Merge branch 'master' into bugfix/fix_secret_discovery

Author: ajanikow

.golangci.yaml

@@ -87,6 +87,8 @@ linters-settings:
         pkg: github.com/arangodb/kube-arangodb/integrations/storage/v2/shared/s3
       - alias: pbStorageV2
         pkg: github.com/arangodb/kube-arangodb/integrations/storage/v2/definition
+      - alias: api
+        pkg: github.com/arangodb/kube-arangodb/pkg/apis/deployment/v1
       - alias: analyticsApi
         pkg: github.com/arangodb/kube-arangodb/pkg/apis/analytics/v1alpha1
       - alias: mlApiv1alpha1
@@ -97,6 +99,8 @@ linters-settings:
         pkg: github.com/arangodb/kube-arangodb/pkg/apis/networking/v1alpha1
       - alias: platformApi
         pkg: github.com/arangodb/kube-arangodb/pkg/apis/platform/v1alpha1
+      - alias: platformAuthenticationApi
+        pkg: github.com/arangodb/kube-arangodb/pkg/apis/platform/v1alpha1/authentication
       - alias: schedulerApiv1alpha1
         pkg: github.com/arangodb/kube-arangodb/pkg/apis/scheduler/v1alpha1
       - alias: schedulerContainerApiv1alpha1

CHANGELOG.md

@@ -7,6 +7,14 @@
 - (Feature) Ensure Group Service Type
 - (Maintenance) Fix Helm & JWT CVE's
 - (Feature) (Platform) Improve CLI Values
+- (Feature) (Platform) Envoy Cache Introduction
+- (Feature) (Platform) OpenID Integration - API Extension
+- (Feature) Windows Platform CLI
+- (Feature) (Platform) Auth User Creation
+- (Maintenance) Add Common Api Import
+- (Feature) Previous Pod Logs in DebugPackage
+- (Feature) (Platform) Login & Logout Endpoints
+- (Feature) (Platform) OpenID Integration
 - (Bugfix) Align JWT Discovery
 
 ## [1.2.48](https://github.com/arangodb/kube-arangodb/tree/1.2.48) (2025-05-08)

Makefile

@@ -248,39 +248,78 @@ BIN_PLATFORM_NAME := $(PROJECT)_platform
 BIN_PLATFORM := $(BINDIR)/$(BIN_PLATFORM_NAME)
 
 define binary
+$(eval $(call binary_operator,$1,$2,$3))
+$(eval $(call binary_ops,$1,$2,$3))
+$(eval $(call binary_int,$1,$2,$3))
+$(eval $(call binary_platform,$1,$2,$3))
+endef
+
+define binary_operator
 $(eval _OS:=$(call UPPER_ENV,$1))
 $(eval _ARCH:=$(call UPPER_ENV,$2))
-VBIN_$(_OS)_$(_ARCH) := $(BINDIR)/$(RELEASE_MODE)/$1/$2/$(BINNAME)
-VBIN_OPS_$(_OS)_$(_ARCH) := $(BINDIR)/$(RELEASE_MODE)/$1/$2/$(BIN_OPS_NAME)
-VBIN_INT_$(_OS)_$(_ARCH) := $(BINDIR)/$(RELEASE_MODE)/$1/$2/$(BIN_INT_NAME)
-VBIN_PLATFORM_$(_OS)_$(_ARCH) := $(BINDIR)/$(RELEASE_MODE)/$1/$2/$(BIN_PLATFORM_NAME)
 
-$$(VBIN_$(_OS)_$(_ARCH)): $$(SOURCES) dashboard/assets.go VERSION
+VBIN_OPERATOR_$(_OS)_$(_ARCH) := $(BINDIR)/$(RELEASE_MODE)/$1/$2/$(BINNAME)$3
+
+.PHONY: $$(VBIN_OPERATOR_$(_OS)_$(_ARCH))
+
+$$(VBIN_OPERATOR_$(_OS)_$(_ARCH)): $$(SOURCES) dashboard/assets.go VERSION
 	@mkdir -p $(BINDIR)/$(RELEASE_MODE)/$1/$2
 	CGO_ENABLED=0 GOOS=$1 GOARCH=$2 go build $${GOBUILDARGS} --tags "$$(GOBUILDTAGS)" $$(COMPILE_DEBUG_FLAGS) -installsuffix netgo -gcflags=all="$$(GOBUILDGCFLAGS)" -ldflags "$$(GOBUILDLDFLAGS)" -o $$@ ./cmd/main
 
-$$(VBIN_OPS_$(_OS)_$(_ARCH)): $$(SOURCES) dashboard/assets.go VERSION
-	@mkdir -p $(BINDIR)/$(RELEASE_MODE)/$1/$2
-	CGO_ENABLED=0 GOOS=$1 GOARCH=$2 go build $${GOBUILDARGS} --tags "$$(GOBUILDTAGS)" $$(COMPILE_DEBUG_FLAGS) -installsuffix netgo -gcflags=all="$$(GOBUILDGCFLAGS)" -ldflags "$$(GOBUILDLDFLAGS)" -o $$@ ./cmd/main-ops
+bin-all: $$(VBIN_OPERATOR_$(_OS)_$(_ARCH))
+endef
+
+define binary_int
+$(eval _OS:=$(call UPPER_ENV,$1))
+$(eval _ARCH:=$(call UPPER_ENV,$2))
+
+VBIN_INT_$(_OS)_$(_ARCH) := $(BINDIR)/$(RELEASE_MODE)/$1/$2/$(BIN_INT_NAME)$3
+
+.PHONY: $$(VBIN_INT_$(_OS)_$(_ARCH))
 
 $$(VBIN_INT_$(_OS)_$(_ARCH)): $$(SOURCES) dashboard/assets.go VERSION
 	@mkdir -p $(BINDIR)/$(RELEASE_MODE)/$1/$2
 	CGO_ENABLED=0 GOOS=$1 GOARCH=$2 go build $${GOBUILDARGS} --tags "$$(GOBUILDTAGS)" $$(COMPILE_DEBUG_FLAGS) -installsuffix netgo -gcflags=all="$$(GOBUILDGCFLAGS)" -ldflags "$$(GOBUILDLDFLAGS)" -o $$@ ./cmd/main-int
 
+bin-all: $$(VBIN_INT_$(_OS)_$(_ARCH))
+endef
+
+define binary_ops
+$(eval _OS:=$(call UPPER_ENV,$1))
+$(eval _ARCH:=$(call UPPER_ENV,$2))
+
+VBIN_OPS_$(_OS)_$(_ARCH) := $(BINDIR)/$(RELEASE_MODE)/$1/$2/$(BIN_OPS_NAME)$3
+
+.PHONY: $$(VBIN_OPS_$(_OS)_$(_ARCH))
+
+$$(VBIN_OPS_$(_OS)_$(_ARCH)): $$(SOURCES) dashboard/assets.go VERSION
+	@mkdir -p $(BINDIR)/$(RELEASE_MODE)/$1/$2
+	CGO_ENABLED=0 GOOS=$1 GOARCH=$2 go build $${GOBUILDARGS} --tags "$$(GOBUILDTAGS)" $$(COMPILE_DEBUG_FLAGS) -installsuffix netgo -gcflags=all="$$(GOBUILDGCFLAGS)" -ldflags "$$(GOBUILDLDFLAGS)" -o $$@ ./cmd/main-ops
+
+bin-all: $$(VBIN_OPS_$(_OS)_$(_ARCH))
+endef
+
+define binary_platform
+$(eval _OS:=$(call UPPER_ENV,$1))
+$(eval _ARCH:=$(call UPPER_ENV,$2))
+
+VBIN_PLATFORM_$(_OS)_$(_ARCH) := $(BINDIR)/$(RELEASE_MODE)/$1/$2/$(BIN_PLATFORM_NAME)$3
+
 .PHONY: $$(VBIN_PLATFORM_$(_OS)_$(_ARCH))
 
 $$(VBIN_PLATFORM_$(_OS)_$(_ARCH)): $$(SOURCES) dashboard/assets.go VERSION
 	@mkdir -p $(BINDIR)/$(RELEASE_MODE)/$1/$2
 	CGO_ENABLED=0 GOOS=$1 GOARCH=$2 go build $${GOBUILDARGS} --tags "$$(GOBUILDTAGS)" $$(COMPILE_DEBUG_FLAGS) -installsuffix netgo -gcflags=all="$$(GOBUILDGCFLAGS)" -ldflags "$$(GOBUILDLDFLAGS)" -o $$@ ./cmd/main-platform
 
-bin-all: $$(VBIN_$(_OS)_$(_ARCH)) $$(VBIN_OPS_$(_OS)_$(_ARCH)) $$(VBIN_INT_$(_OS)_$(_ARCH)) $$(VBIN_PLATFORM_$(_OS)_$(_ARCH))
-
+bin-all: $$(VBIN_PLATFORM_$(_OS)_$(_ARCH))
 endef
 
 $(eval $(call binary,linux,amd64))
 $(eval $(call binary,linux,arm64))
 $(eval $(call binary,darwin,amd64))
 $(eval $(call binary,darwin,arm64))
+$(eval $(call binary_platform,windows,amd64,.exe))
+$(eval $(call binary_platform,windows,arm64,.exe))
 
 ifdef VERBOSE
 	TESTVERBOSEOPTIONS := -v
@@ -405,7 +444,7 @@ endif
 
 .PHONY: clean
 clean:
-	rm -Rf $(BIN) $(BINDIR) $(DASHBOARDDIR)/build $(DASHBOARDDIR)/node_modules $(VBIN_LINUX_AMD64) $(VBIN_LINUX_ARM64) $(VBIN_OPS_LINUX_AMD64) $(VBIN_OPS_LINUX_ARM64) $(VBIN_OPS_DARWIN_AMD64) $(VBIN_OPS_DARWIN_ARM64) $(VBIN_OPS_WIN_AMD64)
+	rm -Rf $(BIN) $(BINDIR) $(DASHBOARDDIR)/build $(DASHBOARDDIR)/node_modules $(VBIN_OPERATOR_LINUX_AMD64) $(VBIN_OPERATOR_LINUX_ARM64) $(VBIN_OPS_LINUX_AMD64) $(VBIN_OPS_LINUX_ARM64) $(VBIN_OPS_DARWIN_AMD64) $(VBIN_OPS_DARWIN_ARM64) $(VBIN_OPS_WIN_AMD64)
 
 .PHONY: check-vars
 check-vars:
@@ -474,12 +513,12 @@ dashboard/assets.go:
 .PHONY: bin
 bin: $(BIN)
 
-$(BIN): $(VBIN_LINUX_AMD64) $(VBIN_OPS_LINUX_AMD64) $(VBIN_INT_LINUX_AMD64) $(VBIN_PLATFORM_LINUX_AMD64)
-	@cp "$(VBIN_LINUX_AMD64)" "$(BIN)"
+$(BIN): $(VBIN_OPERATOR_LINUX_AMD64) $(VBIN_OPS_LINUX_AMD64) $(VBIN_INT_LINUX_AMD64) $(VBIN_PLATFORM_LINUX_AMD64)
+	@cp "$(VBIN_OPERATOR_LINUX_AMD64)" "$(BIN)"
 	@cp "$(VBIN_OPS_LINUX_AMD64)" "$(BIN_OPS)"
 
 .PHONY: docker
-docker: clean check-vars $(VBIN_LINUX_AMD64) $(VBIN_LINUX_ARM64)
+docker: clean check-vars $(VBIN_OPERATOR_LINUX_AMD64) $(VBIN_OPERATOR_LINUX_ARM64)
 ifdef PUSHIMAGES
 	docker buildx build --no-cache -f $(DOCKERFILE) --build-arg "ENVOY_IMAGE=$(ENVOY_IMAGE)" --build-arg GOVERSION=$(GOVERSION) --build-arg DISTRIBUTION=$(DISTRIBUTION) \
 		--build-arg "VERSION=${VERSION_MAJOR_MINOR_PATCH}" --build-arg "RELEASE_MODE=$(RELEASE_MODE)" --build-arg "BUILD_SKIP_UPDATE=${BUILD_SKIP_UPDATE}" \
@@ -491,7 +530,7 @@ else
 endif
 
 .PHONY: docker-ubi
-docker-ubi: check-vars $(VBIN_LINUX_AMD64)
+docker-ubi: check-vars $(VBIN_OPERATOR_LINUX_AMD64)
 ifdef PUSHIMAGES
 	docker buildx build --no-cache -f "$(DOCKERFILE).ubi" --build-arg "ENVOY_IMAGE=$(ENVOY_IMAGE)" --build-arg GOVERSION=$(GOVERSION) --build-arg DISTRIBUTION=$(DISTRIBUTION) \
 		--build-arg "VERSION=${VERSION_MAJOR_MINOR_PATCH}" --build-arg "RELEASE_MODE=$(RELEASE_MODE)" \

README.md

@@ -201,7 +201,7 @@ Flags:
       --kubernetes.max-batch-size int                          Size of batch during objects read (default 256)
       --kubernetes.qps float32                                 Number of queries per second for k8s API (default 32)
       --log.format string                                      Set log format. Allowed values: 'pretty', 'JSON'. If empty, default format is used (default "pretty")
-      --log.level stringArray                                  Set log levels in format <level> or <logger>=<level>. Possible loggers: action, agency, api-server, assertion, backup-operator, chaos-monkey, crd, deployment, deployment-ci, deployment-reconcile, deployment-replication, deployment-resilience, deployment-resources, deployment-storage, deployment-storage-pc, deployment-storage-service, generic-parent-operator, helm, http, inspector, integration-authn-v1, integration-config-v1, integration-envoy-auth-v3, integration-envoy-auth-v3-impl-auth-bearer, integration-envoy-auth-v3-impl-auth-cookie, integration-envoy-auth-v3-impl-pass-mode, integration-scheduler-v2, integration-storage-v1-s3, integration-storage-v2, integrations, k8s-client, kubernetes, kubernetes-access, kubernetes-client, kubernetes-informer, monitor, networking-route-operator, operator, operator-arangojob-handler, operator-v2, operator-v2-event, operator-v2-worker, panics, platform-chart-operator, platform-pod-shutdown, platform-storage-operator, pod_compare, root, root-event-recorder, scheduler-batchjob-operator, scheduler-cronjob-operator, scheduler-deployment-operator, scheduler-pod-operator, scheduler-profile-operator, server, server-authentication, webhook (default [info])
+      --log.level stringArray                                  Set log levels in format <level> or <logger>=<level>. Possible loggers: action, agency, api-server, assertion, backup-operator, chaos-monkey, crd, deployment, deployment-ci, deployment-reconcile, deployment-replication, deployment-resilience, deployment-resources, deployment-storage, deployment-storage-pc, deployment-storage-service, generic-parent-operator, helm, http, inspector, integration-authn-v1, integration-config-v1, integration-envoy-auth-v3, integration-envoy-auth-v3-impl-auth-bearer, integration-envoy-auth-v3-impl-auth-cookie, integration-envoy-auth-v3-impl-custom-openid, integration-envoy-auth-v3-impl-pass-mode, integration-scheduler-v2, integration-storage-v1-s3, integration-storage-v2, integrations, k8s-client, kubernetes, kubernetes-access, kubernetes-client, kubernetes-informer, monitor, networking-route-operator, operator, operator-arangojob-handler, operator-v2, operator-v2-event, operator-v2-worker, panics, platform-chart-operator, platform-pod-shutdown, platform-storage-operator, pod_compare, root, root-event-recorder, scheduler-batchjob-operator, scheduler-cronjob-operator, scheduler-deployment-operator, scheduler-pod-operator, scheduler-profile-operator, server, server-authentication, webhook (default [info])
       --log.sampling                                           If true, operator will try to minimize duplication of logging events (default true)
       --log.stdout                                             If true, operator will log to the stdout (default true)
       --memory-limit uint                                      Define memory limit for hard shutdown and the dump of goroutines. Used for testing

cmd/lifecycle_wait.go

@@ -1,7 +1,7 @@
 //
 // DISCLAIMER
 //
-// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany
+// Copyright 2016-2025 ArangoDB GmbH, Cologne, Germany
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -28,7 +28,7 @@ import (
 
 	"github.com/spf13/cobra"
 
-	v1 "github.com/arangodb/kube-arangodb/pkg/apis/deployment/v1"
+	api "github.com/arangodb/kube-arangodb/pkg/apis/deployment/v1"
 	"github.com/arangodb/kube-arangodb/pkg/util"
 	"github.com/arangodb/kube-arangodb/pkg/util/constants"
 )
@@ -82,7 +82,7 @@ func cmdLifecycleWaitCheck(cmd *cobra.Command, _ []string) {
 		}
 
 		if isUpToDate {
-			logger.Info(fmt.Sprintf("ArangoDeployment: %s is %s", d.Name, v1.ConditionTypeUpToDate))
+			logger.Info(fmt.Sprintf("ArangoDeployment: %s is %s", d.Name, api.ConditionTypeUpToDate))
 			return
 		}
 
@@ -93,7 +93,7 @@ func cmdLifecycleWaitCheck(cmd *cobra.Command, _ []string) {
 			logger.Info("ArangoDeployment: %s is not ready yet. Waiting...", d.Name)
 			continue
 		case <-time.After(watchTimeout):
-			logger.Error("ArangoDeployment: %s is not %s yet - operation timed out!", d.Name, v1.ConditionTypeUpToDate)
+			logger.Error("ArangoDeployment: %s is not %s yet - operation timed out!", d.Name, api.ConditionTypeUpToDate)
 			return
 		}
 	}

docs/api/ArangoDeployment.V1.md

@@ -3137,6 +3137,49 @@ Type: `boolean` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.
 
 ***
 
+### .spec.gateway.authentication.secret.checksum
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/shared/v1/object.go#L61)</sup>
+
+UID keeps the information about object Checksum
+
+***
+
+### .spec.gateway.authentication.secret.name
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/shared/v1/object.go#L52)</sup>
+
+Name of the object
+
+***
+
+### .spec.gateway.authentication.secret.namespace
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/shared/v1/object.go#L55)</sup>
+
+Namespace of the object. Should default to the namespace of the parent object
+
+***
+
+### .spec.gateway.authentication.secret.uid
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/shared/v1/object.go#L58)</sup>
+
+UID keeps the information about object UID
+
+***
+
+### .spec.gateway.authentication.type
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/deployment/v1/deployment_spec_gateway_authentication.go#L51)</sup>
+
+Type defines the Authentication Type
+
+Possible Values: 
+* `"OpenID"` (default) - Configure OpenID Authentication Type
+
+***
+
 ### .spec.gateway.cookiesSupport
 
 Type: `boolean` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/deployment/v1/deployment_spec_gateway.go#L49)</sup>
@@ -3147,10 +3190,20 @@ Default Value: `true`
 
 ***
 
-### .spec.gateway.defaultTargetAuthentication
+### .spec.gateway.createUsers
 
 Type: `boolean` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/deployment/v1/deployment_spec_gateway.go#L53)</sup>
 
+CreateUsers defines if authenticated users will be created in ArangoDB
+
+Default Value: `false`
+
+***
+
+### .spec.gateway.defaultTargetAuthentication
+
+Type: `boolean` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/deployment/v1/deployment_spec_gateway.go#L57)</sup>
+
 DefaultTargetAuthentication defines if default endpoints check authentication via envoy (Cookie and Header based auth)
 
 Default Value: `true`
@@ -3190,7 +3243,7 @@ By default, the image is determined by the operator.
 
 ### .spec.gateway.timeout
 
-Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/deployment/v1/deployment_spec_gateway.go#L58)</sup>
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/deployment/v1/deployment_spec_gateway.go#L62)</sup>
 
 Timeout defines default timeout for the upstream actions (if not overridden)
 

docs/api/ArangoPlatform.V1Alpha1.Authentication.OpenID.md

@@ -0,0 +1,99 @@
+---
+layout: page
+parent: CRD reference
+title: ArangoPlatform V1Alpha1 Authentication OpenID
+---
+
+# API Reference for ArangoPlatform V1Alpha1 Authentication OpenID
+
+## 
+
+### .client.id
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/platform/v1alpha1/authentication/openid.go#L223)</sup>
+
+ID defines OpenID Client ID
+
+***
+
+### .client.secret
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/platform/v1alpha1/authentication/openid.go#L226)</sup>
+
+Secret defines OpenID Client Secret
+
+***
+
+### .disabledPaths
+
+Type: `array` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/platform/v1alpha1/authentication/openid.go#L67)</sup>
+
+DisabledPaths keeps the list of SSO disabled paths. By default, "_logout" endpoint is passed through
+
+***
+
+### .endpoint
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/platform/v1alpha1/authentication/openid.go#L61)</sup>
+
+Endpoint defines the OpenID callback Endpoint
+
+***
+
+### .http.insecure
+
+Type: `boolean` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/platform/v1alpha1/authentication/openid.go#L179)</sup>
+
+Insecure defines if insecure HTTP Client is used
+
+Default Value: `false`
+
+***
+
+### .provider..authorizationEndpoint
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/platform/v1alpha1/authentication/openid.go#L210)</sup>
+
+AuthorizationEndpoint defines OpenID Authorization Endpoint
+
+Links:
+* [Documentation](https://www.ibm.com/docs/en/was-liberty/base?topic=connect-openid-endpoint-urls#rwlp_oidc_endpoint_urls__auth_endpoint__title__1)
+
+***
+
+### .provider..tokenEndpoint
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/platform/v1alpha1/authentication/openid.go#L214)</sup>
+
+TokenEndpoint defines OpenID Token Endpoint
+
+Links:
+* [Documentation](https://www.ibm.com/docs/en/was-liberty/base?topic=connect-openid-endpoint-urls#rwlp_oidc_endpoint_urls__token_endpoint__title__1)
+
+***
+
+### .provider..userInfoEndpoint
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/platform/v1alpha1/authentication/openid.go#L218)</sup>
+
+UserInfoEndpoint defines OpenID UserInfo Endpoint
+
+Links:
+* [Documentation](https://www.ibm.com/docs/en/was-liberty/base?topic=connect-openid-endpoint-urls#rwlp_oidc_endpoint_urls__userinfo_endpoint__title__1)
+
+***
+
+### .provider.issuer
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/platform/v1alpha1/authentication/openid.go#L204)</sup>
+
+Issuer defines OpenID Issuer
+
+***
+
+### .scope
+
+Type: `array` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/platform/v1alpha1/authentication/openid.go#L64)</sup>
+
+Scope defines OpenID Scopes (OpenID is added by default).
+