From 26ba0fd8b3ac25450928d7dda456d6ce00240dd5 Mon Sep 17 00:00:00 2001 From: Eguzki Astiz Lezaun Date: Wed, 2 Oct 2024 23:40:56 +0200 Subject: [PATCH] authorino-operator v0.13.0 
Signed-off-by: Eguzki Astiz Lezaun --- ...c.authorization.k8s.io_v1_clusterrole.yaml | 23 + ...c.authorization.k8s.io_v1_clusterrole.yaml | 20 + ...c.authorization.k8s.io_v1_clusterrole.yaml | 18 + ...c.authorization.k8s.io_v1_clusterrole.yaml | 43 + ...authorino-operator-metrics_v1_service.yaml | 16 + ...horino-operator.clusterserviceversion.yaml | 519 ++ .../authorino-webhooks_v1_service.yaml | 18 + .../authorino.kuadrant.io_authconfigs.yaml | 4971 +++++++++++++++++ .../manager-config_v1_configmap.yaml | 17 + ...ator.authorino.kuadrant.io_authorinos.yaml | 283 + .../0.13.0/metadata/annotations.yaml | 16 + .../0.13.0/tests/scorecard/config.yaml | 70 + 12 files changed, 6014 insertions(+) create mode 100644 operators/authorino-operator/0.13.0/manifests/authorino-authconfig-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 operators/authorino-operator/0.13.0/manifests/authorino-authconfig-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 operators/authorino-operator/0.13.0/manifests/authorino-manager-k8s-auth-role_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 operators/authorino-operator/0.13.0/manifests/authorino-manager-role_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 operators/authorino-operator/0.13.0/manifests/authorino-operator-metrics_v1_service.yaml create mode 100644 operators/authorino-operator/0.13.0/manifests/authorino-operator.clusterserviceversion.yaml create mode 100644 operators/authorino-operator/0.13.0/manifests/authorino-webhooks_v1_service.yaml create mode 100644 operators/authorino-operator/0.13.0/manifests/authorino.kuadrant.io_authconfigs.yaml create mode 100644 operators/authorino-operator/0.13.0/manifests/manager-config_v1_configmap.yaml create mode 100644 operators/authorino-operator/0.13.0/manifests/operator.authorino.kuadrant.io_authorinos.yaml create mode 100644 operators/authorino-operator/0.13.0/metadata/annotations.yaml create mode 100644 
operators/authorino-operator/0.13.0/tests/scorecard/config.yaml
diff --git a/operators/authorino-operator/0.13.0/manifests/authorino-authconfig-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/operators/authorino-operator/0.13.0/manifests/authorino-authconfig-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 00000000000..6e94ba7ed57
--- /dev/null
+++ b/operators/authorino-operator/0.13.0/manifests/authorino-authconfig-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: authorino-authconfig-editor-role
+rules:
+- apiGroups:
+ - authorino.kuadrant.io
+ resources:
+ - authconfigs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+- apiGroups:
+ - authorino.kuadrant.io
+ resources:
+ - authconfigs/status
+ verbs:
+ - get
diff --git a/operators/authorino-operator/0.13.0/manifests/authorino-authconfig-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/operators/authorino-operator/0.13.0/manifests/authorino-authconfig-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 00000000000..e9f571b4ed1
--- /dev/null
+++ b/operators/authorino-operator/0.13.0/manifests/authorino-authconfig-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: authorino-authconfig-viewer-role
+rules:
+- apiGroups:
+ - authorino.kuadrant.io
+ resources:
+ - authconfigs
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - authorino.kuadrant.io
+ resources:
+ - authconfigs/status
+ verbs:
+ - get
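Review bot: `authorino-authconfig-editor-role` grants create/delete/get/list/patch/update on `authconfigs` but not `watch`, while the viewer role in the next hunk does grant `watch`; a subject bound only to the editor role can mutate AuthConfigs yet cannot run an informer or `kubectl get -w` against them. Kubebuilder's scaffolded editor role normally includes `watch`, so this reads as an accidental omission rather than a deliberate narrowing. If it is deliberate, a one-line comment on the rule stating why would save the next reviewer the question; otherwise add `- watch` after `- update` in the first rule.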
diff --git a/operators/authorino-operator/0.13.0/manifests/authorino-manager-k8s-auth-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/operators/authorino-operator/0.13.0/manifests/authorino-manager-k8s-auth-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 00000000000..ba77ebba56a
--- /dev/null
+++ b/operators/authorino-operator/0.13.0/manifests/authorino-manager-k8s-auth-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: authorino-manager-k8s-auth-role
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
diff --git a/operators/authorino-operator/0.13.0/manifests/authorino-manager-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/operators/authorino-operator/0.13.0/manifests/authorino-manager-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 00000000000..d110e1be815
--- /dev/null
+++ b/operators/authorino-operator/0.13.0/manifests/authorino-manager-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,43 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: authorino-manager-role
+rules:
+- apiGroups:
+ - authorino.kuadrant.io
+ resources:
+ - authconfigs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - authorino.kuadrant.io
+ resources:
+ - authconfigs/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - get
+ - list
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
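Review bot: `authorino-manager-role` is a ClusterRole granting get/list/watch on core `secrets` with no `resourceNames` restriction, so whatever it is bound to can read every Secret within the binding's scope; the CSV later in this patch also lets the operator create `clusterrolebindings`, so if the operator binds this role cluster-wide each Authorino instance can read all Secrets in the cluster, not only the label-selected API-key Secrets the `alm-examples` show it consuming. The bindings are created by the operator at runtime and are not part of this patch, so this may already be namespaced for instances that do not watch all namespaces — worth confirming before approving the bundle. If cluster-wide read is genuinely required for cluster-wide mode, a comment on the rule such as `# cluster-wide read is needed to resolve label-selected API-key Secrets across namespaces` records the blast radius for the next reviewer.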
diff --git a/operators/authorino-operator/0.13.0/manifests/authorino-operator-metrics_v1_service.yaml b/operators/authorino-operator/0.13.0/manifests/authorino-operator-metrics_v1_service.yaml
new file mode 100644
index 00000000000..2674b2dc0c7
--- /dev/null
+++ b/operators/authorino-operator/0.13.0/manifests/authorino-operator-metrics_v1_service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ creationTimestamp: null
+ labels:
+ control-plane: authorino-operator
+ name: authorino-operator-metrics
+spec:
+ ports:
+ - name: metrics
+ port: 8080
+ targetPort: metrics
+ selector:
+ control-plane: authorino-operator
+status:
+ loadBalancer: {}
diff --git a/operators/authorino-operator/0.13.0/manifests/authorino-operator.clusterserviceversion.yaml b/operators/authorino-operator/0.13.0/manifests/authorino-operator.clusterserviceversion.yaml
new file mode 100644
index 00000000000..2c4d7aafe17
--- /dev/null
+++ b/operators/authorino-operator/0.13.0/manifests/authorino-operator.clusterserviceversion.yaml
@@ -0,0 +1,519 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: ClusterServiceVersion +metadata: + annotations: + alm-examples: |- + [ + { + "apiVersion": "authorino.kuadrant.io/v1beta1", + "kind": "AuthConfig", + "metadata": { + "name": "my-api-protection" + }, + "spec": { + "hosts": [ + "my-api.io" + ], + "identity": [ + { + "apiKey": { + "selector": { + "matchLabels": { + "group": "friends" + } + } + }, + "credentials": { + "in": "authorization_header", + "keySelector": "APIKEY" + }, + "name": "api-key-users" + } + ] + } + }, + { + "apiVersion": "authorino.kuadrant.io/v1beta2", + "kind": "AuthConfig", + "metadata": { + "name": "my-api-protection" + }, + "spec": { + "authentication": { + "api-key-users": { + "apiKey": { + "selector": { + "matchLabels": { + "group": "friends" + } + } + }, + "credentials": { + "authorizationHeader": { + "prefix": "APIKEY" + } + } + } + }, + "hosts": [ + "my-api.io" + ] + } + }, + { + "apiVersion": "operator.authorino.kuadrant.io/v1beta1", + "kind": "Authorino", + "metadata": { + "name": "authorino-sample" + }, + "spec": { + "listener": { + "tls": { + "enabled": false + } + }, + "oidcServer": { + "tls": { + "enabled": false + } + } + } + } + ] + capabilities: Basic Install + categories: Integration & Delivery + containerImage: quay.io/kuadrant/authorino-operator:v0.13.0 + createdAt: "2024-10-02T16:41:48Z" + operators.operatorframework.io/builder: operator-sdk-v1.32.0 + operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 + repository: https://github.com/Kuadrant/authorino-operator + support: kuadrant + labels: + operatorframework.io/arch.amd64: supported + operatorframework.io/arch.arm64: supported + operatorframework.io/arch.ppc64le: supported + operatorframework.io/arch.s390x: supported + operatorframework.io/os.linux: supported + name: authorino-operator.v0.13.0 + namespace: placeholder +spec: + apiservicedefinitions: {} + customresourcedefinitions: + owned: + - description: API to describe the desired 
protection for a service + displayName: AuthConfig + kind: AuthConfig + name: authconfigs.authorino.kuadrant.io + version: v1beta1 + - description: API to describe the desired protection for a service + displayName: AuthConfig + kind: AuthConfig + name: authconfigs.authorino.kuadrant.io + version: v1beta2 + - description: API to create instances of authorino + displayName: Authorino + kind: Authorino + name: authorinos.operator.authorino.kuadrant.io + version: v1beta1 + description: The operator to manage instances of Authorino + displayName: Authorino Operator + icon: + - base64data: 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 + mediatype: image/png + install: + spec: + clusterPermissions: + - rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - configmaps/status + verbs: + - delete + - get + - patch + - update + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - get + - list + - update + - watch + - apiGroups: + - "" + resources: + - services + verbs: + - create + - get + - list + - update + - watch + - apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorino.kuadrant.io + resources: + - authconfigs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - authorino.kuadrant.io + resources: + - authconfigs/status + verbs: + - get + - patch + - update + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - 
create + - get + - list + - update + - apiGroups: + - operator.authorino.kuadrant.io + resources: + - authorinos + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - operator.authorino.kuadrant.io + resources: + - authorinos/finalizers + verbs: + - update + - apiGroups: + - operator.authorino.kuadrant.io + resources: + - authorinos/status + verbs: + - get + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + verbs: + - create + - get + - list + - update + - watch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + verbs: + - create + - get + - list + - update + - watch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + verbs: + - create + - get + - list + - update + - watch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + verbs: + - create + - get + - list + - update + - watch + serviceAccountName: authorino-operator + deployments: + - label: + control-plane: authorino-operator + name: authorino-operator + spec: + replicas: 1 + selector: + matchLabels: + control-plane: authorino-operator + strategy: {} + template: + metadata: + labels: + control-plane: authorino-operator + spec: + containers: + - args: + - --leader-elect + command: + - /manager + image: quay.io/kuadrant/authorino-operator:v0.13.0 + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + ports: + - containerPort: 8080 + name: metrics + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 200m + memory: 300Mi + requests: + cpu: 200m + memory: 200Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + securityContext: + runAsNonRoot: true + serviceAccountName: authorino-operator + 
terminationGracePeriodSeconds: 10 + - label: + app: authorino + authorino-component: authorino-webhooks + name: authorino-webhooks + spec: + selector: + matchLabels: + app: authorino + authorino-component: authorino-webhooks + strategy: {} + template: + metadata: + labels: + app: authorino + authorino-component: authorino-webhooks + spec: + containers: + - command: + - authorino + - webhooks + image: quay.io/kuadrant/authorino:v0.18.0 + name: webhooks + ports: + - containerPort: 9443 + name: webhooks + - containerPort: 8080 + name: metrics + - containerPort: 8081 + name: healthz + resources: {} + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: authorino-webhook-server-cert + permissions: + - rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + serviceAccountName: authorino-operator + - rules: + - apiGroups: + - authorino.kuadrant.io + resources: + - authconfigs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - authorino.kuadrant.io + resources: + - authconfigs/status + verbs: + - get + - patch + - update + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update + - apiGroups: + - "" + resources: + - configmaps + - events + verbs: + - create + - get + - list + - update + serviceAccountName: default + strategy: deployment + installModes: + - supported: false + type: OwnNamespace + - supported: false + type: SingleNamespace + - supported: false + type: MultiNamespace + - supported: true + type: AllNamespaces + keywords: + - Authorino + - Authorino Operator 
+ - Kuadrant + - Authorization + - Authentication + links: + - name: Authorino Operator + url: https://github.com/Kuadrant/authorino-operator + - name: Authorino + url: https://github.com/Kuadrant/authorino + maintainers: + - email: dcesare@redhat.com + name: Didier Di Cesare + - email: eastizle@redhat.com + name: Eguzki Astiz Lezaun + - email: mcassola@redhat.com + name: Guilherme Cassolato + maturity: alpha + minKubeVersion: 1.25.0 + provider: + name: Red Hat + version: 0.13.0 + webhookdefinitions: + - admissionReviewVersions: + - v1beta1 + - v1beta2 + containerPort: 443 + conversionCRDs: + - authconfigs.authorino.kuadrant.io + deploymentName: authorino-webhooks + generateName: cauthconfigs.kb.io + sideEffects: None + targetPort: 9443 + type: ConversionWebhook + webhookPath: /convert + replaces: authorino-operator.v0.12.0 diff --git a/operators/authorino-operator/0.13.0/manifests/authorino-webhooks_v1_service.yaml b/operators/authorino-operator/0.13.0/manifests/authorino-webhooks_v1_service.yaml new file mode 100644 index 00000000000..ccdb679c48f --- /dev/null +++ b/operators/authorino-operator/0.13.0/manifests/authorino-webhooks_v1_service.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app: authorino + authorino-component: authorino-webhooks + name: authorino-webhooks +spec: + ports: + - port: 443 + protocol: TCP + targetPort: 9443 + selector: + app: authorino + authorino-component: authorino-webhooks +status: + loadBalancer: {} diff --git a/operators/authorino-operator/0.13.0/manifests/authorino.kuadrant.io_authconfigs.yaml b/operators/authorino-operator/0.13.0/manifests/authorino.kuadrant.io_authconfigs.yaml new file mode 100644 index 00000000000..2444becc07f --- /dev/null +++ b/operators/authorino-operator/0.13.0/manifests/authorino.kuadrant.io_authconfigs.yaml 
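Review bot: the `authorino-webhooks` Deployment in the CSV's `deployments` list runs the conversion webhook container with no `securityContext` and `resources: {}`, whereas the `authorino-operator` manager container in the same hunk drops all capabilities, sets `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and a `RuntimeDefault` seccomp profile with `runAsNonRoot: true` at pod level; the webhook pod therefore runs with default container privileges, has no resource ceiling, and would be rejected by Pod Security Admission in a namespace enforcing the `restricted` profile. It also declares a `healthz` port 8081 but no liveness or readiness probe, so the `authorino-webhooks` Service can route CRD conversion requests to the pod before its TLS listener on 9443 is serving — if the `authorino webhooks` command exposes `/healthz` and `/readyz` on 8081 as the manager does (confirm), probes mirroring the manager's would close that window. Separately, the second `permissions` entry binds a Role with rights on `authconfigs`, `leases`, `configmaps` and `events` to `serviceAccountName: default`; presumably this is for the Authorino instance the operator deploys, but every pod in the operator namespace that omits `serviceAccountName` inherits those rights, so a dedicated service account is the least-privilege choice. The container-level hardening below mirrors the manager container exactly; `readOnlyRootFilesystem` assumes the webhook server writes nothing to disk besides reading the mounted certs, and pod-level `runAsNonRoot` is left out until the `quay.io/kuadrant/authorino` image's default user is confirmed.
```yaml
        - command:
            - authorino
            - webhooks
          # … unchanged: image, name, ports …
          resources: {}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
          # … unchanged: volumeMounts …
```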
@@ -0,0 +1,4971 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: authorino-operator/authorino-webhook-server-cert + controller-gen.kubebuilder.io/version: v0.15.0 + creationTimestamp: null + name: authconfigs.authorino.kuadrant.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: authorino-webhooks + namespace: authorino-operator + path: /convert + conversionReviewVersions: + - v1beta1 + - v1beta2 + group: authorino.kuadrant.io + names: + kind: AuthConfig + listKind: AuthConfigList + plural: authconfigs + singular: authconfig + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Ready for all hosts + jsonPath: .status.summary.ready + name: Ready + type: string + - description: Number of hosts ready + jsonPath: .status.summary.numHostsReady + name: Hosts + type: string + - description: Number of trusted identity sources + jsonPath: .status.summary.numIdentitySources + name: Authentication + priority: 2 + type: integer + - description: Number of external metadata sources + jsonPath: .status.summary.numMetadataSources + name: Metadata + priority: 2 + type: integer + - description: Number of authorization policies + jsonPath: .status.summary.numAuthorizationPolicies + name: Authorization + priority: 2 + type: integer + - description: Number of items added to the authorization response + jsonPath: .status.summary.numResponseItems + name: Response + priority: 2 + type: integer + - description: Whether issuing Festival Wristbands + jsonPath: .status.summary.festivalWristbandEnabled + name: Wristband + priority: 2 + type: boolean + name: v1beta1 + schema: + openAPIV3Schema: + description: AuthConfig is the schema for Authorino's AuthConfig API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. 
+ Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Specifies the desired state of the AuthConfig resource, i.e. + the authencation/authorization scheme to be applied to protect the matching + service hosts. + properties: + authorization: + description: |- + Authorization is the list of authorization policies. + All policies in this list MUST evaluate to "true" for a request be successful in the authorization phase. + items: + description: |- + Authorization policy to be enforced. + Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "opa", "json" or "kubernetes". + oneOf: + - properties: + name: {} + opa: {} + required: + - name + - opa + - properties: + json: {} + name: {} + required: + - name + - json + - properties: + kubernetes: {} + name: {} + required: + - name + - kubernetes + - properties: + authzed: {} + name: {} + required: + - name + - authzed + properties: + authzed: + description: Authzed authorization + properties: + endpoint: + description: Endpoint of the Authzed service. + type: string + insecure: + description: Insecure HTTP connection (i.e. disables TLS + verification) + type: boolean + permission: + description: The name of the permission (or relation) on + which to execute the check. 
+ properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + type: object + resource: + description: The resource on which to check the permission + or relation. + properties: + kind: + description: StaticOrDynamicValue is either a constant + static string value or a config for fetching a value + from a dynamic source (e.g. a path pattern of authorization + JSON) + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + type: object + name: + description: StaticOrDynamicValue is either a constant + static string value or a config for fetching a value + from a dynamic source (e.g. 
a path pattern of authorization + JSON) + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + type: object + type: object + sharedSecretRef: + description: Reference to a Secret key whose value will + be used by Authorino to authenticate with the Authzed + service. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + subject: + description: The subject that will be checked for the permission + or relation. + properties: + kind: + description: StaticOrDynamicValue is either a constant + static string value or a config for fetching a value + from a dynamic source (e.g. a path pattern of authorization + JSON) + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. 
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + type: object + name: + description: StaticOrDynamicValue is either a constant + static string value or a config for fetching a value + from a dynamic source (e.g. a path pattern of authorization + JSON) + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + type: object + type: object + required: + - endpoint + type: object + cache: + description: |- + Caching options for the policy evaluation results when enforcing this config. + Omit it to avoid caching policy evaluation results for this config. + properties: + key: + description: |- + Key used to store the entry in the cache. + Cache entries from different metadata configs are stored and managed separately regardless of the key. + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external data + in the cache before pulled again from the source. + type: integer + required: + - key + type: object + json: + description: JSON pattern matching authorization policy. + properties: + rules: + description: The rules that must all evaluate to "true" + for the request to be authorized. + items: + oneOf: + - properties: + patternRef: {} + required: + - patternRef + - properties: + operator: {} + selector: {} + value: {} + required: + - operator + - selector + - properties: + all: {} + required: + - all + - properties: + any: {} + required: + - any + properties: + all: + description: A list of pattern expressions to be evaluated + as a logical AND. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions to be evaluated + as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + operator: + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Name of a named pattern + type: string + selector: + description: |- + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. 
+ type: string + value: + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. + type: string + type: object + type: array + required: + - rules + type: object + kubernetes: + description: |- + Kubernetes authorization policy based on `SubjectAccessReview` + Path and Verb are inferred from the request. + properties: + groups: + description: Groups to test for. + items: + type: string + type: array + resourceAttributes: + description: |- + Use ResourceAttributes for checking permissions on Kubernetes resources + If omitted, it performs a non-resource `SubjectAccessReview`, with verb and path inferred from the request. + properties: + group: + description: StaticOrDynamicValue is either a constant + static string value or a config for fetching a value + from a dynamic source (e.g. a path pattern of authorization + JSON) + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + type: object + name: + description: StaticOrDynamicValue is either a constant + static string value or a config for fetching a value + from a dynamic source (e.g. 
a path pattern of authorization + JSON) + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + type: object + namespace: + description: StaticOrDynamicValue is either a constant + static string value or a config for fetching a value + from a dynamic source (e.g. a path pattern of authorization + JSON) + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + type: object + resource: + description: StaticOrDynamicValue is either a constant + static string value or a config for fetching a value + from a dynamic source (e.g. 
a path pattern of authorization + JSON) + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + type: object + subresource: + description: StaticOrDynamicValue is either a constant + static string value or a config for fetching a value + from a dynamic source (e.g. a path pattern of authorization + JSON) + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + type: object + verb: + description: StaticOrDynamicValue is either a constant + static string value or a config for fetching a value + from a dynamic source (e.g. 
a path pattern of authorization + JSON) + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + type: object + type: object + user: + description: |- + User to test for. + If without "Groups", then is it interpreted as "What if User were not a member of any groups" + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + type: object + required: + - user + type: object + metrics: + default: false + description: Whether this authorization config should generate + individual observability metrics + type: boolean + name: + description: |- + Name of the authorization policy. + It can be used to refer to the resolved authorization object in other configs. 
+ type: string + opa: + description: Open Policy Agent (OPA) authorization policy. + properties: + allValues: + default: false + description: |- + Returns the value of all Rego rules in the virtual document. Values can be read in subsequent evaluators/phases of the Auth Pipeline. + Otherwise, only the default `allow` rule will be exposed. + Returning all Rego rules can affect performance of OPA policies during reconciliation (policy precompile) and at runtime. + type: boolean + externalRegistry: + description: External registry of OPA policies. + properties: + credentials: + description: |- + Defines where client credentials will be passed in the request to the service. + If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + properties: + in: + default: authorization_header + description: The location in the request where client + credentials shall be passed on requests authenticating + with this identity source/authentication mode. + enum: + - authorization_header + - custom_header + - query + - cookie + type: string + keySelector: + description: |- + Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). + When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. + type: string + required: + - keySelector + type: object + endpoint: + description: |- + Endpoint of the HTTP external registry. + The endpoint must respond with either plain/text or application/json content-type. + In the latter case, the JSON returned in the body must include a path `result.raw`, where the raw Rego policy will be extracted from. 
This complies with the specification of the OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy). + type: string + sharedSecretRef: + description: |- + Reference to a Secret key whose value will be passed by Authorino in the request. + The HTTP service can use the shared secret to authenticate the origin of the request. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + ttl: + description: Duration (in seconds) of the external data + in the cache before pulled again from the source. + type: integer + type: object + inlineRego: + description: |- + Authorization policy as a Rego language document. + The Rego document must include the "allow" condition, set by Authorino to "false" by default (i.e. requests are unauthorized unless changed). + The Rego document must NOT include the "package" declaration in line 1. + type: string + type: object + priority: + default: 0 + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + type: integer + when: + description: |- + Conditions for Authorino to enforce this authorization policy. + If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + items: + oneOf: + - properties: + patternRef: {} + required: + - patternRef + - properties: + operator: {} + selector: {} + value: {} + required: + - operator + - selector + - properties: + all: {} + required: + - all + - properties: + any: {} + required: + - any + properties: + all: + description: A list of pattern expressions to be evaluated + as a logical AND. 
+ items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions to be evaluated + as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + operator: + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Name of a named pattern + type: string + selector: + description: |- + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + type: string + value: + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. + type: string + type: object + type: array + required: + - name + type: object + type: array + callbacks: + description: |- + List of callback configs. + Authorino sends callbacks to specified endpoints at the end of the auth pipeline. + items: + description: Endpoints to callback at the end of each auth pipeline. + properties: + http: + description: Generic HTTP interface to obtain authorization + metadata from a HTTP service. + properties: + body: + description: |- + Raw body of the HTTP request. + Supersedes 'bodyParameters'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). 
+ properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + type: object + bodyParameters: + description: |- + Custom parameters to encode in the body of the HTTP request. + Superseded by 'body'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + items: + properties: + name: + description: The name of the JSON property + type: string + value: + description: Static value of the JSON property + x-kubernetes-preserve-unknown-fields: true + valueFrom: + description: Dynamic value of the JSON property + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + required: + - name + type: object + type: array + contentType: + default: application/x-www-form-urlencoded + description: |- + Content-Type of the request body. 
Shapes how 'bodyParameters' are encoded. + Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + enum: + - application/x-www-form-urlencoded + - application/json + type: string + credentials: + description: |- + Defines where client credentials will be passed in the request to the service. + If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + properties: + in: + default: authorization_header + description: The location in the request where client + credentials shall be passed on requests authenticating + with this identity source/authentication mode. + enum: + - authorization_header + - custom_header + - query + - cookie + type: string + keySelector: + description: |- + Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). + When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. + type: string + required: + - keySelector + type: object + endpoint: + description: |- + Endpoint of the HTTP service. + The endpoint accepts variable placeholders in the format "{selector}", where "selector" is any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} + type: string + headers: + description: Custom headers in the HTTP request. 
+ items: + properties: + name: + description: The name of the JSON property + type: string + value: + description: Static value of the JSON property + x-kubernetes-preserve-unknown-fields: true + valueFrom: + description: Dynamic value of the JSON property + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + required: + - name + type: object + type: array + method: + default: GET + description: |- + HTTP verb used in the request to the service. Accepted values: GET (default), POST. + When the request method is POST, the authorization JSON is passed in the body of the request. + enum: + - GET + - POST + type: string + oauth2: + description: Authentication with the HTTP service by OAuth2 + Client Credentials grant. + properties: + cache: + default: true + description: |- + Caches and reuses the token until expired. + Set it to false to force fetch the token at every authorization request regardless of expiration. + type: boolean + clientId: + description: OAuth2 Client ID. + type: string + clientSecretRef: + description: Reference to a Kubernetes Secret key that + stores that OAuth2 Client Secret. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. 
+ type: string + required: + - key + - name + type: object + extraParams: + additionalProperties: + type: string + description: Optional extra parameters for the requests + to the token URL. + type: object + scopes: + description: Optional scopes for the client credentials + grant, if supported by he OAuth2 server. + items: + type: string + type: array + tokenUrl: + description: Token endpoint URL of the OAuth2 resource + server. + type: string + required: + - clientId + - clientSecretRef + - tokenUrl + type: object + sharedSecretRef: + description: |- + Reference to a Secret key whose value will be passed by Authorino in the request. + The HTTP service can use the shared secret to authenticate the origin of the request. + Ignored if used together with oauth2. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + required: + - endpoint + type: object + metrics: + default: false + description: Whether this callback config should generate individual + observability metrics + type: boolean + name: + description: |- + Name of the callback. + It can be used to refer to the resolved callback response in other configs. + type: string + priority: + default: 0 + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + type: integer + when: + description: |- + Conditions for Authorino to perform this callback. + If omitted, the callback will be attempted for all requests. + If present, all conditions must match for the callback to be attempted; otherwise, the callback will be skipped. + items: + properties: + all: + description: A list of pattern expressions to be evaluated + as a logical AND. 
+ items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions to be evaluated + as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + operator: + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Name of a named pattern + type: string + selector: + description: |- + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + type: string + value: + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. + type: string + type: object + type: array + required: + - http + - name + type: object + type: array + denyWith: + description: Custom denial response codes, statuses and headers to + override default 40x's. + properties: + unauthenticated: + description: Denial status customization when the request is unauthenticated. + properties: + body: + description: HTTP response body to override the default denial + body. + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + type: object + code: + description: HTTP status code to override the default denial + status code. + format: int64 + maximum: 599 + minimum: 300 + type: integer + headers: + description: HTTP response headers to override the default + denial headers. + items: + properties: + name: + description: The name of the JSON property + type: string + value: + description: Static value of the JSON property + x-kubernetes-preserve-unknown-fields: true + valueFrom: + description: Dynamic value of the JSON property + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + required: + - name + type: object + type: array + message: + description: HTTP message to override the default denial message. + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. 
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + type: object + type: object + unauthorized: + description: Denial status customization when the request is unauthorized. + properties: + body: + description: HTTP response body to override the default denial + body. + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + type: object + code: + description: HTTP status code to override the default denial + status code. + format: int64 + maximum: 599 + minimum: 300 + type: integer + headers: + description: HTTP response headers to override the default + denial headers. + items: + properties: + name: + description: The name of the JSON property + type: string + value: + description: Static value of the JSON property + x-kubernetes-preserve-unknown-fields: true + valueFrom: + description: Dynamic value of the JSON property + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + required: + - name + type: object + type: array + message: + description: HTTP message to override the default denial message. + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + type: object + type: object + type: object + hosts: + description: |- + The list of public host names of the services protected by this authentication/authorization scheme. + Authorino uses the requested host to lookup for the corresponding authentication/authorization configs to enforce. + items: + type: string + type: array + identity: + description: |- + List of identity sources/authentication modes. + At least one config of this list MUST evaluate to a valid identity for a request to be successful in the identity verification phase. + items: + description: |- + The identity source/authentication mode config. + Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "oicd", "apiKey" or "kubernetes". 
+ oneOf: + - properties: + credentials: {} + name: {} + oauth2: {} + required: + - name + - oauth2 + - properties: + credentials: {} + name: {} + oidc: {} + required: + - name + - oidc + - properties: + apiKey: {} + credentials: {} + name: {} + required: + - name + - apiKey + - properties: + credentials: {} + mtls: {} + name: {} + required: + - name + - mtls + - properties: + credentials: {} + kubernetes: {} + name: {} + required: + - name + - kubernetes + - properties: + anonymous: {} + credentials: {} + name: {} + required: + - name + - anonymous + - properties: + credentials: {} + name: {} + plain: {} + required: + - name + - plain + properties: + anonymous: + type: object + apiKey: + properties: + allNamespaces: + default: false + description: |- + Whether Authorino should look for API key secrets in all namespaces or only in the same namespace as the AuthConfig. + Enabling this option in namespaced Authorino instances has no effect. + type: boolean + selector: + description: Label selector used by Authorino to match secrets + from the cluster storing valid credentials to authenticate + to this service + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - selector + type: object + cache: + description: |- + Caching options for the identity resolved when applying this config. + Omit it to avoid caching identity objects for this config. + properties: + key: + description: |- + Key used to store the entry in the cache. + Cache entries from different metadata configs are stored and managed separately regardless of the key. + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external data + in the cache before pulled again from the source. + type: integer + required: + - key + type: object + credentials: + description: |- + Defines where client credentials are required to be passed in the request for this identity source/authentication mode. 
+ If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the credentials value (token, API key, etc). + properties: + in: + default: authorization_header + description: The location in the request where client credentials + shall be passed on requests authenticating with this identity + source/authentication mode. + enum: + - authorization_header + - custom_header + - query + - cookie + type: string + keySelector: + description: |- + Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). + When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. + type: string + required: + - keySelector + type: object + extendedProperties: + description: |- + Extends the resolved identity object with additional custom properties before appending to the authorization JSON. + It requires the resolved identity object to always be of the JSON type 'object'. Other JSON types (array, string, etc) will break. + items: + properties: + name: + description: The name of the JSON property + type: string + overwrite: + default: false + description: Whether the value should overwrite the value + of an existing property with the same name. + type: boolean + value: + description: Static value of the JSON property + x-kubernetes-preserve-unknown-fields: true + valueFrom: + description: Dynamic value of the JSON property + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + required: + - name + type: object + type: array + kubernetes: + properties: + audiences: + description: |- + The list of audiences (scopes) that must be claimed in a Kubernetes authentication token supplied in the request, and reviewed by Authorino. + If omitted, Authorino will review tokens expecting the host name of the requested protected service amongst the audiences. + items: + type: string + type: array + type: object + metrics: + default: false + description: Whether this identity config should generate individual + observability metrics + type: boolean + mtls: + properties: + allNamespaces: + default: false + description: |- + Whether Authorino should look for TLS secrets in all namespaces or only in the same namespace as the AuthConfig. + Enabling this option in namespaced Authorino instances has no effect. + type: boolean + selector: + description: Label selector used by Authorino to match secrets + from the cluster storing trusted CA certificates to validate + clients trying to authenticate to this service + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - selector + type: object + name: + description: |- + The name of this identity source/authentication mode. + It usually identifies a source of identities or group of users/clients of the protected service. + It can be used to refer to the resolved identity object in other configs. + type: string + oauth2: + properties: + credentialsRef: + description: Reference to a Kubernetes secret in the same + namespace, that stores client credentials to the OAuth2 + server. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + tokenIntrospectionUrl: + description: The full URL of the token introspection endpoint. + type: string + tokenTypeHint: + description: |- + The token type hint for the token introspection. + If omitted, it defaults to "access_token". + type: string + required: + - credentialsRef + - tokenIntrospectionUrl + type: object + oidc: + properties: + endpoint: + description: |- + Endpoint of the OIDC issuer. + Authorino will append to this value the well-known path to the OpenID Connect discovery endpoint (i.e. 
"/.well-known/openid-configuration"), used to automatically discover the OpenID Connect configuration, whose set of claims is expected to include (among others) the "jkws_uri" claim. + The value must coincide with the value of the "iss" (issuer) claim of the discovered OpenID Connect configuration. + type: string + ttl: + description: Decides how long to wait before refreshing + the OIDC configuration (in seconds). + type: integer + required: + - endpoint + type: object + plain: + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + priority: + default: 0 + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + type: integer + when: + description: |- + Conditions for Authorino to enforce this identity config. + If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + items: + oneOf: + - properties: + patternRef: {} + required: + - patternRef + - properties: + operator: {} + selector: {} + value: {} + required: + - operator + - selector + - properties: + all: {} + required: + - all + - properties: + any: {} + required: + - any + properties: + all: + description: A list of pattern expressions to be evaluated + as a logical AND. 
+ items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions to be evaluated + as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + operator: + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Name of a named pattern + type: string + selector: + description: |- + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + type: string + value: + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. + type: string + type: object + type: array + required: + - name + type: object + type: array + metadata: + description: |- + List of metadata source configs. + Authorino fetches JSON content from sources on this list on every request. + items: + description: |- + The metadata config. + Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "http", userInfo" or "uma". + oneOf: + - properties: + name: {} + userInfo: {} + required: + - name + - userInfo + - properties: + name: {} + uma: {} + required: + - name + - uma + - properties: + http: {} + name: {} + required: + - name + - http + properties: + cache: + description: |- + Caching options for the external metadata fetched when applying this config. + Omit it to avoid caching metadata from this source. 
+ properties: + key: + description: |- + Key used to store the entry in the cache. + Cache entries from different metadata configs are stored and managed separately regardless of the key. + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external data + in the cache before pulled again from the source. + type: integer + required: + - key + type: object + http: + description: Generic HTTP interface to obtain authorization + metadata from a HTTP service. + properties: + body: + description: |- + Raw body of the HTTP request. + Supersedes 'bodyParameters'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. 
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + type: object + bodyParameters: + description: |- + Custom parameters to encode in the body of the HTTP request. + Superseded by 'body'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + items: + properties: + name: + description: The name of the JSON property + type: string + value: + description: Static value of the JSON property + x-kubernetes-preserve-unknown-fields: true + valueFrom: + description: Dynamic value of the JSON property + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + required: + - name + type: object + type: array + contentType: + default: application/x-www-form-urlencoded + description: |- + Content-Type of the request body. Shapes how 'bodyParameters' are encoded. + Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + enum: + - application/x-www-form-urlencoded + - application/json + type: string + credentials: + description: |- + Defines where client credentials will be passed in the request to the service. + If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. 
+ properties: + in: + default: authorization_header + description: The location in the request where client + credentials shall be passed on requests authenticating + with this identity source/authentication mode. + enum: + - authorization_header + - custom_header + - query + - cookie + type: string + keySelector: + description: |- + Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). + When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. + type: string + required: + - keySelector + type: object + endpoint: + description: |- + Endpoint of the HTTP service. + The endpoint accepts variable placeholders in the format "{selector}", where "selector" is any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} + type: string + headers: + description: Custom headers in the HTTP request. + items: + properties: + name: + description: The name of the JSON property + type: string + value: + description: Static value of the JSON property + x-kubernetes-preserve-unknown-fields: true + valueFrom: + description: Dynamic value of the JSON property + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. 
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + required: + - name + type: object + type: array + method: + default: GET + description: |- + HTTP verb used in the request to the service. Accepted values: GET (default), POST. + When the request method is POST, the authorization JSON is passed in the body of the request. + enum: + - GET + - POST + type: string + oauth2: + description: Authentication with the HTTP service by OAuth2 + Client Credentials grant. + properties: + cache: + default: true + description: |- + Caches and reuses the token until expired. + Set it to false to force fetch the token at every authorization request regardless of expiration. + type: boolean + clientId: + description: OAuth2 Client ID. + type: string + clientSecretRef: + description: Reference to a Kubernetes Secret key that + stores that OAuth2 Client Secret. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + extraParams: + additionalProperties: + type: string + description: Optional extra parameters for the requests + to the token URL. + type: object + scopes: + description: Optional scopes for the client credentials + grant, if supported by he OAuth2 server. + items: + type: string + type: array + tokenUrl: + description: Token endpoint URL of the OAuth2 resource + server. + type: string + required: + - clientId + - clientSecretRef + - tokenUrl + type: object + sharedSecretRef: + description: |- + Reference to a Secret key whose value will be passed by Authorino in the request. + The HTTP service can use the shared secret to authenticate the origin of the request. + Ignored if used together with oauth2. 
+ properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + required: + - endpoint + type: object + metrics: + default: false + description: Whether this metadata config should generate individual + observability metrics + type: boolean + name: + description: |- + The name of the metadata source. + It can be used to refer to the resolved metadata object in other configs. + type: string + priority: + default: 0 + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + type: integer + uma: + description: User-Managed Access (UMA) source of resource data. + properties: + credentialsRef: + description: Reference to a Kubernetes secret in the same + namespace, that stores client credentials to the resource + registration API of the UMA server. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + endpoint: + description: |- + The endpoint of the UMA server. + The value must coincide with the "issuer" claim of the UMA config discovered from the well-known uma configuration endpoint. + type: string + required: + - credentialsRef + - endpoint + type: object + userInfo: + description: OpendID Connect UserInfo linked to an OIDC identity + config of this same spec. + properties: + identitySource: + description: The name of an OIDC identity source included + in the "identity" section and whose OpenID Connect configuration + discovered includes the OIDC "userinfo_endpoint" claim. 
+ type: string + required: + - identitySource + type: object + when: + description: |- + Conditions for Authorino to apply this metadata config. + If omitted, the config will be applied for all requests. + If present, all conditions must match for the config to be applied; otherwise, the config will be skipped. + items: + oneOf: + - properties: + patternRef: {} + required: + - patternRef + - properties: + operator: {} + selector: {} + value: {} + required: + - operator + - selector + - properties: + all: {} + required: + - all + - properties: + any: {} + required: + - any + properties: + all: + description: A list of pattern expressions to be evaluated + as a logical AND. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions to be evaluated + as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + operator: + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Name of a named pattern + type: string + selector: + description: |- + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + type: string + value: + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. 
+ type: string + type: object + type: array + required: + - name + type: object + type: array + patterns: + additionalProperties: + items: + properties: + operator: + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + enum: + - eq + - neq + - incl + - excl + - matches + type: string + selector: + description: |- + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + type: string + value: + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. + type: string + type: object + type: array + description: Named sets of JSON patterns that can be referred in `when` + conditionals and in JSON-pattern matching policy rules. + type: object + response: + description: |- + List of response configs. + Authorino gathers data from the auth pipeline to build custom responses for the client. + items: + description: |- + Dynamic response to return to the client. + Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "wristband" or "json". + oneOf: + - properties: + name: {} + wristband: {} + required: + - name + - wristband + - properties: + json: {} + name: {} + required: + - name + - json + - properties: + name: {} + plain: {} + required: + - name + - plain + properties: + cache: + description: |- + Caching options for dynamic responses built when applying this config. + Omit it to avoid caching dynamic responses for this config. 
+ properties: + key: + description: |- + Key used to store the entry in the cache. + Cache entries from different metadata configs are stored and managed separately regardless of the key. + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external data + in the cache before pulled again from the source. + type: integer + required: + - key + type: object + json: + properties: + properties: + description: List of JSON property-value pairs to be added + to the dynamic response. + items: + properties: + name: + description: The name of the JSON property + type: string + value: + description: Static value of the JSON property + x-kubernetes-preserve-unknown-fields: true + valueFrom: + description: Dynamic value of the JSON property + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. 
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + required: + - name + type: object + type: array + required: + - properties + type: object + metrics: + default: false + description: Whether this response config should generate individual + observability metrics + type: boolean + name: + description: |- + Name of the custom response. + It can be used to refer to the resolved response object in other configs. + type: string + plain: + description: StaticOrDynamicValue is either a constant static + string value or a config for fetching a value from a dynamic + source (e.g. a path pattern of authorization JSON) + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + type: object + priority: + default: 0 + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + type: integer + when: + description: |- + Conditions for Authorino to enforce this custom response config. + If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. 
+ items: + oneOf: + - properties: + patternRef: {} + required: + - patternRef + - properties: + operator: {} + selector: {} + value: {} + required: + - operator + - selector + - properties: + all: {} + required: + - all + - properties: + any: {} + required: + - any + properties: + all: + description: A list of pattern expressions to be evaluated + as a logical AND. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions to be evaluated + as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + operator: + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Name of a named pattern + type: string + selector: + description: |- + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + type: string + value: + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. + type: string + type: object + type: array + wrapper: + default: httpHeader + description: |- + How Authorino wraps the response. + Use "httpHeader" (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" to wrap the response as Envoy Dynamic Metadata + enum: + - httpHeader + - envoyDynamicMetadata + type: string + wrapperKey: + description: |- + The name of key used in the wrapped response (name of the HTTP header or property of the Envoy Dynamic Metadata JSON). 
+ If omitted, it will be set to the name of the configuration. + type: string + wristband: + properties: + customClaims: + description: Any claims to be added to the wristband token + apart from the standard JWT claims (iss, iat, exp) added + by default. + items: + properties: + name: + description: The name of the JSON property + type: string + value: + description: Static value of the JSON property + x-kubernetes-preserve-unknown-fields: true + valueFrom: + description: Dynamic value of the JSON property + properties: + authJSON: + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + required: + - name + type: object + type: array + issuer: + description: 'The endpoint to the Authorino service that + issues the wristband (format: ://:/, + where = /://:/, + where = /://:/, + where = /