)

// DiscoveryDoc - parses the output from openid-configuration
// for example http://localhost:8080/auth/realms/minio/.well-known/openid-configuration
type DiscoveryDoc struct {
	Issuer                           string   `json:"issuer,omitempty"`
	AuthEndpoint                     string   `json:"authorization_endpoint,omitempty"`
	TokenEndpoint                    string   `json:"token_endpoint,omitempty"`

# The base path of dex and the external name of the OpenID Connect service.
# This is the canonical URL that all clients MUST use to refer to dex. If a
# path is provided, dex's HTTP service will listen at a non-root URL.
issuer: http://127.0.0.1:5556/dex

# The storage configuration determines where dex stores its state. Supported
# options include SQL flavors and Kubernetes third party resources.
#

| azp        | _string_       | The authorized party for which the token is issued to. The client identifier of the OAuth client that the token is issued for, is sent herewith.                                        |

## Prerequisites

Install Dex by following [Dex Getting Started Guide](https://dexidp.io/docs/getting-started/)

### Start Dex

```
~ ./bin/dex serve dex.yaml
time="2020-07-12T20:45:50Z" level=info msg="config issuer: http://127.0.0.1:5556/dex"
time="2020-07-12T20:45:50Z" level=info msg="config storage: sqlite3"
time="2020-07-12T20:45:50Z" level=info msg="config static client: Example App"

The following self-signed certificate is issued for `consoleAdmin`. So, MinIO would associate it with the pre-defined `consoleAdmin` policy.

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            35:ac:60:46:ad:8d:de:18:dc:0b:f6:98:14:ee:89:e8
        Signature Algorithm: ED25519
        Issuer: CN = consoleAdmin
        Validity

    val names =
      acceptedIssuers
        .map { it.subjectDN.name }
        .toSet()

    // It's safe to assume all platforms will have a major Internet certificate issuer.
    assertThat(names).matchesPredicate { strings ->
      strings.any { it.matches(Regex("[A-Z]+=Entrust.*")) }
    }
  }

  private fun startTlsServer(): InetSocketAddress {

)

func (c *OperatorDNS) addAuthHeader(r *http.Request) error {
	if c.username == "" || c.password == "" {
		return nil
	}

	claims := &jwt.StandardClaims{
		ExpiresAt: int64(15 * time.Minute),
		Issuer:    c.username,
		Subject:   config.EnvDNSWebhook,
	}

	token := jwt.NewWithClaims(jwt.SigningMethodHS512, claims)
	ss, err := token.SignedString([]byte(c.password))
	if err != nil {
		return err
	}

pkg crypto/x509, type RevocationList struct, AuthorityKeyId []uint8 #50674
pkg crypto/x509, type RevocationList struct, Extensions []pkix.Extension #50674
pkg crypto/x509, type RevocationList struct, Issuer pkix.Name #50674
pkg crypto/x509, type RevocationList struct, Raw []uint8 #50674
pkg crypto/x509, type RevocationList struct, RawIssuer []uint8 #50674
pkg crypto/x509, type RevocationList struct, RawTBSRevocationList []uint8 #50674

	claims[expClaim] = UTCNow().Add(expiry).Unix()
	claims[subClaim] = certificate.Subject.CommonName
	claims[audClaim] = certificate.Subject.Organization
	claims[issClaim] = certificate.Issuer.CommonName
	claims[parentClaim] = parentUser
	tokenRevokeType := r.Form.Get(stsRevokeTokenType)
	if tokenRevokeType != "" {
		claims[tokenRevokeTypeClaim] = tokenRevokeType
	}

## Known Issues

- Completed pods lose logs across node upgrade ([#32324](https://github.com/kubernetes/kubernetes/issues/32324))
- Pods are deleted across node upgrade ([#32323](https://github.com/kubernetes/kubernetes/issues/32323))
- Secure master -> node communication ([#11816](https://github.com/kubernetes/kubernetes/issues/11816))