@@ -374,6 +374,12 @@ If you want to switch to using structured authentication configuration, you have
374374command line arguments, and use the configuration file instead.
375375{{< /note >}}
376376
377+ {{< feature-state feature_gate_name="StructuredAuthenticationConfigurationEgressSelector" >}}
378+
379+ The _egressSelectorType_ field in the JWT issuer configuration allows you to specify which egress selector
380+ should be used for sending all traffic related to the issuer (discovery, JWKS, distributed claims, etc).
381+ This feature requires the `StructuredAuthenticationConfigurationEgressSelector` feature gate to be enabled.
382+
377383` ` ` yaml
378384---
379385#
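Review bot: the new paragraph on the `_egressSelectorType_` field (the three added lines before the yaml fence) tells the reader the field selects an egress selector but not what the allowed values are or where they come from; the reader only learns "controlplane" / "cluster" and the tie to `--egress-selector-config-file` from the yaml comment further down. Add one sentence here naming both values and stating that they must match entries in the API server's egress selector configuration, so a reader who skips the example still understands that setting `cluster` routes the API server's discovery, JWKS and distributed-claims fetches to the issuer over the cluster egress path rather than the control plane's own network. Also, since the paragraph already says the feature requires the `StructuredAuthenticationConfigurationEgressSelector` gate, the feature-state shortcode above it should agree on stage (alpha/beta) with that wording; the shortcode alone does not say whether the gate is on by default. Minor: "etc)" should be "etc.)".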
@@ -411,6 +417,13 @@ jwt:
411417 - my-other-app
412418 # this is required to be set to "MatchAny" when multiple audiences are specified.
413419 audienceMatchPolicy: MatchAny
420+ # egressSelectorType is an indicator of which egress selection should be used for sending all traffic related
421+ # to this issuer (discovery, JWKS, distributed claims, etc). If unspecified, no custom dialer is used.
422+ # When specified, the valid choices are "controlplane" and "cluster". These correspond to the associated
423+ # values in the --egress-selector-config-file.
424+ # - controlplane: for traffic intended to go to the control plane.
425+ # - cluster: for traffic intended to go to the system being managed by Kubernetes.
426+ egressSelectorType: <egress-selector-type>
414427 # rules applied to validate token claims to authenticate users.
415428 claimValidationRules:
416429 # Same as --oidc-required-claim key=value.
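Review bot: the yaml comment for `egressSelectorType` (the seven added comment lines) describes the two valid values and the fallback "If unspecified, no custom dialer is used", but it does not say what happens when the field names a selector that is not present in the `--egress-selector-config-file`, or when that flag is not set at all. State whether this is rejected at configuration load time or silently falls back to a direct dial, because the difference decides whether a misconfigured issuer quietly fetches JWKS over the wrong network path. The placeholder `egressSelectorType: <egress-selector-type>` is also the only placeholder in this example block that has no accompanying "Same as --oidc-..." note, so consider adding "# Optional." in front of it to match how the rest of the example marks fields that may be omitted.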
696709# ##### Limitations
697710
6987111. Distributed claims do not work via [CEL](/docs/reference/using-api/cel/) expressions.
699- 1. Egress selector configuration is not supported for calls to `issuer.url` and `issuer.discoveryURL`.
700712
701713Kubernetes does not provide an OpenID Connect Identity Provider.
702714You can use an existing public OpenID Connect Identity Provider or run your own Identity Provider
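Review bot: removing the limitation "Egress selector configuration is not supported for calls to `issuer.url` and `issuer.discoveryURL`" outright is too strong given that the first hunk says egress selector support requires the `StructuredAuthenticationConfigurationEgressSelector` feature gate. With the gate disabled the limitation still holds, so rather than deleting the item, reword it to say that egress selector configuration for these calls is only honoured when the gate is enabled and `egressSelectorType` is set; otherwise a reader of the Limitations section on a cluster without the gate will be misled.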