package
1.33.0-alpha.2
Repository: https://github.com/kubernetes/kubernetes.git
Documentation: pkg.go.dev
# Functions
GenerateToken is shared between internal and external signer code to ensure that claim merging logic remains consistent between them.
JWTTokenAuthenticator authenticates tokens as JWT tokens produced by JWTTokenGenerator. Token signatures are verified using each of the given public keys until one works (allowing key rotation). If lookup is true, the service account and secret referenced as claims inside the token are retrieved and verified with the provided ServiceAccountTokenGetter.
JWTTokenGenerator returns a TokenGenerator that generates signed JWT tokens, using the given privateKey.
NewOpenIDMetadataProvider returns a provider for the OIDC discovery endpoints, or an error if they could not be constructed.
StaticPublicKeysGetter constructs an implementation of PublicKeysGetter which returns all public keys when key id is unspecified, and returns the public keys matching the keyIDFromPublicKey-derived key id when a key id is specified.
# Constants
Extended expiration for those modified tokens involved in the safe rollout of the time-bound feature.
JWKSPath is the URL path at which the API server serves a JWKS containing the public keys that may be used to sign Kubernetes Service Account keys.
OpenIDConfigPath is the URL path at which the API server serves an OIDC Provider Configuration Information document, corresponding to the Kubernetes Service Account key issuer.
Injected bound service account token expiration which triggers monitoring of its time-bound feature.
# Interfaces
Listener is an interface to use to notify interested parties of a change.
OpenIDMetadataProvider returns pre-rendered responses for OIDC discovery endpoints.
PublicKeysGetter returns public keys for a given key id.
ServiceAccountTokenGetter defines functions to retrieve a named service account and secret.
Validator is called by the JWT token authenticator to apply domain specific validation to a token and extract user information.