DexAuthenticator

Scope: Namespaced

After the DexAuthenticator object appears in the namespace, the following objects will be created:

  • Deployment containing oauth2-proxy and redis containers
  • Service pointing to the Deployment with oauth2-proxy
  • Ingress configured to receive requests on https://<applicationDomain>/dex-authenticator and forward them to that Service
  • Secrets needed to access dex

NOTE! After a pod with oauth2-proxy restarts, the current access token and id token are obtained again (using the refresh token) and stored in redis memory.

  • spec (object)

    Required value.

    • allowedGroups (array of strings)

      Groups that the user should be in to authenticate successfully.

      Additionally, this parameter limits the list of groups put into the OIDC token: the token carries the intersection of the specified groups and the user's actual groups.

      Default: All groups are allowed.

    • applicationDomain (string)

      Public domain that points to your application. Must be specified without HTTP scheme.

      Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

      Example: "my-app.domain.com"

      Required value.

    • applicationIngressCertificateSecretName (string)

      Name of the TLS certificate secret referenced in your application Ingress object; it is added to the dex-authenticator Ingress object for HTTPS access. The secret must be in the same namespace as the DexAuthenticator object.

      Example: "ingress-tls"

    • applicationIngressClassName (string)

      Ingress class that serves your application ingress resource.

      Example: "nginx"

      Required value.

    • keepUsersLoggedInFor (string)

      The user session is kept for the specified amount of time even if the user does not log in again.

      Specified with an s, m or h suffix.

      Default: "168h"

      Example: "24h"

    • nodeSelector (object)

      nodeSelector for the dex-authenticator pods.

      If the parameter is omitted or set to false, it is determined automatically.

      Pattern: the same as in the pods’ spec.nodeSelector parameter in Kubernetes.

    • sendAuthorizationHeader (boolean)

      When set to true, requests to the application are sent with an “Authorization: Bearer” header.

    • tolerations (array of objects)

      Tolerations for the dex-authenticator pods.

      A dex-authenticator pod with this toleration tolerates any taint that matches the triple <key,value,effect> using the matching operator.

      If the parameter is omitted or set to false, it is determined automatically.

      Pattern: standard toleration object. Pods inherit this object as is.

      • effect (string)

        Effect indicates the taint effect to match. Empty means match all taint effects.

        Allowed values: NoSchedule, PreferNoSchedule, NoExecute

      • key (string)

        Key is the taint key that the toleration applies to. Empty means match all taint keys.

        If the key is empty, operator must be Exists; this combination means to match all values and all keys.

      • operator (string)

        Operator represents a key’s relationship to the value.

        Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.

        Default: "Equal"

        Allowed values: Exists, Equal

      • tolerationSeconds (integer)

        TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint.

        By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.

      • value (string)

        Value is the taint value the toleration matches to.

        If the operator is Exists, the value should be empty, otherwise just a regular string.

    • whitelistSourceRanges (array of strings)

      CIDRs that are allowed to authenticate. If not specified, authentication is allowed from any IP address.

      Pattern: ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$

      Example: "192.168.42.0/24"
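A check for a DexAuthenticator spec against the constraints listed above, as an added example that is not Deckhouse code. It validates the required fields, the documented patterns and the keepUsersLoggedInFor suffix, goes one step beyond the CRD pattern by parsing each whitelistSourceRanges entry as a real network (the regex alone accepts 300.1.1.1/40 and a host address such as 192.168.42.1/24), and computes the groups claim that the allowedGroups intersection produces. The sample specs are constructed; the domain, ingress class and secret names are placeholders.

```python
"""Added example (not Deckhouse code): validate a DexAuthenticator spec against
the constraints documented in the field reference above, and compute the groups
claim that the documented allowedGroups intersection produces."""
import ipaddress
import re

# Patterns copied from the field reference above.
DOMAIN_RE = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
CIDR_RE = re.compile(r"^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$")
DURATION_RE = re.compile(r"^[0-9]+[smh]$")    # "s, m or h suffix"
REQUIRED = ("applicationDomain", "applicationIngressClassName")


def validate_spec(spec: dict) -> list:
    """Return a list of problems; an empty list means the spec is acceptable."""
    problems = []
    for field in REQUIRED:
        if not spec.get(field):
            problems.append(f"{field}: required value missing")
    domain = spec.get("applicationDomain", "")
    if domain and not DOMAIN_RE.match(domain):
        problems.append(f"applicationDomain: {domain!r} does not match the pattern "
                        "(lowercase host name, no scheme, no path)")
    ttl = spec.get("keepUsersLoggedInFor")
    if ttl is not None and not DURATION_RE.match(ttl):
        problems.append(f"keepUsersLoggedInFor: {ttl!r} must be a number followed by s, m or h")
    for cidr in spec.get("whitelistSourceRanges", []):
        if not CIDR_RE.match(cidr):
            problems.append(f"whitelistSourceRanges: {cidr!r} does not match the pattern")
            continue
        # The CRD pattern only checks the shape: 300.1.1.1/40 passes it, and so
        # does a host address such as 192.168.42.1/24. Parse it as a network too.
        try:
            ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"whitelistSourceRanges: {cidr!r} is not a valid network ({exc})")
    if "sendAuthorizationHeader" in spec and not isinstance(spec["sendAuthorizationHeader"], bool):
        problems.append("sendAuthorizationHeader: must be a boolean")
    return problems


def effective_groups(allowed_groups, user_groups):
    """Groups that end up in the OIDC token: the intersection of allowedGroups
    and the user's actual groups. With allowedGroups unset every group passes.
    Returns None when the intersection is empty, i.e. authentication must fail."""
    if allowed_groups is None:
        return list(user_groups)
    allowed = set(allowed_groups)
    result = [g for g in user_groups if g in allowed]
    return result or None


# Constructed sample specs; the domain, ingress class and secret names are placeholders.
GOOD_SPEC = {
    "applicationDomain": "my-app.domain.com",
    "applicationIngressClassName": "nginx",
    "applicationIngressCertificateSecretName": "ingress-tls",
    "keepUsersLoggedInFor": "24h",
    "allowedGroups": ["admins", "developers"],
    "whitelistSourceRanges": ["192.168.42.0/24"],
    "sendAuthorizationHeader": True,
}
BAD_SPEC = {
    "applicationDomain": "https://my-app.domain.com",   # scheme is not allowed
    "keepUsersLoggedInFor": "1d",                       # only s, m or h
    "whitelistSourceRanges": ["192.168.42.1/24", "300.1.1.1/40"],
}

if __name__ == "__main__":
    print("good spec:", validate_spec(GOOD_SPEC) or "ok")
    for problem in validate_spec(BAD_SPEC):
        print("bad spec:", problem)
    print(effective_groups(GOOD_SPEC["allowedGroups"], ["developers", "qa"]))
```

Run it before applying a manifest: the second spec is rejected for a missing ingress class, a scheme in the domain, a day suffix, a CIDR with host bits set and an octet above 255, none of which the regex alone would have caught for the last two.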


DexClient

Scope: Namespaced

Allows applications that support OIDC authentication to interact with dex.

  • spec (object)

    Required value.

    • allowedGroups (array of strings)

      A list of groups whose members are allowed to connect to the client. By default, all groups can connect.

    • redirectURIs (array of strings)

      A list of URLs that dex can redirect to after successful authentication.

    • trustedPeers (array of strings)

      OAuth2 client IDs that are trusted to perform cross-client authentication with the current client.


DexProvider

Scope: Cluster

Defines the configuration for connecting a third-party provider. With it, you can flexibly configure the integration of the account directory with Kubernetes.

  • spec (object)

    Required value.

    • bitbucketCloud (object)

      Parameters of the Bitbucket Cloud (intended for the type: BitbucketCloud).

      • clientID (string)

        Team application ID from BitbucketCloud (Key).

        Required value.

      • clientSecret (string)

        Team application secret key from BitbucketCloud.

        Required value.

      • includeTeamGroups (boolean)

        Optional parameter to include team groups.

        If enabled, the groups claim of the dex id_token will look like this:

        ["my_team", "my_team/administrators", "my_team/members"]
        

        Default: false

      • teams (array of strings)

        A list of allowed Bitbucket Cloud teams. The user token will contain the intersection of the user's Bitbucket Cloud teams and the teams from this list. If the intersection is empty, the authorization is considered unsuccessful.

        The user token carries the user's teams in the groups claim (similar to other providers).

    • crowd (object)

      Parameters of the Crowd (intended for the type: Crowd).

      • baseURL (string)

        Base part of the Atlassian Crowd URL.

        Example: "https://crowd.example.com/crowd"

        Required value.

      • clientID (string)

        Application ID from Atlassian Crowd (Application Name).

        Required value.

      • clientSecret (string)

        Application secret key from Atlassian Crowd (Password).

        Required value.

      • enableBasicAuth (boolean)

        Enables HTTP basic authentication to the Kubernetes API server.

        The username and password of a user from the application created in Crowd are used as credentials for basic authentication (this can be enabled only if there is exactly one provider of the Crowd type). Works only if publishAPI is enabled.

        Authorization and group data obtained from Crowd are cached for 10 seconds.

      • groups (array of strings)

        A list of allowed Crowd groups. The user token will contain the intersection of the user's Crowd groups and the groups from this list. If the intersection is empty, the authorization is considered unsuccessful.

        The user token will contain all of the user's Crowd groups if the parameter is not set.

      • usernamePrompt (string)

        Prompt for username field.

        Default: "Crowd username"

    • displayName (string)

      The provider name to show on the authentication provider selection page. The selection page will not be displayed if there is only one provider configured.

      Required value.

    • github (object)

      Parameters of the GitHub provider (intended for the type: Github case only).

      • clientID (string)

        Organization application ID from GitHub.

        Required value.

      • clientSecret (string)

        Organization application secret key from GitHub.

        Required value.

      • orgs (array of objects)

        Filter for user organizations. The ID token will contain only organizations from this list. If the user is not in any organization from this list, authorization fails.

        By default, all organizations are allowed.

        • name (string)

          Name of organization.

          Required value.

        • teams (array of strings)

          A list of allowed GitHub teams. The user token will contain the intersection of the user's GitHub teams and the teams from this list. If the intersection is empty, the authorization is considered unsuccessful.

          The user token will contain all of the user's GitHub teams if the parameter is not set.

      • teamNameField (string)

        Which field of a GitHub team is used to build the group claim. As an example, group claims for a member of ‘Site Reliability Engineers’ in the Acme organization would yield:

        • [‘acme:Site Reliability Engineers’] for ‘Name’
        • [‘acme:site-reliability-engineers’] for ‘Slug’
        • [‘acme:Site Reliability Engineers’, ‘acme:site-reliability-engineers’] for ‘Both’

        ‘Name’ is used by default.

        Default: "Name"

        Allowed values: Name, Slug, Both

      • useLoginAsID (boolean)

        Flag to switch from the internal GitHub id to the user's handle (@mention) as the user id. A user can change their own user name, but it is rare for them to do so.

        Default: false

    • gitlab (object)

      Parameters of the GitLab provider (intended for the type: Gitlab case only).

      • baseURL (string)

        Base part of GitLab URL.

        Example: "https://gitlab.example.com"

      • clientID (string)

        Application ID from GitLab.

        Required value.

      • clientSecret (string)

        Application secret key from GitLab.

        Required value.

      • groups (array of strings)

        A list of allowed GitLab groups (group paths, not names). The user token will contain the intersection of the user's GitLab groups and the groups from this list. If the intersection is empty, the authorization is considered unsuccessful.

        The user token will contain all of the user's GitLab groups if the parameter is not set.

      • useLoginAsID (boolean)

        Flag to switch from the internal GitLab id to the user's handle (@mention) as the user id. A user can change their own user name, but it is rare for them to do so.

        Default: false

    • ldap (object)

      Parameters of the LDAP.

      • bindDN (string)

        The DN for an application service account. The connector uses these credentials to search for users and groups. Not required if the LDAP server provides access for anonymous auth.

        Example: "uid=serviceaccount,cn=users,dc=example,dc=com"

      • bindPW (string)

        Password for the read-only service account. Note that if the bind password contains a $, it has to be saved in an environment variable whose name is then given as the value of bindPW.

        Example: "password"

      • groupSearch (object)

        Group search: queries for the groups of a given user entry.

        • baseDN (string)

          BaseDN to start the search from.

          Example: "cn=users,dc=example,dc=com"

          Required value.

        • filter (string)

          Optional filter to apply when searching the directory.

          Example: "(objectClass=person)"

        • nameAttr (string)

          Represents group name.

          Example: "name"

          Required value.

        • userMatchers (array of objects)

          The following list contains field pairs used to match a user to a group. Each pair adds a requirement to the filter: the given attribute of the group must equal the given attribute of the user.

          Required value.

          • groupAttr (string)

            The name of the attribute that stores the group member names.

            Example: "member"

            Required value.

          • userAttr (string)

            The name of the attribute that stores the user name.

            Example: "uid"

            Required value.

      • host (string)

        Host and optional port of the LDAP server in the form “host:port”. If the port is not supplied, it is guessed from the insecureNoSSL and startTLS flags: 389 for insecure or StartTLS connections, 636 otherwise.

        Example: "ldap.example.com:636"

        Required value.

      • insecureNoSSL (boolean)

        Required if the LDAP host is not using TLS (port 389). This option inherently leaks passwords to anyone on the same network as dex.

        Default: false

      • insecureSkipVerify (boolean)

        Disables verification of the LDAP server's TLS certificate; intended for cases where the custom CA certificate (rootCAData) has not been provided yet. As noted, it is insecure and should not be used outside of exploratory phases.

        Default: false

      • rootCAData (string)

        A root CA certificate (PEM) provided inline, used to verify the LDAP server's certificate.

        Example:

        -----BEGIN CERTIFICATE-----
        MIIFaDC...
        -----END CERTIFICATE-----
        
      • startTLS (boolean)

        When connecting to the server, connect using the ldap:// protocol and then issue a StartTLS command. If unspecified, connections use the ldaps:// protocol.

        Default: false

      • userSearch (object)

        User search maps a username and password entered by a user to an LDAP entry.

        Required value.

        • baseDN (string)

          BaseDN to start the search from.

          Example: "cn=users,dc=example,dc=com"

          Required value.

        • emailAttr (string)

          LDAP attribute that will be matched to dex user email entry. When an email address is not available, use another value unique to the user, like uid.

          Example: "mail"

          Required value.

        • filter (string)

          Optional filter to apply when searching the directory.

          Example: "(objectClass=person)"

        • idAttr (string)

          LDAP attribute that will be matched to dex user id entry.

          Example: "uid"

          Required value.

        • nameAttr (string)

          LDAP attribute that will be matched to dex user name entry. No default value provided.

          Example: "name"

        • username (string)

          Username attribute used for comparing user entries. It is combined with the filter as (<username attribute>=<entered username>), for example (uid=jdoe) when the attribute is uid.

          Example: "uid"

          Required value.

      • usernamePrompt (string)

        The label displayed for the username field on the login form. If unset, “LDAP Username” is displayed.

        Default: "LDAP username"

        Example: "SSO Username"

    • oidc (object)

      Parameters of the OIDC (intended for the type: OIDC).

      • basicAuthUnsupported (boolean)

        Send client credentials in the body of POST requests to the provider instead of in the HTTP Basic Authorization header. Dex generally determines the right method automatically; enable this parameter if the provider rejects basic auth.

        Default: false

      • clientID (string)

        OIDC issuer application ID.

        Required value.

      • clientSecret (string)

        OIDC issuer application secret key.

        Required value.

      • getUserInfo (boolean)

        Request additional information about the authenticated user from the provider's UserInfo endpoint.

        Default: false

      • insecureSkipEmailVerified (boolean)

        Allow authentication for users whose email address is not marked as verified by the issuer.

        Default: false

      • issuer (string)

        Canonical URL of the provider, also used for configuration discovery. This value MUST match the value returned in the provider config discovery.

        Example: "https://accounts.google.com"

        Required value.

      • promptType (string)

        Determines whether the issuer should ask for confirmation and provide hints during the authentication process.

        By default, confirmation is requested on the first authentication. Possible values vary depending on the issuer.

        Default: "consent"

      • scopes (array of strings)

        List of additional scopes to request from the provider.

        Default: ["openid","profile","email","groups","offline_access"]

      • userIDKey (string)

        The claim to use as the user id.

        Default: "sub"

      • userNameKey (string)

        The claim to use as the user name.

        Default: "name"

    • type (string)

      Type of authentication provider.

      Allowed values: Github, Gitlab, BitbucketCloud, Crowd, OIDC, LDAP

      Required value.

Defines the configuration for connecting a third-party provider. With it, you can flexibly configure the integration of the account directory with Kubernetes.

  • spec (object)

    Required value.

    • bitbucketCloud (object)

      Parameters of the Bitbucket Cloud (intended for the type: BitbucketCloud).

      • clientID (string)

        Team application ID from BitbucketCloud (Key).

        Required value.

      • clientSecret (string)

        Team application secret key from BitbucketCloud.

        Required value.

      • includeTeamGroups (boolean)

        Optional parameter to include team groups.

        If enabled, the groups claim of the dex id_token will look like this:

        ["my_team", "my_team/administrators", "my_team/members"]
        

        Default: false

      • teams (array of strings)

        A list of allowed Bitbucket Cloud teams. The user token will contain the intersection of the user's Bitbucket Cloud teams and the teams from this list. If the intersection is empty, the authorization is considered unsuccessful.

        The user token carries the user's teams in the groups claim (similar to other providers).

    • crowd (object)

      Parameters of the Crowd (intended for the type: Crowd).

      • baseURL (string)

        Base part of the Atlassian Crowd URL.

        Example: "https://crowd.example.com/crowd"

        Required value.

      • clientID (string)

        Application ID from Atlassian Crowd (Application Name).

        Required value.

      • clientSecret (string)

        Application secret key from Atlassian Crowd (Password).

        Required value.

      • enableBasicAuth (boolean)

        Enables HTTP basic authentication to the Kubernetes API server.

        The username and password of a user from the application created in Crowd are used as credentials for basic authentication (this can be enabled only if there is exactly one provider of the Crowd type). Works only if publishAPI is enabled.

        Authorization and group data obtained from Crowd are cached for 10 seconds.

      • groups (array of strings)

        A list of allowed Crowd groups. The user token will contain the intersection of the user's Crowd groups and the groups from this list. If the intersection is empty, the authorization is considered unsuccessful.

        The user token will contain all of the user's Crowd groups if the parameter is not set.

      • usernamePrompt (string)

        Prompt for username field.

        Default: "Crowd username"

    • displayName (string)

      The provider name to show on the authentication provider selection page. The selection page will not be displayed if there is only one provider configured.

      Required value.

    • github (object)

      Parameters of the GitHub provider (intended for the type: Github case only).

      • clientID (string)

        Organization application ID from GitHub.

        Required value.

      • clientSecret (string)

        Organization application secret key from GitHub.

        Required value.

      • orgs (array of objects)

        Filter for user organizations. The ID token will contain only organizations from this list. If the user is not in any organization from this list, authorization fails.

        By default, all organizations are allowed.

        • name (string)

          Name of organization.

          Required value.

        • teams (array of strings)

          A list of allowed GitHub teams. The user token will contain the intersection of the user's GitHub teams and the teams from this list. If the intersection is empty, the authorization is considered unsuccessful.

          The user token will contain all of the user's GitHub teams if the parameter is not set.

      • teamNameField (string)

        Which field of a GitHub team is used to build the group claim. As an example, group claims for a member of ‘Site Reliability Engineers’ in the Acme organization would yield:

        • [‘acme:Site Reliability Engineers’] for ‘name’
        • [‘acme:site-reliability-engineers’] for ‘slug’
        • [‘acme:Site Reliability Engineers’, ‘acme:site-reliability-engineers’] for ‘both’

        ‘name’ is used by default.

        Default: "name"

        Allowed values: name, slug, both

      • useLoginAsID (boolean)

        Flag to switch from the internal GitHub id to the user's handle (@mention) as the user id. A user can change their own user name, but it is rare for them to do so.

        Default: false

    • gitlab (object)

      Parameters of the GitLab provider (intended for the type: Gitlab case only).

      • baseURL (string)

        Base part of GitLab URL.

        Example: "https://gitlab.example.com"

      • clientID (string)

        Application ID from GitLab.

        Required value.

      • clientSecret (string)

        Application secret key from GitLab.

        Required value.

      • groups (array of strings)

        A list of allowed GitLab groups (group paths, not names). The user token will contain the intersection of the user's GitLab groups and the groups from this list. If the intersection is empty, the authorization is considered unsuccessful.

        The user token will contain all of the user's GitLab groups if the parameter is not set.

      • useLoginAsID (boolean)

        Flag to switch from the internal GitLab id to the user's handle (@mention) as the user id. A user can change their own user name, but it is rare for them to do so.

        Default: false

    • ldap (object)

      Parameters of the LDAP.

      • bindDN (string)

        The DN for an application service account. The connector uses these credentials to search for users and groups. Not required if the LDAP server provides access for anonymous auth.

        Example: "uid=serviceaccount,cn=users,dc=example,dc=com"

      • bindPW (string)

        Password for the read-only service account. Note that if the bind password contains a $, it has to be saved in an environment variable whose name is then given as the value of bindPW.

        Example: "password"

      • groupSearch (object)

        Group search: queries for the groups of a given user entry.

        • baseDN (string)

          BaseDN to start the search from.

          Example: "cn=users,dc=example,dc=com"

          Required value.

        • filter (string)

          Optional filter to apply when searching the directory.

          Example: "(objectClass=person)"

        • nameAttr (string)

          Represents group name.

          Example: "name"

          Required value.

        • userMatchers (array of objects)

          The following list contains field pairs used to match a user to a group. Each pair adds a requirement to the filter: the given attribute of the group must equal the given attribute of the user.

          Required value.

          • groupAttr (string)

            The name of the attribute that stores the group member names.

            Example: "member"

            Required value.

          • userAttr (string)

            The name of the attribute that stores the user name.

            Example: "uid"

            Required value.

      • host (string)

        Host and optional port of the LDAP server in the form “host:port”. If the port is not supplied, it is guessed from the insecureNoSSL and startTLS flags: 389 for insecure or StartTLS connections, 636 otherwise.

        Example: "ldap.example.com:636"

        Required value.

      • insecureNoSSL (boolean)

        Required if the LDAP host is not using TLS (port 389). This option inherently leaks passwords to anyone on the same network as dex.

        Default: false

      • insecureSkipVerify (boolean)

        Disables verification of the LDAP server's TLS certificate; intended for cases where the custom CA certificate (rootCAData) has not been provided yet. As noted, it is insecure and should not be used outside of exploratory phases.

        Default: false

      • rootCAData (string)

        A root CA certificate (PEM) provided inline, used to verify the LDAP server's certificate.

        Example:

        -----BEGIN CERTIFICATE-----
        MIIFaDC...
        -----END CERTIFICATE-----
        
      • startTLS (boolean)

        When connecting to the server, connect using the ldap:// protocol and then issue a StartTLS command. If unspecified, connections use the ldaps:// protocol.

        Default: false

      • userSearch (object)

        User search maps a username and password entered by a user to an LDAP entry.

        Required value.

        • baseDN (string)

          BaseDN to start the search from.

          Example: "cn=users,dc=example,dc=com"

          Required value.

        • emailAttr (string)

          LDAP attribute that will be matched to dex user email entry. When an email address is not available, use another value unique to the user, like uid.

          Example: "mail"

          Required value.

        • filter (string)

          Optional filter to apply when searching the directory.

          Example: "(objectClass=person)"

        • idAttr (string)

          LDAP attribute that will be matched to dex user id entry.

          Example: "uid"

          Required value.

        • nameAttr (string)

          LDAP attribute that will be matched to dex user name entry. No default value provided.

          Example: "name"

        • username (string)

          Username attribute used for comparing user entries. It is combined with the filter as (<username attribute>=<entered username>), for example (uid=jdoe) when the attribute is uid.

          Example: "uid"

          Required value.

      • usernamePrompt (string)

        The label displayed for the username field on the login form. If unset, “LDAP Username” is displayed.

        Default: "LDAP username"

        Example: "SSO Username"

    • oidc (object)

      Parameters of the OIDC (intended for the type: OIDC).

      • basicAuthUnsupported (boolean)

        Send client credentials in the body of POST requests to the provider instead of in the HTTP Basic Authorization header. Dex generally determines the right method automatically; enable this parameter if the provider rejects basic auth.

        Default: false

      • clientID (string)

        OIDC issuer application ID.

        Required value.

      • clientSecret (string)

        OIDC issuer application secret key.

        Required value.

      • getUserInfo (boolean)

        Request additional information about the authenticated user from the provider's UserInfo endpoint.

        Default: false

      • insecureSkipEmailVerified (boolean)

        Allow authentication for users whose email address is not marked as verified by the issuer.

        Default: false

      • issuer (string)

        Canonical URL of the provider, also used for configuration discovery. This value MUST match the value returned in the provider config discovery.

        Example: "https://accounts.google.com"

        Required value.

      • promptType (string)

        Determines whether the issuer should ask for confirmation and provide hints during the authentication process.

        By default, confirmation is requested on the first authentication. Possible values vary depending on the issuer.

        Default: "consent"

      • scopes (array of strings)

        List of additional scopes to request from the provider.

        Default: ["openid","profile","email","groups","offline_access"]

      • userIDKey (string)

        The claim to use as the user id.

        Default: "sub"

      • userNameKey (string)

        The claim to use as the user name.

        Default: "name"

    • type (string)

      Type of authentication provider.

      Allowed values: Github, Gitlab, BitbucketCloud, Crowd, OIDC, LDAP

      Required value.
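Review checks for a DexProvider spec, as an added example that is neither Deckhouse nor dex code; it serves both copies of the DexProvider reference above. ldap_transport() derives the effective scheme and port from host, insecureNoSSL and startTLS the way the host field documents the port guess, and flags the settings that weaken transport security (one warning relies on an assumption about the upstream dex LDAP connector, marked in the code); ldap_user_filter() shows the filter that userSearch.filter and userSearch.username are combined into, with the entered login escaped so it cannot widen the search; github_group_claims() builds the groups claim for each teamNameField value. The sample specs are constructed; host names and DNs are placeholders.

```python
"""Added example (not Deckhouse or dex code): review checks for a DexProvider
spec of type LDAP or Github, using only the fields documented above."""


def ldap_transport(ldap: dict) -> dict:
    """Return scheme, host, port, whether StartTLS is used, and warnings."""
    insecure = bool(ldap.get("insecureNoSSL", False))
    starttls = bool(ldap.get("startTLS", False))
    hostname, _, port_str = ldap["host"].partition(":")
    # Documented port guess: 389 for insecure or StartTLS connections, 636 otherwise.
    port = int(port_str) if port_str else (389 if (insecure or starttls) else 636)
    scheme = "ldap" if (insecure or starttls) else "ldaps"
    warnings = []
    if insecure:
        warnings.append("insecureNoSSL=true: the bind password and user passwords "
                        "cross the network in cleartext")
        if starttls:
            # Assumption about the upstream dex LDAP connector, not stated on
            # this page: insecureNoSSL is checked first, so StartTLS never runs.
            warnings.append("insecureNoSSL and startTLS both set: StartTLS is "
                            "not negotiated, the connection stays in cleartext")
    if ldap.get("insecureSkipVerify"):
        warnings.append("insecureSkipVerify=true: the server certificate is not "
                        "verified, so the LDAP server can be impersonated")
    return {"scheme": scheme, "host": hostname, "port": port,
            "startTLS": starttls and not insecure, "warnings": warnings}


def ldap_user_filter(user_search: dict, login: str) -> str:
    """Filter sent for a login attempt: userSearch.filter ANDed with
    (<username attribute>=<entered login>). The login is escaped as RFC 4515
    requires so a value such as '*' or 'x)(uid=admin' cannot widen the search;
    the escaping here is this example's own implementation."""
    special = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}
    escaped = "".join(special.get(ch, ch) for ch in login)
    match = f"({user_search['username']}={escaped})"
    extra = user_search.get("filter")
    return f"(&{extra}{match})" if extra else match


def github_group_claims(org: str, team_name: str, team_slug: str,
                        team_name_field: str = "Name") -> list:
    """groups claim entries for one team membership, per teamNameField."""
    field = team_name_field.lower()   # both spellings on this page are accepted
    if field == "name":
        return [f"{org}:{team_name}"]
    if field == "slug":
        return [f"{org}:{team_slug}"]
    if field == "both":
        return [f"{org}:{team_name}", f"{org}:{team_slug}"]
    raise ValueError(f"teamNameField must be Name, Slug or Both, got {team_name_field!r}")


# Constructed sample specs; host names and DNs are placeholders.
LDAP_WEAK = {"host": "ldap.example.com", "insecureNoSSL": True, "startTLS": True,
             "insecureSkipVerify": True}
LDAP_HARDENED = {"host": "ldap.example.com:636",
                 "rootCAData": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"}
USER_SEARCH = {"baseDN": "cn=users,dc=example,dc=com", "filter": "(objectClass=person)",
               "username": "uid", "idAttr": "uid", "emailAttr": "mail"}

if __name__ == "__main__":
    for name, spec in (("weak", LDAP_WEAK), ("hardened", LDAP_HARDENED)):
        result = ldap_transport(spec)
        print(name, f"{result['scheme']}://{result['host']}:{result['port']}")
        for warning in result["warnings"]:
            print("  -", warning)
    print(ldap_user_filter(USER_SEARCH, "jdoe"))
    print(ldap_user_filter(USER_SEARCH, "*)(uid=admin"))
    print(github_group_claims("acme", "Site Reliability Engineers",
                              "site-reliability-engineers", "Both"))
```

The weak spec resolves to ldap://ldap.example.com:389 with three warnings; the hardened one to ldaps://ldap.example.com:636 with none. The second filter call shows why the escaping matters: without it the entered login would turn into (uid=*)(uid=admin) and match far more than one entry.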

User

Scope: Cluster

Contains information about the static user.

  • spec (object)

    Required value.

    • email (string)

      User E-mail.

      Caution! If used together with the user-authz module, you must use this email as the user name in the ClusterAuthorizationRule CR to grant rights to this specific user.

      Example: "user@domain.com"

      Required value.

    • groups (array of strings)

      Static user groups.

    • password (string)

      Hashed user password.

      You can use the following command to hash the user password: echo "$password" | htpasswd -inBC 10 "" | tr -d ':\n' | sed 's/$2y/$2a/'. Any other tool that produces a bcrypt hash with the $2a prefix can be used as well.

      Example: "$2a$10$F9ey7zW.sVliT224RFxpWeMsgzO.D9YRG54a8T36/K2MCiT41nzmC"

      Required value.

    • ttl (string)

      Static user TTL.

      • It is specified as a string containing the time unit: 30m, 1h, 24h. Either in minutes or hours.
      • You can only set the TTL once. The expireAt date will not be updated if you change it again.

      Pattern: ^\d+(?:m|h)$

      Example: "24h"

    • userID (string)

      Unique issuer user ID. Defaults to .metadata.name.

      Example: "08a8684b-db88-4b73-90a9-3cd1661f5466"
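Checks for the values placed in a User spec, as an added example that is not Deckhouse code. The documented htpasswd pipeline emits a bcrypt hash and rewrites its $2y prefix to $2a; normalize_password_hash() applies the same rewrite and rejects anything that is not a bcrypt hash of at least the documented cost, so a plaintext password or an MD5 htpasswd entry pasted by mistake is caught before it reaches the cluster. ttl_seconds() and expire_at_iso() apply the documented ttl pattern. The hash used as input is the one shown in the field reference above; the timestamps are constructed.

```python
"""Added example (not Deckhouse code): checks for spec.password and spec.ttl of
a User resource, based only on the field reference above."""
from datetime import datetime, timedelta
import re

BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
TTL_RE = re.compile(r"^(\d+)(m|h)$")   # documented pattern ^\d+(?:m|h)$


def is_bcrypt_hash(value: str) -> bool:
    return BCRYPT_RE.match(value.strip()) is not None


def normalize_password_hash(value: str, min_cost: int = 10) -> str:
    """Return the value as it should appear in spec.password, or raise ValueError."""
    value = value.strip()
    m = BCRYPT_RE.match(value)
    if not m:
        raise ValueError("spec.password must be a bcrypt hash ($2a$<cost>$...), "
                         "not a plaintext password or another htpasswd format")
    if int(m.group(1)) < min_cost:
        raise ValueError(f"bcrypt cost {m.group(1)} is below {min_cost}; "
                         "the documented command uses -C 10")
    return "$2a" + value[3:]          # same rewrite as the sed 's/$2y/$2a/' step


def ttl_seconds(ttl: str) -> int:
    m = TTL_RE.match(ttl)
    if not m:
        raise ValueError(f"ttl {ttl!r} must be a number followed by m or h")
    n, unit = int(m.group(1)), m.group(2)
    return n * (60 if unit == "m" else 3600)


def expire_at_iso(created_iso: str, ttl: str) -> str:
    """expireAt = creation time + ttl. Only the first ttl value counts: a later
    change of spec.ttl does not move expireAt, so do not recompute this on update."""
    created = datetime.fromisoformat(created_iso)
    return (created + timedelta(seconds=ttl_seconds(ttl))).isoformat()


# The hash shown in the field reference above; used here as a known-good input.
PAGE_HASH = "$2a$10$F9ey7zW.sVliT224RFxpWeMsgzO.D9YRG54a8T36/K2MCiT41nzmC"

if __name__ == "__main__":
    print(normalize_password_hash("$2y" + PAGE_HASH[3:]))
    for bad in ("hunter2", "$apr1$abcdefgh$0123456789abcdefghijkl"):
        print(bad, "->", "bcrypt" if is_bcrypt_hash(bad) else "rejected")
    print(expire_at_iso("2024-01-01T00:00:00+00:00", "24h"))
```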
