Nest claim configs one level deeper in JWTAuthenticatorSpec

Signed-off-by: Margo Crawford <[email protected]>

apis/concierge/authentication/v1alpha1/types_jwt.go.tmpl

@@ -27,19 +27,28 @@ type JWTAuthenticatorSpec struct {
 	// +kubebuilder:validation:MinLength=1
 	Audience string `json:"audience"`
 
-    // UsernameClaim is the name of the claim which should be read to extract the
-    // username from the JWT token. When not specified, it will default to "username".
+    // Claims allows customization of the claims that will be mapped to user identity
+    // for Kubernetes access.
 	// +optional
-    UsernameClaim string `json:"username_claim"`
+	Claims JWTTokenClaims `json:"claims"`
 
-    // GroupsClaim is the name of the claim which should be read to extract the user's
+	// TLS configuration for communicating with the OIDC provider.
+	// +optional
+	TLS *TLSSpec `json:"tls,omitempty"`
+}
+
+// JWTTokenClaims allows customization of the claims that will be mapped to user identity
+// for Kubernetes access.
+type JWTTokenClaims struct {
+	// Groups is the name of the claim which should be read to extract the user's
     // group membership from the JWT token. When not specified, it will default to "groups".
 	// +optional
-    GroupsClaim string `json:"groups_claim"`
+	Groups string `json:"groups"`
 
-	// TLS configuration for communicating with the OIDC provider.
+	// Username is the name of the claim which should be read to extract the
+    // username from the JWT token. When not specified, it will default to "username".
 	// +optional
-	TLS *TLSSpec `json:"tls,omitempty"`
+	Username string `json:"username"`
 }
 
 // JWTAuthenticator describes the configuration of a JWT authenticator.

deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml

@@ -51,11 +51,21 @@ spec:
                 description: Audience is the required value of the "aud" JWT claim.
                 minLength: 1
                 type: string
-              groups_claim:
-                description: GroupsClaim is the name of the claim which should be
-                  read to extract the user's group membership from the JWT token.
-                  When not specified, it will default to "groups".
-                type: string
+              claims:
+                description: Claims allows customization of the claims that will be
+                  mapped to user identity for Kubernetes access.
+                properties:
+                  groups:
+                    description: Groups is the name of the claim which should be read
+                      to extract the user's group membership from the JWT token. When
+                      not specified, it will default to "groups".
+                    type: string
+                  username:
+                    description: Username is the name of the claim which should be
+                      read to extract the username from the JWT token. When not specified,
+                      it will default to "username".
+                    type: string
+                type: object
               issuer:
                 description: Issuer is the OIDC issuer URL that will be used to discover
                   public signing keys. Issuer is also used to validate the "iss" JWT
@@ -71,11 +81,6 @@ spec:
                       If omitted, a default set of system roots will be trusted.
                     type: string
                 type: object
-              username_claim:
-                description: UsernameClaim is the name of the claim which should be
-                  read to extract the username from the JWT token. When not specified,
-                  it will default to "username".
-                type: string
             required:
             - audience
             - issuer