openshift
diff --git a/‎config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml‎
Lines changed: 164 additions & 136 deletions b/‎config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml‎
Lines changed: 164 additions & 136 deletions
diff --git a/‎config/v1/types_authentication.go‎
Lines changed: 15 additions & 7 deletions b/‎config/v1/types_authentication.go‎
Lines changed: 15 additions & 7 deletions
diff --git a/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml‎
Lines changed: 28 additions & 9 deletions b/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml‎
Lines changed: 28 additions & 9 deletions
diff --git a/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml‎
Lines changed: 23 additions & 9 deletions b/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml‎
Lines changed: 23 additions & 9 deletions
diff --git a/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml‎
Lines changed: 28 additions & 9 deletions b/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml‎
Lines changed: 28 additions & 9 deletions
diff --git a/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml‎
Lines changed: 28 additions & 9 deletions b/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml‎
Lines changed: 28 additions & 9 deletions
@@ -249,7 +249,6 @@ type OIDCProvider struct {
 	// These rules determine whether a token subject is considered valid based on its claims.
 	// Each rule is evaluated independently.
 	// See the TokenUserValidationRule type for more information on rule structure.
-
 	// +listType=atomic
 	// +kubebuilder:validation:MaxItems=64
 	// +optional
@@ -785,19 +784,28 @@ const (
 // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'RequiredClaim' ? has(self.requiredClaim) : !has(self.requiredClaim)",message="requiredClaim must be set when type is 'RequiredClaim', and forbidden otherwise"
 // +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithNewAuthConfigFields,rule="has(self.type) && self.type == 'Expression' ? has(self.expressionRule) : !has(self.expressionRule)",message="expressionRule must be set when type is 'Expression', and forbidden otherwise"
 
+// TokenClaimValidationRule represents a validation rule based on token claims.
+// If type is RequiredClaim, requiredClaim must be set.
+// If type is Expression, expressionRule must be set.
+//
+// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'RequiredClaim' ? has(self.requiredClaim) : !has(self.requiredClaim)",message="requiredClaim must be set when type is 'RequiredClaim', and forbidden otherwise"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithNewAuthConfigFields,rule="has(self.type) && self.type == 'Expression' ? has(self.expressionRule) : !has(self.expressionRule)",message="expressionRule must be set when type is 'Expression', and forbidden otherwise"
 type TokenClaimValidationRule struct {
 	// type is an optional field that configures the type of the validation rule.
 	//
-	// Allowed values are 'RequiredClaim' and omitted (not provided or an empty string).
+	// Allowed values are "RequiredClaim" and "Expression".
+	//
+	// When set to 'RequiredClaim', the Kubernetes API server will be configured
+	// to validate that the incoming JWT contains the required claim and that its
+	// value matches the required value.
 	//
-	// When set to 'RequiredClaim', the Kubernetes API server
-	// will be configured to validate that the incoming JWT
-	// contains the required claim and that its value matches
-	// the required value.
+	// When set to 'Expression', the Kubernetes API server will be configured
+	// to validate the incoming JWT against the configured CEL expression.
 	//
-	// Defaults to 'RequiredClaim'.
+	// Defaults to "RequiredClaim".
 	//
 	// +kubebuilder:default="RequiredClaim"
+	// +kubebuilder:validation:Enum=RequiredClaim;Expression
 	Type TokenValidationRuleType `json:"type"`
 
 	// requiredClaim allows configuring a required claim name and its expected value.
 
@@ -347,6 +347,10 @@ spec:
 
                         Validation rules are joined via an AND operation.
                       items:
+                        description: |-
+                          TokenClaimValidationRule represents a validation rule based on token claims.
+                          If type is RequiredClaim, requiredClaim must be set.
+                          If type is Expression, expressionRule must be set.
                         properties:
                           expressionRule:
                             description: |-
@@ -397,28 +401,38 @@ spec:
                             - requiredValue
                             type: object
                           type:
+                            allOf:
+                            - enum:
+                              - RequiredClaim
+                              - Expression
+                            - enum:
+                              - RequiredClaim
+                              - Expression
                             default: RequiredClaim
                             description: |-
                               type is an optional field that configures the type of the validation rule.
 
-                              Allowed values are 'RequiredClaim' and omitted (not provided or an empty string).
+                              Allowed values are "RequiredClaim" and "Expression".
 
-                              When set to 'RequiredClaim', the Kubernetes API server
-                              will be configured to validate that the incoming JWT
-                              contains the required claim and that its value matches
-                              the required value.
+                              When set to 'RequiredClaim', the Kubernetes API server will be configured
+                              to validate that the incoming JWT contains the required claim and that its
+                              value matches the required value.
 
-                              Defaults to 'RequiredClaim'.
-                            enum:
-                            - RequiredClaim
-                            - Expression
+                              When set to 'Expression', the Kubernetes API server will be configured
+                              to validate the incoming JWT against the configured CEL expression.
+
+                              Defaults to "RequiredClaim".
                             type: string
                         type: object
                         x-kubernetes-validations:
                         - message: requiredClaim must be set when type is 'RequiredClaim',
                             and forbidden otherwise
                           rule: 'has(self.type) && self.type == ''RequiredClaim''
                             ? has(self.requiredClaim) : !has(self.requiredClaim)'
+                        - message: requiredClaim must be set when type is 'RequiredClaim',
+                            and forbidden otherwise
+                          rule: 'has(self.type) && self.type == ''RequiredClaim''
+                            ? has(self.requiredClaim) : !has(self.requiredClaim)'
                       type: array
                       x-kubernetes-list-type: atomic
                     issuer:
@@ -627,6 +641,11 @@ spec:
                       - componentName
                       x-kubernetes-list-type: map
                     userValidationRules:
+                      description: |-
+                        userValidationRules defines the set of rules used to validate claims in a user’s token.
+                        These rules determine whether a token subject is considered valid based on its claims.
+                        Each rule is evaluated independently.
+                        See the TokenUserValidationRule type for more information on rule structure.
                       items:
                         description: |-
                           TokenUserValidationRule provides a CEL-based rule used to validate a token subject.
 
@@ -196,6 +196,10 @@ spec:
 
                         Validation rules are joined via an AND operation.
                       items:
+                        description: |-
+                          TokenClaimValidationRule represents a validation rule based on token claims.
+                          If type is RequiredClaim, requiredClaim must be set.
+                          If type is Expression, expressionRule must be set.
                         properties:
                           expressionRule:
                             description: |-
@@ -227,28 +231,38 @@ spec:
                             - requiredValue
                             type: object
                           type:
+                            allOf:
+                            - enum:
+                              - RequiredClaim
+                              - Expression
+                            - enum:
+                              - RequiredClaim
+                              - Expression
                             default: RequiredClaim
                             description: |-
                               type is an optional field that configures the type of the validation rule.
 
-                              Allowed values are 'RequiredClaim' and omitted (not provided or an empty string).
+                              Allowed values are "RequiredClaim" and "Expression".
 
-                              When set to 'RequiredClaim', the Kubernetes API server
-                              will be configured to validate that the incoming JWT
-                              contains the required claim and that its value matches
-                              the required value.
+                              When set to 'RequiredClaim', the Kubernetes API server will be configured
+                              to validate that the incoming JWT contains the required claim and that its
+                              value matches the required value.
 
-                              Defaults to 'RequiredClaim'.
-                            enum:
-                            - RequiredClaim
-                            - Expression
+                              When set to 'Expression', the Kubernetes API server will be configured
+                              to validate the incoming JWT against the configured CEL expression.
+
+                              Defaults to "RequiredClaim".
                             type: string
                         type: object
                         x-kubernetes-validations:
                         - message: requiredClaim must be set when type is 'RequiredClaim',
                             and forbidden otherwise
                           rule: 'has(self.type) && self.type == ''RequiredClaim''
                             ? has(self.requiredClaim) : !has(self.requiredClaim)'
+                        - message: requiredClaim must be set when type is 'RequiredClaim',
+                            and forbidden otherwise
+                          rule: 'has(self.type) && self.type == ''RequiredClaim''
+                            ? has(self.requiredClaim) : !has(self.requiredClaim)'
                       type: array
                       x-kubernetes-list-type: atomic
                     issuer:
 
@@ -347,6 +347,10 @@ spec:
 
                         Validation rules are joined via an AND operation.
                       items:
+                        description: |-
+                          TokenClaimValidationRule represents a validation rule based on token claims.
+                          If type is RequiredClaim, requiredClaim must be set.
+                          If type is Expression, expressionRule must be set.
                         properties:
                           expressionRule:
                             description: |-
@@ -397,28 +401,38 @@ spec:
                             - requiredValue
                             type: object
                           type:
+                            allOf:
+                            - enum:
+                              - RequiredClaim
+                              - Expression
+                            - enum:
+                              - RequiredClaim
+                              - Expression
                             default: RequiredClaim
                             description: |-
                               type is an optional field that configures the type of the validation rule.
 
-                              Allowed values are 'RequiredClaim' and omitted (not provided or an empty string).
+                              Allowed values are "RequiredClaim" and "Expression".
 
-                              When set to 'RequiredClaim', the Kubernetes API server
-                              will be configured to validate that the incoming JWT
-                              contains the required claim and that its value matches
-                              the required value.
+                              When set to 'RequiredClaim', the Kubernetes API server will be configured
+                              to validate that the incoming JWT contains the required claim and that its
+                              value matches the required value.
 
-                              Defaults to 'RequiredClaim'.
-                            enum:
-                            - RequiredClaim
-                            - Expression
+                              When set to 'Expression', the Kubernetes API server will be configured
+                              to validate the incoming JWT against the configured CEL expression.
+
+                              Defaults to "RequiredClaim".
                             type: string
                         type: object
                         x-kubernetes-validations:
                         - message: requiredClaim must be set when type is 'RequiredClaim',
                             and forbidden otherwise
                           rule: 'has(self.type) && self.type == ''RequiredClaim''
                             ? has(self.requiredClaim) : !has(self.requiredClaim)'
+                        - message: requiredClaim must be set when type is 'RequiredClaim',
+                            and forbidden otherwise
+                          rule: 'has(self.type) && self.type == ''RequiredClaim''
+                            ? has(self.requiredClaim) : !has(self.requiredClaim)'
                       type: array
                       x-kubernetes-list-type: atomic
                     issuer:
@@ -627,6 +641,11 @@ spec:
                       - componentName
                       x-kubernetes-list-type: map
                     userValidationRules:
+                      description: |-
+                        userValidationRules defines the set of rules used to validate claims in a user’s token.
+                        These rules determine whether a token subject is considered valid based on its claims.
+                        Each rule is evaluated independently.
+                        See the TokenUserValidationRule type for more information on rule structure.
                       items:
                         description: |-
                           TokenUserValidationRule provides a CEL-based rule used to validate a token subject.
 
@@ -347,6 +347,10 @@ spec:
 
                         Validation rules are joined via an AND operation.
                       items:
+                        description: |-
+                          TokenClaimValidationRule represents a validation rule based on token claims.
+                          If type is RequiredClaim, requiredClaim must be set.
+                          If type is Expression, expressionRule must be set.
                         properties:
                           expressionRule:
                             description: |-
@@ -397,28 +401,38 @@ spec:
                             - requiredValue
                             type: object
                           type:
+                            allOf:
+                            - enum:
+                              - RequiredClaim
+                              - Expression
+                            - enum:
+                              - RequiredClaim
+                              - Expression
                             default: RequiredClaim
                             description: |-
                               type is an optional field that configures the type of the validation rule.
 
-                              Allowed values are 'RequiredClaim' and omitted (not provided or an empty string).
+                              Allowed values are "RequiredClaim" and "Expression".
 
-                              When set to 'RequiredClaim', the Kubernetes API server
-                              will be configured to validate that the incoming JWT
-                              contains the required claim and that its value matches
-                              the required value.
+                              When set to 'RequiredClaim', the Kubernetes API server will be configured
+                              to validate that the incoming JWT contains the required claim and that its
+                              value matches the required value.
 
-                              Defaults to 'RequiredClaim'.
-                            enum:
-                            - RequiredClaim
-                            - Expression
+                              When set to 'Expression', the Kubernetes API server will be configured
+                              to validate the incoming JWT against the configured CEL expression.
+
+                              Defaults to "RequiredClaim".
                             type: string
                         type: object
                         x-kubernetes-validations:
                         - message: requiredClaim must be set when type is 'RequiredClaim',
                             and forbidden otherwise
                           rule: 'has(self.type) && self.type == ''RequiredClaim''
                             ? has(self.requiredClaim) : !has(self.requiredClaim)'
+                        - message: requiredClaim must be set when type is 'RequiredClaim',
+                            and forbidden otherwise
+                          rule: 'has(self.type) && self.type == ''RequiredClaim''
+                            ? has(self.requiredClaim) : !has(self.requiredClaim)'
                       type: array
                       x-kubernetes-list-type: atomic
                     issuer:
@@ -627,6 +641,11 @@ spec:
                       - componentName
                       x-kubernetes-list-type: map
                     userValidationRules:
+                      description: |-
+                        userValidationRules defines the set of rules used to validate claims in a user’s token.
+                        These rules determine whether a token subject is considered valid based on its claims.
+                        Each rule is evaluated independently.
+                        See the TokenUserValidationRule type for more information on rule structure.
                       items:
                         description: |-
                           TokenUserValidationRule provides a CEL-based rule used to validate a token subject.