Skip to content

[OIDC] Fix CRD field descriptions #183

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Jun 9, 2025
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 4 additions & 7 deletions api/v1/mdb/mongodb_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -1061,20 +1061,18 @@ type Ldap struct {
}

type OIDCProviderConfig struct {
// Unique label that identifies this configuration. This label is visible to your Ops Manager users and is used when
// creating users and roles for authorization. It is case-sensitive and can only contain the following characters:
// Unique label that identifies this configuration. It is case-sensitive and can only contain the following characters:
// - alphanumeric characters (combination of a to z and 0 to 9)
// - hyphens (-)
// - underscores (_)
// +kubebuilder:validation:Pattern="^[a-zA-Z0-9-_]+$"
// +kubebuilder:validation:Required
ConfigurationName string `json:"configurationName"`

// Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Provider
// Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Connect Provider
// Configuration Document, which should be available in the /.wellknown/open-id-configuration endpoint.
// For MongoDB 7.0, 7.3, and 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
// For other MongoDB versions, the issuerURI itself must be unique.

// +kubebuilder:validation:Required
IssuerURI string `json:"issuerURI"`

Expand All @@ -1095,13 +1093,12 @@ type OIDCProviderConfig struct {
UserClaim string `json:"userClaim"`

// The identifier of the claim that includes the principal's IdP user group membership information.
// Accept the default value unless your IdP uses a different claim, or you need a custom claim.
// Required when selected GroupMembership as the authorization type, ignored otherwise
// +kubebuilder:validation:Optional
GroupsClaim *string `json:"groupsClaim"`

// Configure single-sign-on for human user access to Ops Manager deployments with Workforce Identity Federation.
// For programmatic, application access to Ops Manager deployments use Workload Identity Federation.
// Configure single-sign-on for human user access to deployments with Workforce Identity Federation.
// For programmatic, application access to deployments use Workload Identity Federation.
// Only one Workforce Identity Federation IdP can be configured per MongoDB resource
// +kubebuilder:validation:Required
AuthorizationMethod OIDCAuthorizationMethod `json:"authorizationMethod"`
Expand Down
10 changes: 4 additions & 6 deletions config/crd/bases/mongodb.com_mongodb.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -1535,8 +1535,8 @@ spec:
type: string
authorizationMethod:
description: |-
Configure single-sign-on for human user access to Ops Manager deployments with Workforce Identity Federation.
For programmatic, application access to Ops Manager deployments use Workload Identity Federation.
Configure single-sign-on for human user access to deployments with Workforce Identity Federation.
For programmatic, application access to deployments use Workload Identity Federation.
Only one Workforce Identity Federation IdP can be configured per MongoDB resource
enum:
- WorkforceIdentityFederation
Expand All @@ -1558,8 +1558,7 @@ spec:
type: string
configurationName:
description: |-
Unique label that identifies this configuration. This label is visible to your Ops Manager users and is used when
creating users and roles for authorization. It is case-sensitive and can only contain the following characters:
Unique label that identifies this configuration. It is case-sensitive and can only contain the following characters:
- alphanumeric characters (combination of a to z and 0 to 9)
- hyphens (-)
- underscores (_)
Expand All @@ -1568,12 +1567,11 @@ spec:
groupsClaim:
description: |-
The identifier of the claim that includes the principal's IdP user group membership information.
Accept the default value unless your IdP uses a different claim, or you need a custom claim.
Required when selected GroupMembership as the authorization type, ignored otherwise
type: string
issuerURI:
description: |-
Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Provider
Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Connect Provider
Configuration Document, which should be available in the /.wellknown/open-id-configuration endpoint.
For MongoDB 7.0, 7.3, and 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
For other MongoDB versions, the issuerURI itself must be unique.
Expand Down
10 changes: 4 additions & 6 deletions config/crd/bases/mongodb.com_mongodbmulticluster.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -795,8 +795,8 @@ spec:
type: string
authorizationMethod:
description: |-
Configure single-sign-on for human user access to Ops Manager deployments with Workforce Identity Federation.
For programmatic, application access to Ops Manager deployments use Workload Identity Federation.
Configure single-sign-on for human user access to deployments with Workforce Identity Federation.
For programmatic, application access to deployments use Workload Identity Federation.
Only one Workforce Identity Federation IdP can be configured per MongoDB resource
enum:
- WorkforceIdentityFederation
Expand All @@ -818,8 +818,7 @@ spec:
type: string
configurationName:
description: |-
Unique label that identifies this configuration. This label is visible to your Ops Manager users and is used when
creating users and roles for authorization. It is case-sensitive and can only contain the following characters:
Unique label that identifies this configuration. It is case-sensitive and can only contain the following characters:
- alphanumeric characters (combination of a to z and 0 to 9)
- hyphens (-)
- underscores (_)
Expand All @@ -828,12 +827,11 @@ spec:
groupsClaim:
description: |-
The identifier of the claim that includes the principal's IdP user group membership information.
Accept the default value unless your IdP uses a different claim, or you need a custom claim.
Required when selected GroupMembership as the authorization type, ignored otherwise
type: string
issuerURI:
description: |-
Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Provider
Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Connect Provider
Configuration Document, which should be available in the /.wellknown/open-id-configuration endpoint.
For MongoDB 7.0, 7.3, and 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
For other MongoDB versions, the issuerURI itself must be unique.
Expand Down
12 changes: 6 additions & 6 deletions config/crd/bases/mongodb.com_opsmanagers.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -857,8 +857,8 @@ spec:
type: string
authorizationMethod:
description: |-
Configure single-sign-on for human user access to Ops Manager deployments with Workforce Identity Federation.
For programmatic, application access to Ops Manager deployments use Workload Identity Federation.
Configure single-sign-on for human user access to deployments with Workforce Identity Federation.
For programmatic, application access to deployments use Workload Identity Federation.
Only one Workforce Identity Federation IdP can be configured per MongoDB resource
enum:
- WorkforceIdentityFederation
Expand All @@ -880,8 +880,7 @@ spec:
type: string
configurationName:
description: |-
Unique label that identifies this configuration. This label is visible to your Ops Manager users and is used when
creating users and roles for authorization. It is case-sensitive and can only contain the following characters:
Unique label that identifies this configuration. It is case-sensitive and can only contain the following characters:
- alphanumeric characters (combination of a to z and 0 to 9)
- hyphens (-)
- underscores (_)
Expand All @@ -890,13 +889,14 @@ spec:
groupsClaim:
description: |-
The identifier of the claim that includes the principal's IdP user group membership information.
Accept the default value unless your IdP uses a different claim, or you need a custom claim.
Required when selected GroupMembership as the authorization type, ignored otherwise
type: string
issuerURI:
description: |-
Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Provider
Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Connect Provider
Configuration Document, which should be available in the /.wellknown/open-id-configuration endpoint.
For MongoDB 7.0, 7.3, and 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
For other MongoDB versions, the issuerURI itself must be unique.
type: string
requestedScopes:
description: |-
Expand Down
10 changes: 4 additions & 6 deletions helm_chart/crds/mongodb.com_mongodb.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -1535,8 +1535,8 @@ spec:
type: string
authorizationMethod:
description: |-
Configure single-sign-on for human user access to Ops Manager deployments with Workforce Identity Federation.
For programmatic, application access to Ops Manager deployments use Workload Identity Federation.
Configure single-sign-on for human user access to deployments with Workforce Identity Federation.
For programmatic, application access to deployments use Workload Identity Federation.
Only one Workforce Identity Federation IdP can be configured per MongoDB resource
enum:
- WorkforceIdentityFederation
Expand All @@ -1558,8 +1558,7 @@ spec:
type: string
configurationName:
description: |-
Unique label that identifies this configuration. This label is visible to your Ops Manager users and is used when
creating users and roles for authorization. It is case-sensitive and can only contain the following characters:
Unique label that identifies this configuration. It is case-sensitive and can only contain the following characters:
- alphanumeric characters (combination of a to z and 0 to 9)
- hyphens (-)
- underscores (_)
Expand All @@ -1568,12 +1567,11 @@ spec:
groupsClaim:
description: |-
The identifier of the claim that includes the principal's IdP user group membership information.
Accept the default value unless your IdP uses a different claim, or you need a custom claim.
Required when selected GroupMembership as the authorization type, ignored otherwise
type: string
issuerURI:
description: |-
Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Provider
Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Connect Provider
Configuration Document, which should be available in the /.wellknown/open-id-configuration endpoint.
For MongoDB 7.0, 7.3, and 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
For other MongoDB versions, the issuerURI itself must be unique.
Expand Down
10 changes: 4 additions & 6 deletions helm_chart/crds/mongodb.com_mongodbmulticluster.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -795,8 +795,8 @@ spec:
type: string
authorizationMethod:
description: |-
Configure single-sign-on for human user access to Ops Manager deployments with Workforce Identity Federation.
For programmatic, application access to Ops Manager deployments use Workload Identity Federation.
Configure single-sign-on for human user access to deployments with Workforce Identity Federation.
For programmatic, application access to deployments use Workload Identity Federation.
Only one Workforce Identity Federation IdP can be configured per MongoDB resource
enum:
- WorkforceIdentityFederation
Expand All @@ -818,8 +818,7 @@ spec:
type: string
configurationName:
description: |-
Unique label that identifies this configuration. This label is visible to your Ops Manager users and is used when
creating users and roles for authorization. It is case-sensitive and can only contain the following characters:
Unique label that identifies this configuration. It is case-sensitive and can only contain the following characters:
- alphanumeric characters (combination of a to z and 0 to 9)
- hyphens (-)
- underscores (_)
Expand All @@ -828,12 +827,11 @@ spec:
groupsClaim:
description: |-
The identifier of the claim that includes the principal's IdP user group membership information.
Accept the default value unless your IdP uses a different claim, or you need a custom claim.
Required when selected GroupMembership as the authorization type, ignored otherwise
type: string
issuerURI:
description: |-
Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Provider
Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Connect Provider
Configuration Document, which should be available in the /.wellknown/open-id-configuration endpoint.
For MongoDB 7.0, 7.3, and 8.0+, the combination of issuerURI and audience must be unique across OIDC provider configurations.
For other MongoDB versions, the issuerURI itself must be unique.
Expand Down
Loading