@@ -4,10 +4,15 @@ Jumpstarter uses internally issued JWT tokens to authenticate clients and
44exporters by default. You can also configure Jumpstarter to use external OpenID
55Connect (OIDC) providers.
66
7+ When installing with the operator, authentication is configured directly on the
8+ ` Jumpstarter ` custom resource, under ` spec.authentication ` .
9+
10+ For operator installation context, see
11+ [ Install with Operator] ( ../installation/service/service-operator.md ) .
12+
713To use OIDC with your Jumpstarter installation:
814
9- 1 . Set the helm value ` jumpstarter-controller.authenticationConfiguration ` to a
10- valid ` AuthenticationConfiguration ` yaml configuration
15+ 1 . Set ` spec.authentication.jwt ` on your ` Jumpstarter ` resource
11162 . Configure your OIDC provider to work with Jumpstarter
12173 . Create users with appropriate OIDC usernames
1318
@@ -22,22 +27,21 @@ Set up Keycloak for Jumpstarter authentication:
2227 - ` Valid redirect URIs ` : ` http://localhost/callback `
2328 - Leave remaining fields as default
2429
25- 2 . Use this configuration for
26- ` jumpstarter-controller.authenticationConfiguration ` during installation:
30+ 2 . Configure ` spec.authentication.jwt ` on your ` Jumpstarter ` resource:
2731
2832``` yaml
29- apiVersion : jumpstarter.dev/v1alpha1
30- kind : AuthenticationConfiguration
31- jwt :
32- - issuer :
33- url : https://<keycloak domain>/realms/<realm name>
34- certificateAuthority : <PEM encoded CA certificates>
35- audiences :
36- - jumpstarter-cli
37- claimMappings :
38- username :
39- claim : preferred_username
40- prefix : " keycloak:"
33+ spec :
34+ authentication :
35+ jwt :
36+ - issuer :
37+ url : https://<keycloak domain>/realms/<realm name>
38+ certificateAuthority : <PEM encoded CA certificates>
39+ audiences :
40+ - jumpstarter-cli
41+ claimMappings :
42+ username :
43+ claim : preferred_username
44+ prefix : " keycloak:"
4145` ` `
4246
4347Note, the HTTPS URL is mandatory, and you only need to include
@@ -107,7 +111,7 @@ $ kubectl -n dex create secret tls dex-tls \
107111 --key=pki/private/dex.dex.svc.cluster.local.key
108112` ` `
109113
110- 2. Install Dex with Helm using the following `values.yaml` :
114+ 2. Install Dex using your preferred deployment method with the following equivalent configuration :
111115
112116` ` ` yaml
113117https:
@@ -161,31 +165,25 @@ $ kubectl create clusterrolebinding oidc-reviewer \
161165 --group=system:unauthenticated
162166` ` `
163167
164- Then install Dex :
165-
166- ` ` ` console
167- $ helm repo add dex https://charts.dexidp.io
168- $ helm install --namespace dex --wait -f values.yaml dex dex/dex
169- ` ` `
168+ Then deploy Dex in the `dex` namespace with this configuration applied.
170169
171- 3. Configure Jumpstarter to trust Dex. Use this configuration for
172- `jumpstarter-controller.authenticationConfiguration` during installation :
170+ 3. Configure Jumpstarter to trust Dex by setting `spec.authentication.jwt` :
173171
174172` ` ` yaml
175- apiVersion: jumpstarter.dev/v1alpha1
176- kind: AuthenticationConfiguration
177- jwt:
178- - issuer:
179- url: https://dex.dex.svc.cluster.local:5556
180- audiences:
181- - jumpstarter-cli
182- audienceMatchPolicy: MatchAny
183- certificateAuthority: |
184- <content of pki/ca.crt>
185- claimMappings:
186- username:
187- claim: "name"
188- prefix: "dex:"
173+ spec:
174+ authentication:
175+ jwt:
176+ - issuer:
177+ url: https://dex.dex.svc.cluster.local:5556
178+ audiences:
179+ - jumpstarter-cli
180+ audienceMatchPolicy: MatchAny
181+ certificateAuthority: |
182+ <content of pki/ca.crt>
183+ claimMappings:
184+ username:
185+ claim: "name"
186+ prefix: "dex:"
189187` ` `
190188
1911894. Create clients and exporters with appropriate OIDC usernames. Prefix the full
@@ -225,9 +223,8 @@ $ jmp login --exporter <exporter alias> \
225223
226224# # Reference
227225
228- The reference section provides a complete example of an
229- ` AuthenticationConfiguration` resource with detailed comments. Use this as a
230- template for creating your own configuration.
226+ The reference section provides a complete example of `spec.authentication.jwt`
227+ with detailed comments. Use this as a template for your `Jumpstarter` resource.
231228
232229Key components include :
233230
@@ -237,62 +234,62 @@ Key components include:
237234- User validation rules
238235
239236` ` ` yaml
240- apiVersion: jumpstarter.dev/v1alpha1
241- kind: AuthenticationConfiguration
242- # JWT authenticators for OIDC-issued tokens
243- jwt:
244- - issuer:
245- # URL of the OIDC provider (must use https://)
246- url: https://example.com
247- # Optional: override URL for discovery information
248- discoveryURL: https://discovery.example.com/.well-known/openid-configuration
249- # Optional: PEM encoded CA certificates for validation
250- certificateAuthority: <PEM encoded CA certificates>
251- # List of acceptable token audiences
252- audiences:
253- - my-app
254- - my-other-app
255- # Required when multiple audiences are specified
256- audienceMatchPolicy: MatchAny
257- # rules applied to validate token claims to authenticate users.
258- claimValidationRules:
259- # Validate specific claim values
260- - claim: hd
261- requiredValue: example.com
262- # Alternative: use CEL expressions for complex validation
263- - expression: 'claims.hd == "example.com"'
264- message: the hd claim must be set to example.com
265- - expression: 'claims.exp - claims.nbf <= 86400'
266- message: total token lifetime must not exceed 24 hours
267- # Map OIDC claims to Jumpstarter user properties
268- claimMappings:
269- # Required: configure username mapping
270- username:
271- # JWT claim to use as username
272- claim: "sub"
273- # Prefix for username (required when claim is set)
274- prefix: ""
275- # Alternative: use CEL expression (mutually exclusive with claim+prefix)
276- # expression: 'claims.username + ":external-user"'
277- # Optional: configure groups mapping
278- groups:
279- claim: "sub"
280- prefix: ""
281- # Alternative: use CEL expression
282- # expression: 'claims.roles.split(",")'
283- # Optional: configure UID mapping
284- uid:
285- claim: 'sub'
286- # Alternative: use CEL expression
287- # expression: 'claims.sub'
288- # Optional: add extra attributes to UserInfo
289- extra:
290- - key: 'example.com/tenant'
291- valueExpression: 'claims.tenant'
292- # validation rules applied to the final user object.
293- userValidationRules:
294- - expression: "!user.username.startsWith('system:')"
295- message: 'username cannot used reserved system: prefix'
296- - expression: "user.groups.all(group, !group.startsWith('system:'))"
297- message: 'groups cannot used reserved system: prefix'
237+ spec:
238+ authentication:
239+ # JWT authenticators for OIDC-issued tokens
240+ jwt:
241+ - issuer:
242+ # URL of the OIDC provider (must use https://)
243+ url: https://example.com
244+ # Optional: override URL for discovery information
245+ discoveryURL: https://discovery.example.com/.well-known/openid-configuration
246+ # Optional: PEM encoded CA certificates for validation
247+ certificateAuthority: <PEM encoded CA certificates>
248+ # List of acceptable token audiences
249+ audiences:
250+ - my-app
251+ - my-other-app
252+ # Required when multiple audiences are specified
253+ audienceMatchPolicy: MatchAny
254+ # rules applied to validate token claims to authenticate users.
255+ claimValidationRules:
256+ # Validate specific claim values
257+ - claim: hd
258+ requiredValue: example.com
259+ # Alternative: use CEL expressions for complex validation
260+ - expression: 'claims.hd == "example.com"'
261+ message: the hd claim must be set to example.com
262+ - expression: 'claims.exp - claims.nbf <= 86400'
263+ message: total token lifetime must not exceed 24 hours
264+ # Map OIDC claims to Jumpstarter user properties
265+ claimMappings:
266+ # Required: configure username mapping
267+ username:
268+ # JWT claim to use as username
269+ claim: "sub"
270+ # Prefix for username (required when claim is set)
271+ prefix: ""
272+ # Alternative: use CEL expression (mutually exclusive with claim+prefix)
273+ # expression: 'claims.username + ":external-user"'
274+ # Optional: configure groups mapping
275+ groups:
276+ claim: "sub"
277+ prefix: ""
278+ # Alternative: use CEL expression
279+ # expression: 'claims.roles.split(",")'
280+ # Optional: configure UID mapping
281+ uid:
282+ claim: 'sub'
283+ # Alternative: use CEL expression
284+ # expression: 'claims.sub'
285+ # Optional: add extra attributes to UserInfo
286+ extra:
287+ - key: 'example.com/tenant'
288+ valueExpression: 'claims.tenant'
289+ # validation rules applied to the final user object.
290+ userValidationRules:
291+ - expression: "!user.username.startsWith('system:')"
292+ message: 'username cannot used reserved system: prefix'
293+ - expression: "user.groups.all(group, !group.startsWith('system:'))"
294+ message: 'groups cannot used reserved system: prefix'
298295` ` `
0 commit comments