Parameters

The parent key for all of the following parameters is openshift4_authentication.

`namespace`

type	string
default	`openshift-config`

The namespace in which to create manifests.

The component may not work correctly if this parameter is changed.

`sudoGroupName`

type	string
default	`null`

The OpenShift group name for which the component configures RBAC to allow members to impersonate users, groups, and service accounts, including the cluster administrator. See Cluster Admin Sudo and Impersonating Users for more details.

This parameter is deprecated and will be removed in a future release. Use sudoGroups instead.

`sudoGroups`

type	list
default	`[]`

The OpenShift group names for which the component configures RBAC to allow members to impersonate users, groups, and service accounts, including the cluster administrator. See Cluster Admin Sudo and Impersonating Users for more details.

Groups can be removed from the hierarchy by prefixing them with a ~ character.

Example

sudoGroups:
- ~sudoers
- admins

`adminUserName`

type	string
default	`cluster-admin`

The username used for cluster administrator impersonation.

`identityProviders`

type	dict
default	`{}`

This key allows users to configure arbitrary OpenShift identity providers. Please see the upstream documentation for supported configurations.

The component processes the contents of the dict into a list of identityProvider entries for the OpenShift 4 OAuth object. The dict keys are only present to allow users to modify existing entries in the hierarchy. They don’t appear in the generated manifests.

The component doesn’t validate the provided configurations.

Currently, the component only supports configuring a custom CA certificate for LDAP identity providers.

The component accepts custom CA certificate bundles for LDAP providers in key ca of an LDAP identity provider config. If a CA certificate bundle is provided like that, the component will generate a ConfigMap containing the CA certificate bundle, and will update the identity provider config to reference that ConfigMap.

Users should use the component’s secret configuration mechanism to deploy secrets containing identity provider credentials.

There are different black-/whitelist parameters for the sync and the prune jobs, as they require different parameters.

identityProviders:
  custom-ldap:
    ldap:
      sync:
        whitelist_sync: |-
          CN=cluster-access,OU=Groups,DC=myldap,DC=local
        whitelist_prune: |-
          cluster-access

`templates`

type	dict
default	`err: '' login: '' providerSelection: ''`

This parameter allows users to configure templates for the OpenShift authentication error, login, and provider selection pages. The component expects keys err, login and providerSelection in this parameter. The contents of those keys are used verbatim as the corresponding templates.

If any templates are configured, the component will create a single Secret called oauth-templates. The component writes each configured template to the secret in the keys documented in the upstream documentation on customizing the login page.

We use key err instead of error because error is a keyword in Jsonnet.

`token`

type	dict
default	`timeoutSeconds: ~ maxAgeSeconds: ~`

This parameter allows users to customize the OAuth access token expiration.

Key timeoutSeconds can be set to configure the desired value for the token’s inactivity timeout. See the upstream documentation on configuring token inactivity timeout for the internal OAuth server for more details.

Key maxAgeSeconds can be set to configure the desired value for the token’s maximum life time. See the upstream documentation on configuring the internal OAuth server’s token duration for more details.

`ldapSync`

type	string
default	`schedule: '%d * * * *'`

This parameter allows configuring the LDAP sync CronJob schedule. The schedule defined here will be applied for LDAP identity providers which don’t configure their own custom schedule.

The component will apply the logic documented in the Project Syn Jsonnet best practices on randomizing cron schedules to avoid generating load spikes on an LDAP server.

The component may break if you specify a schedule which doesn’t contain exactly one %d format specifier.

`secrets`

type	dict
default	`{}`

This parameter allows users to configure arbitrary secrets. The contents of the parameter are transformed into Secret resources.

See the how-to on configuring secrets for more details.

`groupMemberships`

type	dict
default	`{}`

This parameter allows users to configure arbitrary OpenShift groups and group memberships.

See the how-to on managing group memberships for more details.