openshift
diff --git a/‎config/v1/tests/authentications.config.openshift.io/ExternalOIDC.yaml
Lines changed: 470 additions & 0 deletions b/‎config/v1/tests/authentications.config.openshift.io/ExternalOIDC.yaml
Lines changed: 470 additions & 0 deletions
diff --git a/‎config/v1/types_authentication.go
Lines changed: 10 additions & 2 deletions b/‎config/v1/types_authentication.go
Lines changed: 10 additions & 2 deletions
diff --git a/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml
Lines changed: 15 additions & 2 deletions b/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-CustomNoUpgrade.crd.yaml
Lines changed: 15 additions & 2 deletions
diff --git a/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml
Lines changed: 15 additions & 2 deletions b/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-Default.crd.yaml
Lines changed: 15 additions & 2 deletions
diff --git a/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml
Lines changed: 15 additions & 2 deletions b/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-DevPreviewNoUpgrade.crd.yaml
Lines changed: 15 additions & 2 deletions
diff --git a/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml
Lines changed: 15 additions & 2 deletions b/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Hypershift-TechPreviewNoUpgrade.crd.yaml
Lines changed: 15 additions & 2 deletions
diff --git a/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml
Lines changed: 15 additions & 2 deletions b/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-CustomNoUpgrade.crd.yaml
Lines changed: 15 additions & 2 deletions
diff --git a/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml
Lines changed: 15 additions & 2 deletions b/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-DevPreviewNoUpgrade.crd.yaml
Lines changed: 15 additions & 2 deletions
diff --git a/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml
Lines changed: 15 additions & 2 deletions b/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-SelfManagedHA-TechPreviewNoUpgrade.crd.yaml
Lines changed: 15 additions & 2 deletions
diff --git a/‎config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml
Lines changed: 15 additions & 2 deletions b/‎config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDC.yaml
Lines changed: 15 additions & 2 deletions
@@ -91,6 +91,7 @@ type AuthenticationSpec struct {
 	// +kubebuilder:validation:MaxItems=1
 	// +openshift:enable:FeatureGate=ExternalOIDC
 	// +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings
+	// +optional
 	OIDCProviders []OIDCProvider `json:"oidcProviders,omitempty"`
 }
 
@@ -253,9 +254,16 @@ type TokenIssuer struct {
 	// The Kubernetes API server determines how authentication tokens should be handled
 	// by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.
 	//
-	// issuerURL must use the 'https' scheme.
+	// Must be at least 1 character and must not exceed 512 characters in length.
+	// Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.
 	//
-	// +kubebuilder:validation:Pattern=`^https:\/\/[^\s]`
+	// +kubebuilder:validation:XValidation:rule="isURL(self)",message="must be a valid URL"
+	// +kubebuilder:validation:XValidation:rule="isURL(self) && url(self).getScheme() == 'https'",message="must use the 'https' scheme"
+	// +kubebuilder:validation:XValidation:rule="isURL(self) && url(self).getQuery() == {}",message="must not have a query"
+	// +kubebuilder:validation:XValidation:rule="self.find('#(.+)$') == ''",message="must not have a fragment"
+	// +kubebuilder:validation:XValidation:rule="self.find('@') == ''",message="must not have user info"
+	// +kubebuilder:validation:MaxLength=512
+	// +kubebuilder:validation:MinLength=1
 	// +required
 	URL string `json:"issuerURL"`
 
 
@@ -441,9 +441,22 @@ spec:
                             The Kubernetes API server determines how authentication tokens should be handled
                             by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.
 
-                            issuerURL must use the 'https' scheme.
-                          pattern: ^https:\/\/[^\s]
+                            Must be at least 1 character and must not exceed 512 characters in length.
+                            Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.
+                          maxLength: 512
+                          minLength: 1
                           type: string
+                          x-kubernetes-validations:
+                          - message: must be a valid URL
+                            rule: isURL(self)
+                          - message: must use the 'https' scheme
+                            rule: isURL(self) && url(self).getScheme() == 'https'
+                          - message: must not have a query
+                            rule: isURL(self) && url(self).getQuery() == {}
+                          - message: must not have a fragment
+                            rule: self.find('#(.+)$') == ''
+                          - message: must not have user info
+                            rule: self.find('@') == ''
                       required:
                       - audiences
                       - issuerURL
 
@@ -290,9 +290,22 @@ spec:
                             The Kubernetes API server determines how authentication tokens should be handled
                             by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.
 
-                            issuerURL must use the 'https' scheme.
-                          pattern: ^https:\/\/[^\s]
+                            Must be at least 1 character and must not exceed 512 characters in length.
+                            Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.
+                          maxLength: 512
+                          minLength: 1
                           type: string
+                          x-kubernetes-validations:
+                          - message: must be a valid URL
+                            rule: isURL(self)
+                          - message: must use the 'https' scheme
+                            rule: isURL(self) && url(self).getScheme() == 'https'
+                          - message: must not have a query
+                            rule: isURL(self) && url(self).getQuery() == {}
+                          - message: must not have a fragment
+                            rule: self.find('#(.+)$') == ''
+                          - message: must not have user info
+                            rule: self.find('@') == ''
                       required:
                       - audiences
                       - issuerURL
 
@@ -441,9 +441,22 @@ spec:
                             The Kubernetes API server determines how authentication tokens should be handled
                             by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.
 
-                            issuerURL must use the 'https' scheme.
-                          pattern: ^https:\/\/[^\s]
+                            Must be at least 1 character and must not exceed 512 characters in length.
+                            Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.
+                          maxLength: 512
+                          minLength: 1
                           type: string
+                          x-kubernetes-validations:
+                          - message: must be a valid URL
+                            rule: isURL(self)
+                          - message: must use the 'https' scheme
+                            rule: isURL(self) && url(self).getScheme() == 'https'
+                          - message: must not have a query
+                            rule: isURL(self) && url(self).getQuery() == {}
+                          - message: must not have a fragment
+                            rule: self.find('#(.+)$') == ''
+                          - message: must not have user info
+                            rule: self.find('@') == ''
                       required:
                       - audiences
                       - issuerURL
 
@@ -441,9 +441,22 @@ spec:
                             The Kubernetes API server determines how authentication tokens should be handled
                             by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.
 
-                            issuerURL must use the 'https' scheme.
-                          pattern: ^https:\/\/[^\s]
+                            Must be at least 1 character and must not exceed 512 characters in length.
+                            Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.
+                          maxLength: 512
+                          minLength: 1
                           type: string
+                          x-kubernetes-validations:
+                          - message: must be a valid URL
+                            rule: isURL(self)
+                          - message: must use the 'https' scheme
+                            rule: isURL(self) && url(self).getScheme() == 'https'
+                          - message: must not have a query
+                            rule: isURL(self) && url(self).getQuery() == {}
+                          - message: must not have a fragment
+                            rule: self.find('#(.+)$') == ''
+                          - message: must not have user info
+                            rule: self.find('@') == ''
                       required:
                       - audiences
                       - issuerURL
 
@@ -441,9 +441,22 @@ spec:
                             The Kubernetes API server determines how authentication tokens should be handled
                             by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.
 
-                            issuerURL must use the 'https' scheme.
-                          pattern: ^https:\/\/[^\s]
+                            Must be at least 1 character and must not exceed 512 characters in length.
+                            Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.
+                          maxLength: 512
+                          minLength: 1
                           type: string
+                          x-kubernetes-validations:
+                          - message: must be a valid URL
+                            rule: isURL(self)
+                          - message: must use the 'https' scheme
+                            rule: isURL(self) && url(self).getScheme() == 'https'
+                          - message: must not have a query
+                            rule: isURL(self) && url(self).getQuery() == {}
+                          - message: must not have a fragment
+                            rule: self.find('#(.+)$') == ''
+                          - message: must not have user info
+                            rule: self.find('@') == ''
                       required:
                       - audiences
                       - issuerURL
 
@@ -441,9 +441,22 @@ spec:
                             The Kubernetes API server determines how authentication tokens should be handled
                             by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.
 
-                            issuerURL must use the 'https' scheme.
-                          pattern: ^https:\/\/[^\s]
+                            Must be at least 1 character and must not exceed 512 characters in length.
+                            Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.
+                          maxLength: 512
+                          minLength: 1
                           type: string
+                          x-kubernetes-validations:
+                          - message: must be a valid URL
+                            rule: isURL(self)
+                          - message: must use the 'https' scheme
+                            rule: isURL(self) && url(self).getScheme() == 'https'
+                          - message: must not have a query
+                            rule: isURL(self) && url(self).getQuery() == {}
+                          - message: must not have a fragment
+                            rule: self.find('#(.+)$') == ''
+                          - message: must not have user info
+                            rule: self.find('@') == ''
                       required:
                       - audiences
                       - issuerURL
 
@@ -441,9 +441,22 @@ spec:
                             The Kubernetes API server determines how authentication tokens should be handled
                             by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.
 
-                            issuerURL must use the 'https' scheme.
-                          pattern: ^https:\/\/[^\s]
+                            Must be at least 1 character and must not exceed 512 characters in length.
+                            Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.
+                          maxLength: 512
+                          minLength: 1
                           type: string
+                          x-kubernetes-validations:
+                          - message: must be a valid URL
+                            rule: isURL(self)
+                          - message: must use the 'https' scheme
+                            rule: isURL(self) && url(self).getScheme() == 'https'
+                          - message: must not have a query
+                            rule: isURL(self) && url(self).getQuery() == {}
+                          - message: must not have a fragment
+                            rule: self.find('#(.+)$') == ''
+                          - message: must not have user info
+                            rule: self.find('@') == ''
                       required:
                       - audiences
                       - issuerURL
 
@@ -291,9 +291,22 @@ spec:
                             The Kubernetes API server determines how authentication tokens should be handled
                             by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.
 
-                            issuerURL must use the 'https' scheme.
-                          pattern: ^https:\/\/[^\s]
+                            Must be at least 1 character and must not exceed 512 characters in length.
+                            Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.
+                          maxLength: 512
+                          minLength: 1
                           type: string
+                          x-kubernetes-validations:
+                          - message: must be a valid URL
+                            rule: isURL(self)
+                          - message: must use the 'https' scheme
+                            rule: isURL(self) && url(self).getScheme() == 'https'
+                          - message: must not have a query
+                            rule: isURL(self) && url(self).getQuery() == {}
+                          - message: must not have a fragment
+                            rule: self.find('#(.+)$') == ''
+                          - message: must not have user info
+                            rule: self.find('@') == ''
                       required:
                       - audiences
                       - issuerURL