@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
33kind : CustomResourceDefinition
44metadata :
55 annotations :
6- controller-gen.kubebuilder.io/version : v0.15 .0
6+ controller-gen.kubebuilder.io/version : v0.18 .0
77 name : mongodb.mongodb.com
88spec :
99 group : mongodb.com
@@ -1423,9 +1423,7 @@ spec:
14231423 This field is effectively required, but due to backwards compatibility is
14241424 allowed to be empty. Instances of this type with an empty value here are
14251425 almost certainly wrong.
1426- TODO: Add other useful fields. apiVersion, kind, uid?
14271426 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
1428- TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
14291427 type : string
14301428 optional :
14311429 description : Specify whether the Secret or its key
@@ -1482,9 +1480,7 @@ spec:
14821480 This field is effectively required, but due to backwards compatibility is
14831481 allowed to be empty. Instances of this type with an empty value here are
14841482 almost certainly wrong.
1485- TODO: Add other useful fields. apiVersion, kind, uid?
14861483 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
1487- TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
14881484 type : string
14891485 optional :
14901486 description : Specify whether the ConfigMap or its
@@ -1521,8 +1517,83 @@ spec:
15211517 - MONGODB-CR
15221518 - SCRAM-SHA-256
15231519 - LDAP
1520+ - OIDC
15241521 type : string
15251522 type : array
1523+ oidcProviderConfigs :
1524+ description : Configuration for OIDC providers
1525+ items :
1526+ properties :
1527+ audience :
1528+ description : |-
1529+ Entity that your external identity provider intends the token for.
1530+ Enter the audience value from the app you registered with external Identity Provider.
1531+ type : string
1532+ authorizationMethod :
1533+ description : |-
1534+ Configure single-sign-on for human user access to deployments with Workforce Identity Federation.
1535+ For programmatic, application access to deployments use Workload Identity Federation.
1536+ Only one Workforce Identity Federation IdP can be configured per MongoDB resource
1537+ enum :
1538+ - WorkforceIdentityFederation
1539+ - WorkloadIdentityFederation
1540+ type : string
1541+ authorizationType :
1542+ description : |-
1543+ Select GroupMembership to grant authorization based on IdP user group membership, or select UserID to grant
1544+ an individual user authorization.
1545+ enum :
1546+ - GroupMembership
1547+ - UserID
1548+ type : string
1549+ clientId :
1550+ description : |-
1551+ Unique identifier for your registered application. Enter the clientId value from the app you
1552+ registered with an external Identity Provider.
1553+ Required when selected Workforce Identity Federation authorization method
1554+ type : string
1555+ configurationName :
1556+ description : |-
1557+ Unique label that identifies this configuration. It is case-sensitive and can only contain the following characters:
1558+ - alphanumeric characters (combination of a to z and 0 to 9)
1559+ - hyphens (-)
1560+ - underscores (_)
1561+ pattern : ^[a-zA-Z0-9-_]+$
1562+ type : string
1563+ groupsClaim :
1564+ description : |-
1565+ The identifier of the claim that includes the principal's IdP user group membership information.
1566+ Required when selected GroupMembership as the authorization type, ignored otherwise
1567+ type : string
1568+ issuerURI :
1569+ description : |-
1570+ Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Connect Provider
1571+ Configuration Document, which should be available in the /.wellknown/open-id-configuration endpoint.
1572+ For MongoDB 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
1573+ For other MongoDB versions, the issuerURI itself must be unique.
1574+ type : string
1575+ requestedScopes :
1576+ description : |-
1577+ Tokens that give users permission to request data from the authorization endpoint.
1578+ Only used for Workforce Identity Federation authorization method
1579+ items :
1580+ type : string
1581+ type : array
1582+ userClaim :
1583+ default : sub
1584+ description : |-
1585+ The identifier of the claim that includes the user principal identity.
1586+ Accept the default value unless your IdP uses a different claim.
1587+ type : string
1588+ required :
1589+ - audience
1590+ - authorizationMethod
1591+ - authorizationType
1592+ - configurationName
1593+ - issuerURI
1594+ - userClaim
1595+ type : object
1596+ type : array
15261597 requireClientTLSAuthentication :
15271598 description : Clients should present valid TLS certificates
15281599 type : boolean
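Review bot: The descriptions of the new `oidcProviderConfigs` items state constraints that the schema does not enforce — at most one `WorkforceIdentityFederation` provider per resource, `clientId` required for that method, `groupsClaim` required for `GroupMembership`, and unique `configurationName`/`issuerURI` — so an invalid list is admitted by the API server and only fails later in the controller or mongod, where the error is harder to attribute. Since this CRD already carries CEL rules (see the `x-kubernetes-validations` added for `roles`/`roleRefs` further down), the item-level and list-level checks below can express all but the version-dependent `issuerURI` uniqueness, which likely has to stay in the controller; as this file appears to be controller-gen output (per the version annotation in the first hunk), the rules belong on the Go type as `+kubebuilder:validation:XValidation` and `+listType=map`/`+listMapKey=configurationName` markers rather than being hand-edited here. Two smaller points in the same hunk: the `issuerURI` description names the discovery endpoint as `/.wellknown/open-id-configuration`, whereas the OpenID Connect Discovery path is `/.well-known/openid-configuration`, and the `configurationName` pattern `^[a-zA-Z0-9-_]+$` relies on the hyphen between `9` and `_` being read literally — `^[a-zA-Z0-9_-]+$` says the same thing unambiguously.
```yaml
oidcProviderConfigs:
  description: Configuration for OIDC providers
  items:
    properties:
      # … unchanged: audience … userClaim …
    required:
      # … unchanged: required list …
    type: object
    x-kubernetes-validations:
      - message: clientId is required when authorizationMethod is WorkforceIdentityFederation
        rule: self.authorizationMethod != 'WorkforceIdentityFederation' || has(self.clientId)
      - message: groupsClaim is required when authorizationType is GroupMembership
        rule: self.authorizationType != 'GroupMembership' || has(self.groupsClaim)
  type: array
  x-kubernetes-list-map-keys:
    - configurationName
  x-kubernetes-list-type: map
  x-kubernetes-validations:
    - message: At most one OIDC provider may use WorkforceIdentityFederation
      rule: self.filter(c, c.authorizationMethod == 'WorkforceIdentityFederation').size() <= 1
```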
@@ -1531,6 +1602,20 @@ spec:
15311602 type : object
15321603 certsSecretPrefix :
15331604 type : string
1605+ roleRefs :
1606+ items :
1607+ properties :
1608+ kind :
1609+ enum :
1610+ - ClusterMongoDBRole
1611+ type : string
1612+ name :
1613+ type : string
1614+ required :
1615+ - kind
1616+ - name
1617+ type : object
1618+ type : array
15341619 roles :
15351620 items :
15361621 properties :
@@ -1610,6 +1695,10 @@ spec:
16101695 type : boolean
16111696 type : object
16121697 type : object
1698+ x-kubernetes-validations :
1699+ - message : At most one of roles or roleRefs can be non-empty
1700+ rule : ' !(has(self.roles) && has(self.roleRefs)) || !(self.roles.size()
1701+ > 0 && self.roleRefs.size() > 0)'
16131702 service :
16141703 description : |-
16151704 DEPRECATED please use `spec.statefulSet.spec.serviceName` to provide a custom service name.