|  |  |  | @@ -37,6 +37,7 @@ import ( | 
		
	
		
			
				|  |  |  |  | 	cliflag "k8s.io/component-base/cli/flag" | 
		
	
		
			
				|  |  |  |  | 	"k8s.io/klog/v2" | 
		
	
		
			
				|  |  |  |  | 	openapicommon "k8s.io/kube-openapi/pkg/common" | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 	serviceaccountcontroller "k8s.io/kubernetes/pkg/controller/serviceaccount" | 
		
	
		
			
				|  |  |  |  | 	"k8s.io/kubernetes/pkg/features" | 
		
	
		
			
				|  |  |  |  | 	kubeauthenticator "k8s.io/kubernetes/pkg/kubeapiserver/authenticator" | 
		
	
	
		
			
				
					
					|  |  |  | @@ -44,6 +45,7 @@ import ( | 
		
	
		
			
				|  |  |  |  | 	"k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/bootstrap" | 
		
	
		
			
				|  |  |  |  | ) | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | // BuiltInAuthenticationOptions contains all build-in authentication options for API Server | 
		
	
		
			
				|  |  |  |  | type BuiltInAuthenticationOptions struct { | 
		
	
		
			
				|  |  |  |  | 	APIAudiences    []string | 
		
	
		
			
				|  |  |  |  | 	Anonymous       *AnonymousAuthenticationOptions | 
		
	
	
		
			
				
					
					|  |  |  | @@ -59,14 +61,17 @@ type BuiltInAuthenticationOptions struct { | 
		
	
		
			
				|  |  |  |  | 	TokenFailureCacheTTL time.Duration | 
		
	
		
			
				|  |  |  |  | } | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | // AnonymousAuthenticationOptions contains anonymous authentication options for API Server | 
		
	
		
			
				|  |  |  |  | type AnonymousAuthenticationOptions struct { | 
		
	
		
			
				|  |  |  |  | 	Allow bool | 
		
	
		
			
				|  |  |  |  | } | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | // BootstrapTokenAuthenticationOptions contains bootstrap token authentication options for API Server | 
		
	
		
			
				|  |  |  |  | type BootstrapTokenAuthenticationOptions struct { | 
		
	
		
			
				|  |  |  |  | 	Enable bool | 
		
	
		
			
				|  |  |  |  | } | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | // OIDCAuthenticationOptions contains OIDC authentication options for API Server | 
		
	
		
			
				|  |  |  |  | type OIDCAuthenticationOptions struct { | 
		
	
		
			
				|  |  |  |  | 	CAFile         string | 
		
	
		
			
				|  |  |  |  | 	ClientID       string | 
		
	
	
		
			
				
					
					|  |  |  | @@ -79,6 +84,7 @@ type OIDCAuthenticationOptions struct { | 
		
	
		
			
				|  |  |  |  | 	RequiredClaims map[string]string | 
		
	
		
			
				|  |  |  |  | } | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | // ServiceAccountAuthenticationOptions contains service account authentication options for API Server | 
		
	
		
			
				|  |  |  |  | type ServiceAccountAuthenticationOptions struct { | 
		
	
		
			
				|  |  |  |  | 	KeyFiles         []string | 
		
	
		
			
				|  |  |  |  | 	Lookup           bool | 
		
	
	
		
			
				
					
					|  |  |  | @@ -88,16 +94,19 @@ type ServiceAccountAuthenticationOptions struct { | 
		
	
		
			
				|  |  |  |  | 	ExtendExpiration bool | 
		
	
		
			
				|  |  |  |  | } | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | // TokenFileAuthenticationOptions contains token file authentication options for API Server | 
		
	
		
			
				|  |  |  |  | type TokenFileAuthenticationOptions struct { | 
		
	
		
			
				|  |  |  |  | 	TokenFile string | 
		
	
		
			
				|  |  |  |  | } | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | // WebHookAuthenticationOptions contains web hook authentication options for API Server | 
		
	
		
			
				|  |  |  |  | type WebHookAuthenticationOptions struct { | 
		
	
		
			
				|  |  |  |  | 	ConfigFile string | 
		
	
		
			
				|  |  |  |  | 	Version    string | 
		
	
		
			
				|  |  |  |  | 	CacheTTL   time.Duration | 
		
	
		
			
				|  |  |  |  | } | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | // NewBuiltInAuthenticationOptions create a new BuiltInAuthenticationOptions, just set default token cache TTL | 
		
	
		
			
				|  |  |  |  | func NewBuiltInAuthenticationOptions() *BuiltInAuthenticationOptions { | 
		
	
		
			
				|  |  |  |  | 	return &BuiltInAuthenticationOptions{ | 
		
	
		
			
				|  |  |  |  | 		TokenSuccessCacheTTL: 10 * time.Second, | 
		
	
	
		
			
				
					
					|  |  |  | @@ -105,8 +114,9 @@ func NewBuiltInAuthenticationOptions() *BuiltInAuthenticationOptions { | 
		
	
		
			
				|  |  |  |  | 	} | 
		
	
		
			
				|  |  |  |  | } | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | func (s *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions { | 
		
	
		
			
				|  |  |  |  | 	return s. | 
		
	
		
			
				|  |  |  |  | // WithAll set default value for every build-in authentication option | 
		
	
		
			
				|  |  |  |  | func (o *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions { | 
		
	
		
			
				|  |  |  |  | 	return o. | 
		
	
		
			
				|  |  |  |  | 		WithAnonymous(). | 
		
	
		
			
				|  |  |  |  | 		WithBootstrapToken(). | 
		
	
		
			
				|  |  |  |  | 		WithClientCert(). | 
		
	
	
		
			
				
					
					|  |  |  | @@ -117,87 +127,95 @@ func (s *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions { | 
		
	
		
			
				|  |  |  |  | 		WithWebHook() | 
		
	
		
			
				|  |  |  |  | } | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | func (s *BuiltInAuthenticationOptions) WithAnonymous() *BuiltInAuthenticationOptions { | 
		
	
		
			
				|  |  |  |  | 	s.Anonymous = &AnonymousAuthenticationOptions{Allow: true} | 
		
	
		
			
				|  |  |  |  | 	return s | 
		
	
		
			
				|  |  |  |  | // WithAnonymous set default value for anonymous authentication | 
		
	
		
			
				|  |  |  |  | func (o *BuiltInAuthenticationOptions) WithAnonymous() *BuiltInAuthenticationOptions { | 
		
	
		
			
				|  |  |  |  | 	o.Anonymous = &AnonymousAuthenticationOptions{Allow: true} | 
		
	
		
			
				|  |  |  |  | 	return o | 
		
	
		
			
				|  |  |  |  | } | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | func (s *BuiltInAuthenticationOptions) WithBootstrapToken() *BuiltInAuthenticationOptions { | 
		
	
		
			
				|  |  |  |  | 	s.BootstrapToken = &BootstrapTokenAuthenticationOptions{} | 
		
	
		
			
				|  |  |  |  | 	return s | 
		
	
		
			
				|  |  |  |  | // WithBootstrapToken set default value for bootstrap token authentication | 
		
	
		
			
				|  |  |  |  | func (o *BuiltInAuthenticationOptions) WithBootstrapToken() *BuiltInAuthenticationOptions { | 
		
	
		
			
				|  |  |  |  | 	o.BootstrapToken = &BootstrapTokenAuthenticationOptions{} | 
		
	
		
			
				|  |  |  |  | 	return o | 
		
	
		
			
				|  |  |  |  | } | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | func (s *BuiltInAuthenticationOptions) WithClientCert() *BuiltInAuthenticationOptions { | 
		
	
		
			
				|  |  |  |  | 	s.ClientCert = &genericoptions.ClientCertAuthenticationOptions{} | 
		
	
		
			
				|  |  |  |  | 	return s | 
		
	
		
			
				|  |  |  |  | // WithClientCert set default value for client cert | 
		
	
		
			
				|  |  |  |  | func (o *BuiltInAuthenticationOptions) WithClientCert() *BuiltInAuthenticationOptions { | 
		
	
		
			
				|  |  |  |  | 	o.ClientCert = &genericoptions.ClientCertAuthenticationOptions{} | 
		
	
		
			
				|  |  |  |  | 	return o | 
		
	
		
			
				|  |  |  |  | } | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | func (s *BuiltInAuthenticationOptions) WithOIDC() *BuiltInAuthenticationOptions { | 
		
	
		
			
				|  |  |  |  | 	s.OIDC = &OIDCAuthenticationOptions{} | 
		
	
		
			
				|  |  |  |  | 	return s | 
		
	
		
			
				|  |  |  |  | // WithOIDC set default value for OIDC authentication | 
		
	
		
			
				|  |  |  |  | func (o *BuiltInAuthenticationOptions) WithOIDC() *BuiltInAuthenticationOptions { | 
		
	
		
			
				|  |  |  |  | 	o.OIDC = &OIDCAuthenticationOptions{} | 
		
	
		
			
				|  |  |  |  | 	return o | 
		
	
		
			
				|  |  |  |  | } | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | func (s *BuiltInAuthenticationOptions) WithRequestHeader() *BuiltInAuthenticationOptions { | 
		
	
		
			
				|  |  |  |  | 	s.RequestHeader = &genericoptions.RequestHeaderAuthenticationOptions{} | 
		
	
		
			
				|  |  |  |  | 	return s | 
		
	
		
			
				|  |  |  |  | // WithRequestHeader set default value for request header authentication | 
		
	
		
			
				|  |  |  |  | func (o *BuiltInAuthenticationOptions) WithRequestHeader() *BuiltInAuthenticationOptions { | 
		
	
		
			
				|  |  |  |  | 	o.RequestHeader = &genericoptions.RequestHeaderAuthenticationOptions{} | 
		
	
		
			
				|  |  |  |  | 	return o | 
		
	
		
			
				|  |  |  |  | } | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | func (s *BuiltInAuthenticationOptions) WithServiceAccounts() *BuiltInAuthenticationOptions { | 
		
	
		
			
				|  |  |  |  | 	s.ServiceAccounts = &ServiceAccountAuthenticationOptions{Lookup: true} | 
		
	
		
			
				|  |  |  |  | 	return s | 
		
	
		
			
				|  |  |  |  | // WithServiceAccounts set default value for service account authentication | 
		
	
		
			
				|  |  |  |  | func (o *BuiltInAuthenticationOptions) WithServiceAccounts() *BuiltInAuthenticationOptions { | 
		
	
		
			
				|  |  |  |  | 	o.ServiceAccounts = &ServiceAccountAuthenticationOptions{Lookup: true} | 
		
	
		
			
				|  |  |  |  | 	return o | 
		
	
		
			
				|  |  |  |  | } | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | func (s *BuiltInAuthenticationOptions) WithTokenFile() *BuiltInAuthenticationOptions { | 
		
	
		
			
				|  |  |  |  | 	s.TokenFile = &TokenFileAuthenticationOptions{} | 
		
	
		
			
				|  |  |  |  | 	return s | 
		
	
		
			
				|  |  |  |  | // WithTokenFile set default value for token file authentication | 
		
	
		
			
				|  |  |  |  | func (o *BuiltInAuthenticationOptions) WithTokenFile() *BuiltInAuthenticationOptions { | 
		
	
		
			
				|  |  |  |  | 	o.TokenFile = &TokenFileAuthenticationOptions{} | 
		
	
		
			
				|  |  |  |  | 	return o | 
		
	
		
			
				|  |  |  |  | } | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | func (s *BuiltInAuthenticationOptions) WithWebHook() *BuiltInAuthenticationOptions { | 
		
	
		
			
				|  |  |  |  | 	s.WebHook = &WebHookAuthenticationOptions{ | 
		
	
		
			
				|  |  |  |  | // WithWebHook set default value for web hook authentication | 
		
	
		
			
				|  |  |  |  | func (o *BuiltInAuthenticationOptions) WithWebHook() *BuiltInAuthenticationOptions { | 
		
	
		
			
				|  |  |  |  | 	o.WebHook = &WebHookAuthenticationOptions{ | 
		
	
		
			
				|  |  |  |  | 		Version:  "v1beta1", | 
		
	
		
			
				|  |  |  |  | 		CacheTTL: 2 * time.Minute, | 
		
	
		
			
				|  |  |  |  | 	} | 
		
	
		
			
				|  |  |  |  | 	return s | 
		
	
		
			
				|  |  |  |  | 	return o | 
		
	
		
			
				|  |  |  |  | } | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | // Validate checks invalid config combination | 
		
	
		
			
				|  |  |  |  | func (s *BuiltInAuthenticationOptions) Validate() []error { | 
		
	
		
			
				|  |  |  |  | func (o *BuiltInAuthenticationOptions) Validate() []error { | 
		
	
		
			
				|  |  |  |  | 	allErrors := []error{} | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 	if s.OIDC != nil && (len(s.OIDC.IssuerURL) > 0) != (len(s.OIDC.ClientID) > 0) { | 
		
	
		
			
				|  |  |  |  | 	if o.OIDC != nil && (len(o.OIDC.IssuerURL) > 0) != (len(o.OIDC.ClientID) > 0) { | 
		
	
		
			
				|  |  |  |  | 		allErrors = append(allErrors, fmt.Errorf("oidc-issuer-url and oidc-client-id should be specified together")) | 
		
	
		
			
				|  |  |  |  | 	} | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 	if s.ServiceAccounts != nil && len(s.ServiceAccounts.Issuer) > 0 && strings.Contains(s.ServiceAccounts.Issuer, ":") { | 
		
	
		
			
				|  |  |  |  | 		if _, err := url.Parse(s.ServiceAccounts.Issuer); err != nil { | 
		
	
		
			
				|  |  |  |  | 	if o.ServiceAccounts != nil && len(o.ServiceAccounts.Issuer) > 0 && strings.Contains(o.ServiceAccounts.Issuer, ":") { | 
		
	
		
			
				|  |  |  |  | 		if _, err := url.Parse(o.ServiceAccounts.Issuer); err != nil { | 
		
	
		
			
				|  |  |  |  | 			allErrors = append(allErrors, fmt.Errorf("service-account-issuer contained a ':' but was not a valid URL: %v", err)) | 
		
	
		
			
				|  |  |  |  | 		} | 
		
	
		
			
				|  |  |  |  | 	} | 
		
	
		
			
				|  |  |  |  | 	if s.ServiceAccounts != nil && utilfeature.DefaultFeatureGate.Enabled(features.BoundServiceAccountTokenVolume) { | 
		
	
		
			
				|  |  |  |  | 	if o.ServiceAccounts != nil && utilfeature.DefaultFeatureGate.Enabled(features.BoundServiceAccountTokenVolume) { | 
		
	
		
			
				|  |  |  |  | 		if !utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) || !utilfeature.DefaultFeatureGate.Enabled(features.TokenRequestProjection) { | 
		
	
		
			
				|  |  |  |  | 			allErrors = append(allErrors, errors.New("if the BoundServiceAccountTokenVolume feature is enabled,"+ | 
		
	
		
			
				|  |  |  |  | 				" the TokenRequest and TokenRequestProjection features must also be enabled")) | 
		
	
		
			
				|  |  |  |  | 		} | 
		
	
		
			
				|  |  |  |  | 		if len(s.ServiceAccounts.Issuer) == 0 { | 
		
	
		
			
				|  |  |  |  | 		if len(o.ServiceAccounts.Issuer) == 0 { | 
		
	
		
			
				|  |  |  |  | 			allErrors = append(allErrors, errors.New("service-account-issuer is a required flag when BoundServiceAccountTokenVolume is enabled")) | 
		
	
		
			
				|  |  |  |  | 		} | 
		
	
		
			
				|  |  |  |  | 		if len(s.ServiceAccounts.KeyFiles) == 0 { | 
		
	
		
			
				|  |  |  |  | 		if len(o.ServiceAccounts.KeyFiles) == 0 { | 
		
	
		
			
				|  |  |  |  | 			allErrors = append(allErrors, errors.New("service-account-key-file is a required flag when BoundServiceAccountTokenVolume is enabled")) | 
		
	
		
			
				|  |  |  |  | 		} | 
		
	
		
			
				|  |  |  |  | 	} | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 	if s.ServiceAccounts != nil { | 
		
	
		
			
				|  |  |  |  | 	if o.ServiceAccounts != nil { | 
		
	
		
			
				|  |  |  |  | 		if utilfeature.DefaultFeatureGate.Enabled(features.ServiceAccountIssuerDiscovery) { | 
		
	
		
			
				|  |  |  |  | 			// Validate the JWKS URI when it is explicitly set. | 
		
	
		
			
				|  |  |  |  | 			// When unset, it is later derived from ExternalHost. | 
		
	
		
			
				|  |  |  |  | 			if s.ServiceAccounts.JWKSURI != "" { | 
		
	
		
			
				|  |  |  |  | 				if u, err := url.Parse(s.ServiceAccounts.JWKSURI); err != nil { | 
		
	
		
			
				|  |  |  |  | 			if o.ServiceAccounts.JWKSURI != "" { | 
		
	
		
			
				|  |  |  |  | 				if u, err := url.Parse(o.ServiceAccounts.JWKSURI); err != nil { | 
		
	
		
			
				|  |  |  |  | 					allErrors = append(allErrors, fmt.Errorf("service-account-jwks-uri must be a valid URL: %v", err)) | 
		
	
		
			
				|  |  |  |  | 				} else if u.Scheme != "https" { | 
		
	
		
			
				|  |  |  |  | 					allErrors = append(allErrors, fmt.Errorf("service-account-jwks-uri requires https scheme, parsed as: %v", u.String())) | 
		
	
		
			
				|  |  |  |  | 				} | 
		
	
		
			
				|  |  |  |  | 			} | 
		
	
		
			
				|  |  |  |  | 		} else if len(s.ServiceAccounts.JWKSURI) > 0 { | 
		
	
		
			
				|  |  |  |  | 		} else if len(o.ServiceAccounts.JWKSURI) > 0 { | 
		
	
		
			
				|  |  |  |  | 			allErrors = append(allErrors, fmt.Errorf("service-account-jwks-uri may only be set when the ServiceAccountIssuerDiscovery feature gate is enabled")) | 
		
	
		
			
				|  |  |  |  | 		} | 
		
	
		
			
				|  |  |  |  | 	} | 
		
	
	
		
			
				
					
					|  |  |  | @@ -205,88 +223,89 @@ func (s *BuiltInAuthenticationOptions) Validate() []error { | 
		
	
		
			
				|  |  |  |  | 	return allErrors | 
		
	
		
			
				|  |  |  |  | } | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) { | 
		
	
		
			
				|  |  |  |  | 	fs.StringSliceVar(&s.APIAudiences, "api-audiences", s.APIAudiences, ""+ | 
		
	
		
			
				|  |  |  |  | // AddFlags returns flags of authentication for a API Server | 
		
	
		
			
				|  |  |  |  | func (o *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) { | 
		
	
		
			
				|  |  |  |  | 	fs.StringSliceVar(&o.APIAudiences, "api-audiences", o.APIAudiences, ""+ | 
		
	
		
			
				|  |  |  |  | 		"Identifiers of the API. The service account token authenticator will validate that "+ | 
		
	
		
			
				|  |  |  |  | 		"tokens used against the API are bound to at least one of these audiences. If the "+ | 
		
	
		
			
				|  |  |  |  | 		"--service-account-issuer flag is configured and this flag is not, this field "+ | 
		
	
		
			
				|  |  |  |  | 		"defaults to a single element list containing the issuer URL.") | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 	if s.Anonymous != nil { | 
		
	
		
			
				|  |  |  |  | 		fs.BoolVar(&s.Anonymous.Allow, "anonymous-auth", s.Anonymous.Allow, ""+ | 
		
	
		
			
				|  |  |  |  | 	if o.Anonymous != nil { | 
		
	
		
			
				|  |  |  |  | 		fs.BoolVar(&o.Anonymous.Allow, "anonymous-auth", o.Anonymous.Allow, ""+ | 
		
	
		
			
				|  |  |  |  | 			"Enables anonymous requests to the secure port of the API server. "+ | 
		
	
		
			
				|  |  |  |  | 			"Requests that are not rejected by another authentication method are treated as anonymous requests. "+ | 
		
	
		
			
				|  |  |  |  | 			"Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated.") | 
		
	
		
			
				|  |  |  |  | 	} | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 	if s.BootstrapToken != nil { | 
		
	
		
			
				|  |  |  |  | 		fs.BoolVar(&s.BootstrapToken.Enable, "enable-bootstrap-token-auth", s.BootstrapToken.Enable, ""+ | 
		
	
		
			
				|  |  |  |  | 	if o.BootstrapToken != nil { | 
		
	
		
			
				|  |  |  |  | 		fs.BoolVar(&o.BootstrapToken.Enable, "enable-bootstrap-token-auth", o.BootstrapToken.Enable, ""+ | 
		
	
		
			
				|  |  |  |  | 			"Enable to allow secrets of type 'bootstrap.kubernetes.io/token' in the 'kube-system' "+ | 
		
	
		
			
				|  |  |  |  | 			"namespace to be used for TLS bootstrapping authentication.") | 
		
	
		
			
				|  |  |  |  | 	} | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 	if s.ClientCert != nil { | 
		
	
		
			
				|  |  |  |  | 		s.ClientCert.AddFlags(fs) | 
		
	
		
			
				|  |  |  |  | 	if o.ClientCert != nil { | 
		
	
		
			
				|  |  |  |  | 		o.ClientCert.AddFlags(fs) | 
		
	
		
			
				|  |  |  |  | 	} | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 	if s.OIDC != nil { | 
		
	
		
			
				|  |  |  |  | 		fs.StringVar(&s.OIDC.IssuerURL, "oidc-issuer-url", s.OIDC.IssuerURL, ""+ | 
		
	
		
			
				|  |  |  |  | 	if o.OIDC != nil { | 
		
	
		
			
				|  |  |  |  | 		fs.StringVar(&o.OIDC.IssuerURL, "oidc-issuer-url", o.OIDC.IssuerURL, ""+ | 
		
	
		
			
				|  |  |  |  | 			"The URL of the OpenID issuer, only HTTPS scheme will be accepted. "+ | 
		
	
		
			
				|  |  |  |  | 			"If set, it will be used to verify the OIDC JSON Web Token (JWT).") | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 		fs.StringVar(&s.OIDC.ClientID, "oidc-client-id", s.OIDC.ClientID, | 
		
	
		
			
				|  |  |  |  | 		fs.StringVar(&o.OIDC.ClientID, "oidc-client-id", o.OIDC.ClientID, | 
		
	
		
			
				|  |  |  |  | 			"The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.") | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 		fs.StringVar(&s.OIDC.CAFile, "oidc-ca-file", s.OIDC.CAFile, ""+ | 
		
	
		
			
				|  |  |  |  | 		fs.StringVar(&o.OIDC.CAFile, "oidc-ca-file", o.OIDC.CAFile, ""+ | 
		
	
		
			
				|  |  |  |  | 			"If set, the OpenID server's certificate will be verified by one of the authorities "+ | 
		
	
		
			
				|  |  |  |  | 			"in the oidc-ca-file, otherwise the host's root CA set will be used.") | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 		fs.StringVar(&s.OIDC.UsernameClaim, "oidc-username-claim", "sub", ""+ | 
		
	
		
			
				|  |  |  |  | 		fs.StringVar(&o.OIDC.UsernameClaim, "oidc-username-claim", "sub", ""+ | 
		
	
		
			
				|  |  |  |  | 			"The OpenID claim to use as the user name. Note that claims other than the default ('sub') "+ | 
		
	
		
			
				|  |  |  |  | 			"is not guaranteed to be unique and immutable. This flag is experimental, please see "+ | 
		
	
		
			
				|  |  |  |  | 			"the authentication documentation for further details.") | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 		fs.StringVar(&s.OIDC.UsernamePrefix, "oidc-username-prefix", "", ""+ | 
		
	
		
			
				|  |  |  |  | 		fs.StringVar(&o.OIDC.UsernamePrefix, "oidc-username-prefix", "", ""+ | 
		
	
		
			
				|  |  |  |  | 			"If provided, all usernames will be prefixed with this value. If not provided, "+ | 
		
	
		
			
				|  |  |  |  | 			"username claims other than 'email' are prefixed by the issuer URL to avoid "+ | 
		
	
		
			
				|  |  |  |  | 			"clashes. To skip any prefixing, provide the value '-'.") | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 		fs.StringVar(&s.OIDC.GroupsClaim, "oidc-groups-claim", "", ""+ | 
		
	
		
			
				|  |  |  |  | 		fs.StringVar(&o.OIDC.GroupsClaim, "oidc-groups-claim", "", ""+ | 
		
	
		
			
				|  |  |  |  | 			"If provided, the name of a custom OpenID Connect claim for specifying user groups. "+ | 
		
	
		
			
				|  |  |  |  | 			"The claim value is expected to be a string or array of strings. This flag is experimental, "+ | 
		
	
		
			
				|  |  |  |  | 			"please see the authentication documentation for further details.") | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 		fs.StringVar(&s.OIDC.GroupsPrefix, "oidc-groups-prefix", "", ""+ | 
		
	
		
			
				|  |  |  |  | 		fs.StringVar(&o.OIDC.GroupsPrefix, "oidc-groups-prefix", "", ""+ | 
		
	
		
			
				|  |  |  |  | 			"If provided, all groups will be prefixed with this value to prevent conflicts with "+ | 
		
	
		
			
				|  |  |  |  | 			"other authentication strategies.") | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 		fs.StringSliceVar(&s.OIDC.SigningAlgs, "oidc-signing-algs", []string{"RS256"}, ""+ | 
		
	
		
			
				|  |  |  |  | 		fs.StringSliceVar(&o.OIDC.SigningAlgs, "oidc-signing-algs", []string{"RS256"}, ""+ | 
		
	
		
			
				|  |  |  |  | 			"Comma-separated list of allowed JOSE asymmetric signing algorithms. JWTs with a "+ | 
		
	
		
			
				|  |  |  |  | 			"'alg' header value not in this list will be rejected. "+ | 
		
	
		
			
				|  |  |  |  | 			"Values are defined by RFC 7518 https://tools.ietf.org/html/rfc7518#section-3.1.") | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 		fs.Var(cliflag.NewMapStringStringNoSplit(&s.OIDC.RequiredClaims), "oidc-required-claim", ""+ | 
		
	
		
			
				|  |  |  |  | 		fs.Var(cliflag.NewMapStringStringNoSplit(&o.OIDC.RequiredClaims), "oidc-required-claim", ""+ | 
		
	
		
			
				|  |  |  |  | 			"A key=value pair that describes a required claim in the ID Token. "+ | 
		
	
		
			
				|  |  |  |  | 			"If set, the claim is verified to be present in the ID Token with a matching value. "+ | 
		
	
		
			
				|  |  |  |  | 			"Repeat this flag to specify multiple claims.") | 
		
	
		
			
				|  |  |  |  | 	} | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 	if s.RequestHeader != nil { | 
		
	
		
			
				|  |  |  |  | 		s.RequestHeader.AddFlags(fs) | 
		
	
		
			
				|  |  |  |  | 	if o.RequestHeader != nil { | 
		
	
		
			
				|  |  |  |  | 		o.RequestHeader.AddFlags(fs) | 
		
	
		
			
				|  |  |  |  | 	} | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 	if s.ServiceAccounts != nil { | 
		
	
		
			
				|  |  |  |  | 		fs.StringArrayVar(&s.ServiceAccounts.KeyFiles, "service-account-key-file", s.ServiceAccounts.KeyFiles, ""+ | 
		
	
		
			
				|  |  |  |  | 	if o.ServiceAccounts != nil { | 
		
	
		
			
				|  |  |  |  | 		fs.StringArrayVar(&o.ServiceAccounts.KeyFiles, "service-account-key-file", o.ServiceAccounts.KeyFiles, ""+ | 
		
	
		
			
				|  |  |  |  | 			"File containing PEM-encoded x509 RSA or ECDSA private or public keys, used to verify "+ | 
		
	
		
			
				|  |  |  |  | 			"ServiceAccount tokens. The specified file can contain multiple keys, and the flag can "+ | 
		
	
		
			
				|  |  |  |  | 			"be specified multiple times with different files. If unspecified, "+ | 
		
	
		
			
				|  |  |  |  | 			"--tls-private-key-file is used. Must be specified when "+ | 
		
	
		
			
				|  |  |  |  | 			"--service-account-signing-key is provided") | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 		fs.BoolVar(&s.ServiceAccounts.Lookup, "service-account-lookup", s.ServiceAccounts.Lookup, | 
		
	
		
			
				|  |  |  |  | 		fs.BoolVar(&o.ServiceAccounts.Lookup, "service-account-lookup", o.ServiceAccounts.Lookup, | 
		
	
		
			
				|  |  |  |  | 			"If true, validate ServiceAccount tokens exist in etcd as part of authentication.") | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 		fs.StringVar(&s.ServiceAccounts.Issuer, "service-account-issuer", s.ServiceAccounts.Issuer, ""+ | 
		
	
		
			
				|  |  |  |  | 		fs.StringVar(&o.ServiceAccounts.Issuer, "service-account-issuer", o.ServiceAccounts.Issuer, ""+ | 
		
	
		
			
				|  |  |  |  | 			"Identifier of the service account token issuer. The issuer will assert this identifier "+ | 
		
	
		
			
				|  |  |  |  | 			"in \"iss\" claim of issued tokens. This value is a string or URI. If this option is not "+ | 
		
	
		
			
				|  |  |  |  | 			"a valid URI per the OpenID Discovery 1.0 spec, the ServiceAccountIssuerDiscovery feature "+ | 
		
	
	
		
			
				
					
					|  |  |  | @@ -296,7 +315,7 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) { | 
		
	
		
			
				|  |  |  |  | 			"recommended that this URL be capable of serving OpenID discovery documents at "+ | 
		
	
		
			
				|  |  |  |  | 			"`{service-account-issuer}/.well-known/openid-configuration`.") | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 		fs.StringVar(&s.ServiceAccounts.JWKSURI, "service-account-jwks-uri", s.ServiceAccounts.JWKSURI, ""+ | 
		
	
		
			
				|  |  |  |  | 		fs.StringVar(&o.ServiceAccounts.JWKSURI, "service-account-jwks-uri", o.ServiceAccounts.JWKSURI, ""+ | 
		
	
		
			
				|  |  |  |  | 			"Overrides the URI for the JSON Web Key Set in the discovery doc served at "+ | 
		
	
		
			
				|  |  |  |  | 			"/.well-known/openid-configuration. This flag is useful if the discovery doc"+ | 
		
	
		
			
				|  |  |  |  | 			"and key set are served to relying parties from a URL other than the "+ | 
		
	
	
		
			
				
					
					|  |  |  | @@ -304,108 +323,109 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) { | 
		
	
		
			
				|  |  |  |  | 			"Only valid if the ServiceAccountIssuerDiscovery feature gate is enabled.") | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 		// Deprecated in 1.13 | 
		
	
		
			
				|  |  |  |  | 		fs.StringSliceVar(&s.APIAudiences, "service-account-api-audiences", s.APIAudiences, ""+ | 
		
	
		
			
				|  |  |  |  | 		fs.StringSliceVar(&o.APIAudiences, "service-account-api-audiences", o.APIAudiences, ""+ | 
		
	
		
			
				|  |  |  |  | 			"Identifiers of the API. The service account token authenticator will validate that "+ | 
		
	
		
			
				|  |  |  |  | 			"tokens used against the API are bound to at least one of these audiences.") | 
		
	
		
			
				|  |  |  |  | 		fs.MarkDeprecated("service-account-api-audiences", "Use --api-audiences") | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 		fs.DurationVar(&s.ServiceAccounts.MaxExpiration, "service-account-max-token-expiration", s.ServiceAccounts.MaxExpiration, ""+ | 
		
	
		
			
				|  |  |  |  | 		fs.DurationVar(&o.ServiceAccounts.MaxExpiration, "service-account-max-token-expiration", o.ServiceAccounts.MaxExpiration, ""+ | 
		
	
		
			
				|  |  |  |  | 			"The maximum validity duration of a token created by the service account token issuer. If an otherwise valid "+ | 
		
	
		
			
				|  |  |  |  | 			"TokenRequest with a validity duration larger than this value is requested, a token will be issued with a validity duration of this value.") | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 		fs.BoolVar(&s.ServiceAccounts.ExtendExpiration, "service-account-extend-token-expiration", s.ServiceAccounts.ExtendExpiration, ""+ | 
		
	
		
			
				|  |  |  |  | 		fs.BoolVar(&o.ServiceAccounts.ExtendExpiration, "service-account-extend-token-expiration", o.ServiceAccounts.ExtendExpiration, ""+ | 
		
	
		
			
				|  |  |  |  | 			"Turns on projected service account expiration extension during token generation, "+ | 
		
	
		
			
				|  |  |  |  | 			"which helps safe transition from legacy token to bound service account token feature. "+ | 
		
	
		
			
				|  |  |  |  | 			"If this flag is enabled, admission injected tokens would be extended up to 1 year to "+ | 
		
	
		
			
				|  |  |  |  | 			"prevent unexpected failure during transition, ignoring value of service-account-max-token-expiration.") | 
		
	
		
			
				|  |  |  |  | 	} | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 	if s.TokenFile != nil { | 
		
	
		
			
				|  |  |  |  | 		fs.StringVar(&s.TokenFile.TokenFile, "token-auth-file", s.TokenFile.TokenFile, ""+ | 
		
	
		
			
				|  |  |  |  | 	if o.TokenFile != nil { | 
		
	
		
			
				|  |  |  |  | 		fs.StringVar(&o.TokenFile.TokenFile, "token-auth-file", o.TokenFile.TokenFile, ""+ | 
		
	
		
			
				|  |  |  |  | 			"If set, the file that will be used to secure the secure port of the API server "+ | 
		
	
		
			
				|  |  |  |  | 			"via token authentication.") | 
		
	
		
			
				|  |  |  |  | 	} | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 	if s.WebHook != nil { | 
		
	
		
			
				|  |  |  |  | 		fs.StringVar(&s.WebHook.ConfigFile, "authentication-token-webhook-config-file", s.WebHook.ConfigFile, ""+ | 
		
	
		
			
				|  |  |  |  | 	if o.WebHook != nil { | 
		
	
		
			
				|  |  |  |  | 		fs.StringVar(&o.WebHook.ConfigFile, "authentication-token-webhook-config-file", o.WebHook.ConfigFile, ""+ | 
		
	
		
			
				|  |  |  |  | 			"File with webhook configuration for token authentication in kubeconfig format. "+ | 
		
	
		
			
				|  |  |  |  | 			"The API server will query the remote service to determine authentication for bearer tokens.") | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 		fs.StringVar(&s.WebHook.Version, "authentication-token-webhook-version", s.WebHook.Version, ""+ | 
		
	
		
			
				|  |  |  |  | 		fs.StringVar(&o.WebHook.Version, "authentication-token-webhook-version", o.WebHook.Version, ""+ | 
		
	
		
			
				|  |  |  |  | 			"The API version of the authentication.k8s.io TokenReview to send to and expect from the webhook.") | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 		fs.DurationVar(&s.WebHook.CacheTTL, "authentication-token-webhook-cache-ttl", s.WebHook.CacheTTL, | 
		
	
		
			
				|  |  |  |  | 		fs.DurationVar(&o.WebHook.CacheTTL, "authentication-token-webhook-cache-ttl", o.WebHook.CacheTTL, | 
		
	
		
			
				|  |  |  |  | 			"The duration to cache responses from the webhook token authenticator.") | 
		
	
		
			
				|  |  |  |  | 	} | 
		
	
		
			
				|  |  |  |  | } | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticator.Config, error) { | 
		
	
		
			
				|  |  |  |  | // ToAuthenticationConfig convert BuiltInAuthenticationOptions to kubeauthenticator.Config | 
		
	
		
			
				|  |  |  |  | func (o *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticator.Config, error) { | 
		
	
		
			
				|  |  |  |  | 	ret := kubeauthenticator.Config{ | 
		
	
		
			
				|  |  |  |  | 		TokenSuccessCacheTTL: s.TokenSuccessCacheTTL, | 
		
	
		
			
				|  |  |  |  | 		TokenFailureCacheTTL: s.TokenFailureCacheTTL, | 
		
	
		
			
				|  |  |  |  | 		TokenSuccessCacheTTL: o.TokenSuccessCacheTTL, | 
		
	
		
			
				|  |  |  |  | 		TokenFailureCacheTTL: o.TokenFailureCacheTTL, | 
		
	
		
			
				|  |  |  |  | 	} | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 	if s.Anonymous != nil { | 
		
	
		
			
				|  |  |  |  | 		ret.Anonymous = s.Anonymous.Allow | 
		
	
		
			
				|  |  |  |  | 	if o.Anonymous != nil { | 
		
	
		
			
				|  |  |  |  | 		ret.Anonymous = o.Anonymous.Allow | 
		
	
		
			
				|  |  |  |  | 	} | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 	if s.BootstrapToken != nil { | 
		
	
		
			
				|  |  |  |  | 		ret.BootstrapToken = s.BootstrapToken.Enable | 
		
	
		
			
				|  |  |  |  | 	if o.BootstrapToken != nil { | 
		
	
		
			
				|  |  |  |  | 		ret.BootstrapToken = o.BootstrapToken.Enable | 
		
	
		
			
				|  |  |  |  | 	} | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 	if s.ClientCert != nil { | 
		
	
		
			
				|  |  |  |  | 	if o.ClientCert != nil { | 
		
	
		
			
				|  |  |  |  | 		var err error | 
		
	
		
			
				|  |  |  |  | 		ret.ClientCAContentProvider, err = s.ClientCert.GetClientCAContentProvider() | 
		
	
		
			
				|  |  |  |  | 		ret.ClientCAContentProvider, err = o.ClientCert.GetClientCAContentProvider() | 
		
	
		
			
				|  |  |  |  | 		if err != nil { | 
		
	
		
			
				|  |  |  |  | 			return kubeauthenticator.Config{}, err | 
		
	
		
			
				|  |  |  |  | 		} | 
		
	
		
			
				|  |  |  |  | 	} | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 	if s.OIDC != nil { | 
		
	
		
			
				|  |  |  |  | 		ret.OIDCCAFile = s.OIDC.CAFile | 
		
	
		
			
				|  |  |  |  | 		ret.OIDCClientID = s.OIDC.ClientID | 
		
	
		
			
				|  |  |  |  | 		ret.OIDCGroupsClaim = s.OIDC.GroupsClaim | 
		
	
		
			
				|  |  |  |  | 		ret.OIDCGroupsPrefix = s.OIDC.GroupsPrefix | 
		
	
		
			
				|  |  |  |  | 		ret.OIDCIssuerURL = s.OIDC.IssuerURL | 
		
	
		
			
				|  |  |  |  | 		ret.OIDCUsernameClaim = s.OIDC.UsernameClaim | 
		
	
		
			
				|  |  |  |  | 		ret.OIDCUsernamePrefix = s.OIDC.UsernamePrefix | 
		
	
		
			
				|  |  |  |  | 		ret.OIDCSigningAlgs = s.OIDC.SigningAlgs | 
		
	
		
			
				|  |  |  |  | 		ret.OIDCRequiredClaims = s.OIDC.RequiredClaims | 
		
	
		
			
				|  |  |  |  | 	if o.OIDC != nil { | 
		
	
		
			
				|  |  |  |  | 		ret.OIDCCAFile = o.OIDC.CAFile | 
		
	
		
			
				|  |  |  |  | 		ret.OIDCClientID = o.OIDC.ClientID | 
		
	
		
			
				|  |  |  |  | 		ret.OIDCGroupsClaim = o.OIDC.GroupsClaim | 
		
	
		
			
				|  |  |  |  | 		ret.OIDCGroupsPrefix = o.OIDC.GroupsPrefix | 
		
	
		
			
				|  |  |  |  | 		ret.OIDCIssuerURL = o.OIDC.IssuerURL | 
		
	
		
			
				|  |  |  |  | 		ret.OIDCUsernameClaim = o.OIDC.UsernameClaim | 
		
	
		
			
				|  |  |  |  | 		ret.OIDCUsernamePrefix = o.OIDC.UsernamePrefix | 
		
	
		
			
				|  |  |  |  | 		ret.OIDCSigningAlgs = o.OIDC.SigningAlgs | 
		
	
		
			
				|  |  |  |  | 		ret.OIDCRequiredClaims = o.OIDC.RequiredClaims | 
		
	
		
			
				|  |  |  |  | 	} | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 	if s.RequestHeader != nil { | 
		
	
		
			
				|  |  |  |  | 	if o.RequestHeader != nil { | 
		
	
		
			
				|  |  |  |  | 		var err error | 
		
	
		
			
				|  |  |  |  | 		ret.RequestHeaderConfig, err = s.RequestHeader.ToAuthenticationRequestHeaderConfig() | 
		
	
		
			
				|  |  |  |  | 		ret.RequestHeaderConfig, err = o.RequestHeader.ToAuthenticationRequestHeaderConfig() | 
		
	
		
			
				|  |  |  |  | 		if err != nil { | 
		
	
		
			
				|  |  |  |  | 			return kubeauthenticator.Config{}, err | 
		
	
		
			
				|  |  |  |  | 		} | 
		
	
		
			
				|  |  |  |  | 	} | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 	ret.APIAudiences = s.APIAudiences | 
		
	
		
			
				|  |  |  |  | 	if s.ServiceAccounts != nil { | 
		
	
		
			
				|  |  |  |  | 		if s.ServiceAccounts.Issuer != "" && len(s.APIAudiences) == 0 { | 
		
	
		
			
				|  |  |  |  | 			ret.APIAudiences = authenticator.Audiences{s.ServiceAccounts.Issuer} | 
		
	
		
			
				|  |  |  |  | 	ret.APIAudiences = o.APIAudiences | 
		
	
		
			
				|  |  |  |  | 	if o.ServiceAccounts != nil { | 
		
	
		
			
				|  |  |  |  | 		if o.ServiceAccounts.Issuer != "" && len(o.APIAudiences) == 0 { | 
		
	
		
			
				|  |  |  |  | 			ret.APIAudiences = authenticator.Audiences{o.ServiceAccounts.Issuer} | 
		
	
		
			
				|  |  |  |  | 		} | 
		
	
		
			
				|  |  |  |  | 		ret.ServiceAccountKeyFiles = s.ServiceAccounts.KeyFiles | 
		
	
		
			
				|  |  |  |  | 		ret.ServiceAccountIssuer = s.ServiceAccounts.Issuer | 
		
	
		
			
				|  |  |  |  | 		ret.ServiceAccountLookup = s.ServiceAccounts.Lookup | 
		
	
		
			
				|  |  |  |  | 		ret.ServiceAccountKeyFiles = o.ServiceAccounts.KeyFiles | 
		
	
		
			
				|  |  |  |  | 		ret.ServiceAccountIssuer = o.ServiceAccounts.Issuer | 
		
	
		
			
				|  |  |  |  | 		ret.ServiceAccountLookup = o.ServiceAccounts.Lookup | 
		
	
		
			
				|  |  |  |  | 	} | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 	if s.TokenFile != nil { | 
		
	
		
			
				|  |  |  |  | 		ret.TokenAuthFile = s.TokenFile.TokenFile | 
		
	
		
			
				|  |  |  |  | 	if o.TokenFile != nil { | 
		
	
		
			
				|  |  |  |  | 		ret.TokenAuthFile = o.TokenFile.TokenFile | 
		
	
		
			
				|  |  |  |  | 	} | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 	if s.WebHook != nil { | 
		
	
		
			
				|  |  |  |  | 		ret.WebhookTokenAuthnConfigFile = s.WebHook.ConfigFile | 
		
	
		
			
				|  |  |  |  | 		ret.WebhookTokenAuthnVersion = s.WebHook.Version | 
		
	
		
			
				|  |  |  |  | 		ret.WebhookTokenAuthnCacheTTL = s.WebHook.CacheTTL | 
		
	
		
			
				|  |  |  |  | 	if o.WebHook != nil { | 
		
	
		
			
				|  |  |  |  | 		ret.WebhookTokenAuthnConfigFile = o.WebHook.ConfigFile | 
		
	
		
			
				|  |  |  |  | 		ret.WebhookTokenAuthnVersion = o.WebHook.Version | 
		
	
		
			
				|  |  |  |  | 		ret.WebhookTokenAuthnCacheTTL = o.WebHook.CacheTTL | 
		
	
		
			
				|  |  |  |  |  | 
		
	
		
			
				|  |  |  |  | 		if len(s.WebHook.ConfigFile) > 0 && s.WebHook.CacheTTL > 0 { | 
		
	
		
			
				|  |  |  |  | 			if s.TokenSuccessCacheTTL > 0 && s.WebHook.CacheTTL < s.TokenSuccessCacheTTL { | 
		
	
		
			
				|  |  |  |  | 				klog.Warningf("the webhook cache ttl of %s is shorter than the overall cache ttl of %s for successful token authentication attempts.", s.WebHook.CacheTTL, s.TokenSuccessCacheTTL) | 
		
	
		
			
				|  |  |  |  | 		if len(o.WebHook.ConfigFile) > 0 && o.WebHook.CacheTTL > 0 { | 
		
	
		
			
				|  |  |  |  | 			if o.TokenSuccessCacheTTL > 0 && o.WebHook.CacheTTL < o.TokenSuccessCacheTTL { | 
		
	
		
			
				|  |  |  |  | 				klog.Warningf("the webhook cache ttl of %s is shorter than the overall cache ttl of %s for successful token authentication attempts.", o.WebHook.CacheTTL, o.TokenSuccessCacheTTL) | 
		
	
		
			
				|  |  |  |  | 			} | 
		
	
		
			
				|  |  |  |  | 			if s.TokenFailureCacheTTL > 0 && s.WebHook.CacheTTL < s.TokenFailureCacheTTL { | 
		
	
		
			
				|  |  |  |  | 				klog.Warningf("the webhook cache ttl of %s is shorter than the overall cache ttl of %s for failed token authentication attempts.", s.WebHook.CacheTTL, s.TokenFailureCacheTTL) | 
		
	
		
			
				|  |  |  |  | 			if o.TokenFailureCacheTTL > 0 && o.WebHook.CacheTTL < o.TokenFailureCacheTTL { | 
		
	
		
			
				|  |  |  |  | 				klog.Warningf("the webhook cache ttl of %s is shorter than the overall cache ttl of %s for failed token authentication attempts.", o.WebHook.CacheTTL, o.TokenFailureCacheTTL) | 
		
	
		
			
				|  |  |  |  | 			} | 
		
	
		
			
				|  |  |  |  | 		} | 
		
	
		
			
				|  |  |  |  | 	} | 
		
	
	
		
			
				
					
					|  |  |  |   |