@@ -360,13 +360,76 @@ type AuthenticationConfig struct {
360360 // JWT authentication configuration.
361361 // Enables authentication using external JWT tokens from OIDC providers.
362362 // Supports multiple JWT authenticators for different identity providers.
363- JWT []apiserverv1beta1.JWTAuthenticator `json:"jwt,omitempty"`
363+ // Each entry may optionally reference a CA certificate from a Kubernetes
364+ // Secret or ConfigMap instead of inlining the PEM content.
365+ JWT []JWTAuthenticatorConfig `json:"jwt,omitempty"`
364366
365367 // Automatic user provisioning configuration, this is useful for creating
366368 // users authenticated by external identity providers in Jumpstarter.
367369 AutoProvisioning AutoProvisioningConfig `json:"autoProvisioning,omitempty"`
368370}
369371
372+ // JWTAuthenticatorConfig extends the standard Kubernetes JWTAuthenticator with
373+ // support for referencing CA certificates from Kubernetes Secrets or ConfigMaps.
374+ // The operator resolves the reference at reconcile time and injects the PEM content
375+ // into the controller ConfigMap, so CA rotations are picked up automatically.
376+ type JWTAuthenticatorConfig struct {
377+ apiserverv1beta1.JWTAuthenticator `json:",inline"`
378+
379+ // CertificateAuthoritySecret references a Kubernetes Secret containing the CA
380+ // certificate PEM for the OIDC issuer. The operator reads the specified key and
381+ // injects the PEM content as the certificateAuthority for this authenticator.
382+ // When the Secret changes, the operator reconciles and updates the ConfigMap.
383+ // Takes precedence over CertificateAuthorityConfigMap when both are set.
384+ // +optional
385+ CertificateAuthoritySecret * SecretKeySelector `json:"certificateAuthoritySecret,omitempty"`
386+
387+ // CertificateAuthorityConfigMap references a Kubernetes ConfigMap containing the
388+ // CA certificate PEM for the OIDC issuer. The operator reads the specified key and
389+ // injects the PEM content as the certificateAuthority for this authenticator.
390+ // When the ConfigMap changes, the operator reconciles and updates the ConfigMap.
391+ // +optional
392+ CertificateAuthorityConfigMap * ConfigMapKeySelector `json:"certificateAuthorityConfigMap,omitempty"`
393+ }
394+
395+ // SecretKeySelector references a key within a Kubernetes Secret.
396+ type SecretKeySelector struct {
397+ // Name of the Secret containing the CA certificate.
398+ // +kubebuilder:validation:Required
399+ // +kubebuilder:validation:MinLength=1
400+ Name string `json:"name"`
401+
402+ // Namespace of the Secret. Defaults to the namespace of the Jumpstarter CR.
403+ // Cross-namespace references are allowed so that cluster-level CA secrets
404+ // (e.g. openshift-ingress-operator/router-ca) can be consumed directly.
405+ // +optional
406+ Namespace string `json:"namespace,omitempty"`
407+
408+ // Key within the Secret that holds the PEM-encoded CA certificate.
409+ // +kubebuilder:validation:Required
410+ // +kubebuilder:validation:MinLength=1
411+ Key string `json:"key"`
412+ }
413+
414+ // ConfigMapKeySelector references a key within a Kubernetes ConfigMap.
415+ type ConfigMapKeySelector struct {
416+ // Name of the ConfigMap containing the CA certificate.
417+ // +kubebuilder:validation:Required
418+ // +kubebuilder:validation:MinLength=1
419+ Name string `json:"name"`
420+
421+ // Namespace of the ConfigMap. Defaults to the namespace of the Jumpstarter CR.
422+ // Cross-namespace references are allowed so that cluster-level CA ConfigMaps
423+ // (e.g. kube-root-ca.crt) can be consumed directly.
424+ // +optional
425+ Namespace string `json:"namespace,omitempty"`
426+
427+ // Key within the ConfigMap that holds the PEM-encoded CA certificate.
428+ // +kubebuilder:validation:Required
429+ // +kubebuilder:validation:MinLength=1
430+ Key string `json:"key"`
431+ }
432+
370433// AutoProvisioningConfig defines auto provisioning configuration.
371434type AutoProvisioningConfig struct {
372435 // Enable auto provisioning.
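Review bot: The `Namespace` field on `SecretKeySelector` (the "Cross-namespace references are allowed" block at the `Namespace string` field) combined with a free-form `Key` makes the operator a confused deputy: a user who can write a Jumpstarter CR in their own namespace can point `certificateAuthoritySecret` at any Secret in any namespace with `key: tls.key`, and the operator — which needs cluster-wide Secret read for this feature to work at all — will copy that value into the controller ConfigMap, where it is readable by anyone with ConfigMap access in the CR's namespace. CA material does not need this: the public CA cases cited (`kube-root-ca.crt`, `router-ca`) can stay cross-namespace for ConfigMaps, while Secrets should either be restricted to the CR's namespace or require the target Secret to opt in (an annotation/label on it, or a ReferenceGrant-style object in the target namespace), with the doc comment saying so, e.g. `// Cross-namespace Secret references are honoured only if the target Secret opts in; see the operator docs.` Independently of that, the resolver (not in this hunk) should parse the fetched bytes with `encoding/pem`/`x509.ParseCertificate` and refuse to inject anything that is not a CERTIFICATE block, so a private key or token can never be written into the ConfigMap even by mistake. Since the type-level comment promises precedence when both selectors are set, a CEL rule on `JWTAuthenticatorConfig` such as `// +kubebuilder:validation:XValidation:rule="!(has(self.certificateAuthoritySecret) && has(self.certificateAuthorityConfigMap))",message="set at most one CA reference"` would reject the ambiguous configuration at admission instead of relying on silent precedence. The enclosing `AuthenticationConfig` struct opens before this hunk.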