed to be in the
same namespace as the resource.
type: string
required:
- name
type: object
groupsClaim:
description: 'Experimental: Optionally provides a custom claim
for fetching groups. The claim must be a string or an array
Expand Down Expand Up @@ -185,6 +207,10 @@ spec:
- clientID
- issuerURL
type: object
x-kubernetes-validations:
- message: Cannot set both clientSecret (deprecated) and clientSecretRef.
Use clientSecretRef only.
rule: '!(has(self.clientSecret) && has(self.clientSecretRef))'
passOnGroups:
description: 'Optional: PassOnGroups configures groups to be passed
on before forwarding requests to Shards'
26 changes: 26 additions & 0 deletions config/crd/bases/operator.kcp.io_shards.yaml
Expand Up @@ -157,7 +157,29 @@ spec:
description: |-
Optionally provide the client secret for the OIDC client. This is not used by KCP itself, but is used to generate
a OIDC kubeconfig that can be shared with users to log in via the OIDC provider.
Deprecated: use clientSecretRef instead.
type: string
clientSecretRef:
description: |-
ClientSecretRef references a secret that contains the OIDC client secret.
The secret must contain a key named "secret" (or the key specified in the key field).
properties:
key:
description: Key is the key in the secret that contains
the client secret. Defaults to "secret".
type: string
name:
description: Name is the name of the secret that contains
the client secret.
type: string
namespace:
description: Namespace is the namespace of the secret.
If not specified, the secret is assumed to be in the
same namespace as the resource.
type: string
required:
- name
type: object
groupsClaim:
description: 'Experimental: Optionally provides a custom claim
for fetching groups. The claim must be a string or an array
Expand Down Expand Up @@ -185,6 +207,10 @@ spec:
- clientID
- issuerURL
type: object
x-kubernetes-validations:
- message: Cannot set both clientSecret (deprecated) and clientSecretRef.
Use clientSecretRef only.
rule: '!(has(self.clientSecret) && has(self.clientSecretRef))'
passOnGroups:
description: 'Optional: PassOnGroups configures groups to be passed
on before forwarding requests to Shards'
19 changes: 19 additions & 0 deletions sdk/apis/operator/v1alpha1/common.go
Expand Up @@ -389,6 +389,7 @@ type LoggingSpec struct {
Level int `json:"level,omitempty"`
}

// +kubebuilder:validation:XValidation:rule="!(has(self.clientSecret) && has(self.clientSecretRef))",message="Cannot set both clientSecret (deprecated) and clientSecretRef. Use clientSecretRef only."
type OIDCConfiguration struct {
// IssuerURL is used for the OIDC issuer URL. Only https URLs will be accepted.
IssuerURL string `json:"issuerURL"`
Expand All @@ -397,8 +398,15 @@ type OIDCConfiguration struct {

// Optionally provide the client secret for the OIDC client. This is not used by KCP itself, but is used to generate
// a OIDC kubeconfig that can be shared with users to log in via the OIDC provider.
// Deprecated: use clientSecretRef instead.
// +optional
ClientSecret string `json:"clientSecret,omitempty"`

// ClientSecretRef references a secret that contains the OIDC client secret.
// The secret must contain a key named "secret" (or the key specified in the key field).
// +optional
ClientSecretRef *OIDCSecretRef `json:"clientSecretRef,omitempty"`

// Experimental: Optionally provides a custom claim for fetching groups. The claim must be a string or an array of strings.
GroupsClaim string `json:"groupsClaim,omitempty"`
// Optionally uses a custom claim for fetching the username. This defaults to "sub" if unset.
Expand All @@ -423,3 +431,14 @@ type OIDCCAFileRef struct {
// +optional
Key string `json:"key,omitempty"`
}

type OIDCSecretRef struct {
// Name is the name of the secret that contains the client secret.
Name string `json:"name"`
// Namespace is the namespace of the secret. If not specified, the secret is assumed to be in the same namespace as the resource.
// +optional
Namespace string `json:"namespace,omitempty"`
Is there a point in having namespace here? Can we refer to and use secrets across namespaces?

// Key is the key in the secret that contains the client secret. Defaults to "secret".
// +optional
Key string `json:"key,omitempty"`
}
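Review bot: The `// Deprecated: use clientSecretRef instead.` line on ClientSecret is part of the same comment paragraph as the field description, and tooling such as go doc and staticcheck only recognizes a deprecation notice when "Deprecated:" starts its own paragraph, so a blank `//` line should precede it. The new exported type OIDCSecretRef has no doc comment; something like `// OIDCSecretRef identifies the Secret, and the key within it, that holds the OIDC client secret.` would cover it. The Key comment states that the key defaults to "secret", but no `+kubebuilder:default` marker accompanies the field, so the CRD schema will not populate it and the fallback presumably lives in controller code outside this diff — worth confirming that every reader of the referenced Secret applies that same fallback. The OIDCConfiguration struct is split across the two hunks and its definition continues past the second one.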
20 changes: 20 additions & 0 deletions sdk/apis/operator/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

25 changes: 17 additions & 8 deletions sdk/applyconfiguration/operator/v1alpha1/oidcconfiguration.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

57 changes: 57 additions & 0 deletions sdk/applyconfiguration/operator/v1alpha1/oidcsecretref.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 2 additions & 0 deletions sdk/applyconfiguration/utils.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.