Skip to content

Commit c17be38

Browse files
committed
feat: add Secret/ConfigMap references for JWT CA certificates
Signed-off-by: Bella Khizgiyaev <bkhizgiy@redhat.com> Assisted-by: Claude Sonnet 4.6 <claude@anthropic.com>
1 parent c6b0748 commit c17be38

9 files changed

Lines changed: 1195 additions & 43 deletions

File tree

controller/deploy/operator/api/v1alpha1/jumpstarter_types.go

Lines changed: 55 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -360,13 +360,67 @@ type AuthenticationConfig struct {
360360
// JWT authentication configuration.
361361
// Enables authentication using external JWT tokens from OIDC providers.
362362
// Supports multiple JWT authenticators for different identity providers.
363-
JWT []apiserverv1beta1.JWTAuthenticator `json:"jwt,omitempty"`
363+
// Each entry may optionally reference a CA certificate from a Kubernetes
364+
// Secret or ConfigMap instead of inlining the PEM content.
365+
JWT []JWTAuthenticatorConfig `json:"jwt,omitempty"`
364366

365367
// Automatic user provisioning configuration, this is useful for creating
366368
// users authenticated by external identity providers in Jumpstarter.
367369
AutoProvisioning AutoProvisioningConfig `json:"autoProvisioning,omitempty"`
368370
}
369371

372+
// JWTAuthenticatorConfig extends the standard Kubernetes JWTAuthenticator with
373+
// support for referencing CA certificates from Kubernetes Secrets or ConfigMaps.
374+
// The operator resolves the reference at reconcile time and injects the PEM content
375+
// into the controller ConfigMap, so CA rotations are picked up automatically.
376+
type JWTAuthenticatorConfig struct {
377+
apiserverv1beta1.JWTAuthenticator `json:",inline"`
378+
379+
// CertificateAuthoritySecret references a Kubernetes Secret containing the CA
380+
// certificate PEM for the OIDC issuer. The operator reads the specified key and
381+
// injects the PEM content as the certificateAuthority for this authenticator.
382+
// When the Secret changes, the operator reconciles and updates the ConfigMap.
383+
// Takes precedence over CertificateAuthorityConfigMap when both are set.
384+
// +optional
385+
CertificateAuthoritySecret *SecretKeySelector `json:"certificateAuthoritySecret,omitempty"`
386+
387+
// CertificateAuthorityConfigMap references a Kubernetes ConfigMap containing the
388+
// CA certificate PEM for the OIDC issuer. The operator reads the specified key and
389+
// injects the PEM content as the certificateAuthority for this authenticator.
390+
// When the ConfigMap changes, the operator reconciles and updates the ConfigMap.
391+
// +optional
392+
CertificateAuthorityConfigMap *ConfigMapKeySelector `json:"certificateAuthorityConfigMap,omitempty"`
393+
}
394+
395+
// SecretKeySelector references a key within a Kubernetes Secret.
396+
type SecretKeySelector struct {
397+
// Name of the Secret containing the CA certificate.
398+
// +kubebuilder:validation:Required
399+
// +kubebuilder:validation:MinLength=1
400+
Name string `json:"name"`
401+
402+
// Key within the Secret that holds the PEM-encoded CA certificate.
403+
// Defaults to "tls.crt", which is the standard key used by cert-manager.
404+
// +kubebuilder:default=tls.crt
405+
// +optional
406+
Key string `json:"key,omitempty"`
407+
}
408+
409+
// ConfigMapKeySelector references a key within a Kubernetes ConfigMap.
410+
type ConfigMapKeySelector struct {
411+
// Name of the ConfigMap containing the CA certificate.
412+
// +kubebuilder:validation:Required
413+
// +kubebuilder:validation:MinLength=1
414+
Name string `json:"name"`
415+
416+
// Key within the ConfigMap that holds the PEM-encoded CA certificate.
417+
// Defaults to "ca.crt", which is the standard key used by kube-root-ca.crt
418+
// and cert-manager CA bundles.
419+
// +kubebuilder:default=ca.crt
420+
// +optional
421+
Key string `json:"key,omitempty"`
422+
}
423+
370424
// AutoProvisioningConfig defines auto provisioning configuration.
371425
type AutoProvisioningConfig struct {
372426
// Enable auto provisioning.

controller/deploy/operator/api/v1alpha1/zz_generated.deepcopy.go

Lines changed: 57 additions & 2 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

controller/deploy/operator/config/crd/bases/operator.jumpstarter.dev_jumpstarters.yaml

Lines changed: 50 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -92,10 +92,58 @@ spec:
9292
JWT authentication configuration.
9393
Enables authentication using external JWT tokens from OIDC providers.
9494
Supports multiple JWT authenticators for different identity providers.
95+
Each entry may optionally reference a CA certificate from a Kubernetes
96+
Secret or ConfigMap instead of inlining the PEM content.
9597
items:
96-
description: JWTAuthenticator provides the configuration for
97-
a single JWT authenticator.
98+
description: |-
99+
JWTAuthenticatorConfig extends the standard Kubernetes JWTAuthenticator with
100+
support for referencing CA certificates from Kubernetes Secrets or ConfigMaps.
101+
The operator resolves the reference at reconcile time and injects the PEM content
102+
into the controller ConfigMap, so CA rotations are picked up automatically.
98103
properties:
104+
certificateAuthorityConfigMap:
105+
description: |-
106+
CertificateAuthorityConfigMap references a Kubernetes ConfigMap containing the
107+
CA certificate PEM for the OIDC issuer. The operator reads the specified key and
108+
injects the PEM content as the certificateAuthority for this authenticator.
109+
When the ConfigMap changes, the operator reconciles and updates the ConfigMap.
110+
properties:
111+
key:
112+
default: ca.crt
113+
description: |-
114+
Key within the ConfigMap that holds the PEM-encoded CA certificate.
115+
Defaults to "ca.crt", which is the standard key used by kube-root-ca.crt
116+
and cert-manager CA bundles.
117+
type: string
118+
name:
119+
description: Name of the ConfigMap containing the CA
120+
certificate.
121+
minLength: 1
122+
type: string
123+
required:
124+
- name
125+
type: object
126+
certificateAuthoritySecret:
127+
description: |-
128+
CertificateAuthoritySecret references a Kubernetes Secret containing the CA
129+
certificate PEM for the OIDC issuer. The operator reads the specified key and
130+
injects the PEM content as the certificateAuthority for this authenticator.
131+
When the Secret changes, the operator reconciles and updates the ConfigMap.
132+
Takes precedence over CertificateAuthorityConfigMap when both are set.
133+
properties:
134+
key:
135+
default: tls.crt
136+
description: |-
137+
Key within the Secret that holds the PEM-encoded CA certificate.
138+
Defaults to "tls.crt", which is the standard key used by cert-manager.
139+
type: string
140+
name:
141+
description: Name of the Secret containing the CA certificate.
142+
minLength: 1
143+
type: string
144+
required:
145+
- name
146+
type: object
99147
claimMappings:
100148
description: claimMappings points claims of a token to be
101149
treated as user attributes.

0 commit comments

Comments
 (0)