
Commit b31f5ca

bkhizgiycursoragent
andcommitted
feat: add Secret/ConfigMap references for JWT CA certificates
Signed-off-by: Bella Khizgiyaev <bkhizgiy@redhat.com> Assisted-by: Claude Sonnet 4.6 <claude@anthropic.com> Co-authored-by: Cursor <cursoragent@cursor.com>
1 parent c141332 commit b31f5ca

8 files changed

Lines changed: 1175 additions & 41 deletions

File tree

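--- a/controller/deploy/operator/api/v1alpha1/jumpstarter_types.go
+++ b/controller/deploy/operator/api/v1alpha1/jumpstarter_types.go
@@ -360,13 +360,76 @@ type AuthenticationConfig struct {
 // JWT authentication configuration.
 // Enables authentication using external JWT tokens from OIDC providers.
 // Supports multiple JWT authenticators for different identity providers.
-JWT []apiserverv1beta1.JWTAuthenticator `json:"jwt,omitempty"`
+// Each entry may optionally reference a CA certificate from a Kubernetes
+// Secret or ConfigMap instead of inlining the PEM content.
+JWT []JWTAuthenticatorConfig `json:"jwt,omitempty"`
 
 // Automatic user provisioning configuration, this is useful for creating
 // users authenticated by external identity providers in Jumpstarter.
 AutoProvisioning AutoProvisioningConfig `json:"autoProvisioning,omitempty"`
 }
 
+// JWTAuthenticatorConfig extends the standard Kubernetes JWTAuthenticator with
+// support for referencing CA certificates from Kubernetes Secrets or ConfigMaps.
+// The operator resolves the reference at reconcile time and injects the PEM content
+// into the controller ConfigMap, so CA rotations are picked up automatically.
+type JWTAuthenticatorConfig struct {
+apiserverv1beta1.JWTAuthenticator `json:",inline"`
+
+// CertificateAuthoritySecret references a Kubernetes Secret containing the CA
+// certificate PEM for the OIDC issuer. The operator reads the specified key and
+// injects the PEM content as the certificateAuthority for this authenticator.
+// When the Secret changes, the operator reconciles and updates the ConfigMap.
+// Takes precedence over CertificateAuthorityConfigMap when both are set.
+// +optional
+CertificateAuthoritySecret *SecretKeySelector `json:"certificateAuthoritySecret,omitempty"`
+
+// CertificateAuthorityConfigMap references a Kubernetes ConfigMap containing the
+// CA certificate PEM for the OIDC issuer. The operator reads the specified key and
+// injects the PEM content as the certificateAuthority for this authenticator.
+// When the ConfigMap changes, the operator reconciles and updates the ConfigMap.
+// +optional
+CertificateAuthorityConfigMap *ConfigMapKeySelector `json:"certificateAuthorityConfigMap,omitempty"`
+}
+
+// SecretKeySelector references a key within a Kubernetes Secret.
+type SecretKeySelector struct {
+// Name of the Secret containing the CA certificate.
+// +kubebuilder:validation:Required
+// +kubebuilder:validation:MinLength=1
+Name string `json:"name"`
+
+// Namespace of the Secret. Defaults to the namespace of the Jumpstarter CR.
+// Cross-namespace references are allowed so that cluster-level CA secrets
+// (e.g. openshift-ingress-operator/router-ca) can be consumed directly.
+// +optional
+Namespace string `json:"namespace,omitempty"`
+
+// Key within the Secret that holds the PEM-encoded CA certificate.
+// +kubebuilder:validation:Required
+// +kubebuilder:validation:MinLength=1
+Key string `json:"key"`
+}
+
+// ConfigMapKeySelector references a key within a Kubernetes ConfigMap.
+type ConfigMapKeySelector struct {
+// Name of the ConfigMap containing the CA certificate.
+// +kubebuilder:validation:Required
+// +kubebuilder:validation:MinLength=1
+Name string `json:"name"`
+
+// Namespace of the ConfigMap. Defaults to the namespace of the Jumpstarter CR.
+// Cross-namespace references are allowed so that cluster-level CA ConfigMaps
+// (e.g. kube-root-ca.crt) can be consumed directly.
+// +optional
+Namespace string `json:"namespace,omitempty"`
+
+// Key within the ConfigMap that holds the PEM-encoded CA certificate.
+// +kubebuilder:validation:Required
+// +kubebuilder:validation:MinLength=1
+Key string `json:"key"`
+}
+
 // AutoProvisioningConfig defines auto provisioning configuration.
 type AutoProvisioningConfig struct {
 // Enable auto provisioning.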
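Review bot: The `Namespace` field on `SecretKeySelector` (and `ConfigMapKeySelector`) lets anyone who can write a Jumpstarter CR point the operator at any key of any Secret in any namespace and have those bytes copied into the controller ConfigMap — a confused-deputy read that bypasses the CR author's own RBAC, since nothing in this type constrains the referenced key to hold a certificate. Even if the operator is meant to carry cluster-wide Secret read, I would limit cross-namespace references to an operator-configured allow-list (or the CR's namespace plus well-known sources such as the `kube-root-ca.crt` ConfigMap) and have the reconciler reject content that does not parse as one or more `CERTIFICATE` PEM blocks before injecting it; the reconciler is outside this hunk, so I cannot tell whether such a check already exists. The two selectors are also only mutually exclusive by documented precedence; a CEL rule on `JWTAuthenticatorConfig` would enforce that at admission: `// +kubebuilder:validation:XValidation:rule="!(has(self.certificateAuthoritySecret) && has(self.certificateAuthorityConfigMap))",message="certificateAuthoritySecret and certificateAuthorityConfigMap are mutually exclusive"`. The doc comments should additionally state how these references interact with an inline `issuer.certificateAuthority` from the embedded `JWTAuthenticator` (which wins, or whether setting both is an error).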

controller/deploy/operator/api/v1alpha1/zz_generated.deepcopy.go

Lines changed: 57 additions & 2 deletions

controller/deploy/operator/config/crd/bases/operator.jumpstarter.dev_jumpstarters.yaml

Lines changed: 61 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -92,10 +92,69 @@ spec:
9292
JWT authentication configuration.
9393
Enables authentication using external JWT tokens from OIDC providers.
9494
Supports multiple JWT authenticators for different identity providers.
95+
Each entry may optionally reference a CA certificate from a Kubernetes
96+
Secret or ConfigMap instead of inlining the PEM content.
9597
items:
96-
description: JWTAuthenticator provides the configuration for
97-
a single JWT authenticator.
98+
description: |-
99+
JWTAuthenticatorConfig extends the standard Kubernetes JWTAuthenticator with
100+
support for referencing CA certificates from Kubernetes Secrets or ConfigMaps.
101+
The operator resolves the reference at reconcile time and injects the PEM content
102+
into the controller ConfigMap, so CA rotations are picked up automatically.
98103
properties:
104+
certificateAuthorityConfigMap:
105+
description: |-
106+
CertificateAuthorityConfigMap references a Kubernetes ConfigMap containing the
107+
CA certificate PEM for the OIDC issuer. The operator reads the specified key and
108+
injects the PEM content as the certificateAuthority for this authenticator.
109+
When the ConfigMap changes, the operator reconciles and updates the ConfigMap.
110+
properties:
111+
key:
112+
description: Key within the ConfigMap that holds the
113+
PEM-encoded CA certificate.
114+
minLength: 1
115+
type: string
116+
name:
117+
description: Name of the ConfigMap containing the CA
118+
certificate.
119+
minLength: 1
120+
type: string
121+
namespace:
122+
description: |-
123+
Namespace of the ConfigMap. Defaults to the namespace of the Jumpstarter CR.
124+
Cross-namespace references are allowed so that cluster-level CA ConfigMaps
125+
(e.g. kube-root-ca.crt) can be consumed directly.
126+
type: string
127+
required:
128+
- key
129+
- name
130+
type: object
131+
certificateAuthoritySecret:
132+
description: |-
133+
CertificateAuthoritySecret references a Kubernetes Secret containing the CA
134+
certificate PEM for the OIDC issuer. The operator reads the specified key and
135+
injects the PEM content as the certificateAuthority for this authenticator.
136+
When the Secret changes, the operator reconciles and updates the ConfigMap.
137+
Takes precedence over CertificateAuthorityConfigMap when both are set.
138+
properties:
139+
key:
140+
description: Key within the Secret that holds the PEM-encoded
141+
CA certificate.
142+
minLength: 1
143+
type: string
144+
name:
145+
description: Name of the Secret containing the CA certificate.
146+
minLength: 1
147+
type: string
148+
namespace:
149+
description: |-
150+
Namespace of the Secret. Defaults to the namespace of the Jumpstarter CR.
151+
Cross-namespace references are allowed so that cluster-level CA secrets
152+
(e.g. openshift-ingress-operator/router-ca) can be consumed directly.
153+
type: string
154+
required:
155+
- key
156+
- name
157+
type: object
99158
claimMappings:
100159
description: claimMappings points claims of a token to be
101160
treated as user attributes.
