diff --git a/Makefile b/Makefile
index eac4b82..3292c19 100644
--- a/Makefile
+++ b/Makefile
@@ -18,10 +18,12 @@ help: ## Display this help.
 
 ##@ Development
 
+EXTERNAL_CRDS=./config/crd/external
 .PHONY: generate
 generate: tools ## Generates required resources for the controller to work properly (see config/ folder)
 	$(LOCALBIN)/controller-gen rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
-	$(call fetch-external-crds,github.com/openshift/api,route/v1)
+	rm -rf $(EXTERNAL_CRDS)
+	$(call fetch-external-crds,github.com/openshift/api,route/v1,$(EXTERNAL_CRDS))
 
 SRC_DIRS:=./controllers ./test
 SRCS:=$(shell find ${SRC_DIRS} -name "*.go")
diff --git a/config/crd/external/authorino.kuadrant.io_authconfigs.yaml b/config/crd/external/authorino.kuadrant.io_authconfigs.yaml
deleted file mode 100644
index 4ecc144..0000000
--- a/config/crd/external/authorino.kuadrant.io_authconfigs.yaml
+++ /dev/null
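Review bot: The added `rm -rf $(EXTERNAL_CRDS)` in the `generate` recipe runs with no guard on the variable, so a command-line override such as `make generate EXTERNAL_CRDS=` or a value that resolves outside the repo (a stray `/`, `..`, or an absolute path) deletes whatever it points at, and because the whole directory is removed before `fetch-external-crds` runs, a failed fetch leaves `config/crd/external` empty with nothing in the recipe to report the missing route CRD. I would make the variable simply-expanded and fail early on an empty value, then scope the removal to the files the target owns: `EXTERNAL_CRDS := ./config/crd/external`, `$(if $(strip $(EXTERNAL_CRDS)),,$(error EXTERNAL_CRDS is empty))` placed right after the assignment, and `$(RM) -r "$(EXTERNAL_CRDS)"/*.yaml` in place of the bare `rm -rf`. A comment on the variable, `# wiped and re-fetched by 'make generate'; do not hand-place CRDs here`, would also record that this commit turns the directory into generated-only output (the vendored Authorino CRD is removed in the same change). The new fourth argument to `fetch-external-crds` is consumed by a definition outside this hunk, so I cannot confirm here that the macro actually writes into the path it is given rather than the old hard-coded one.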
@@ -1,2379 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.13.0 - name: authconfigs.authorino.kuadrant.io -spec: - group: authorino.kuadrant.io - names: - kind: AuthConfig - listKind: AuthConfigList - plural: authconfigs - singular: authconfig - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Ready for all hosts - jsonPath: .status.summary.ready - name: Ready - type: string - - description: Number of hosts ready - jsonPath: .status.summary.numHostsReady - name: Hosts - type: string - - description: Number of trusted identity sources - jsonPath: .status.summary.numIdentitySources - name: Authentication - priority: 2 - type: integer - - description: Number of external metadata sources - jsonPath: .status.summary.numMetadataSources - name: Metadata - priority: 2 - type: integer - - description: Number of authorization policies - jsonPath: .status.summary.numAuthorizationPolicies - name: Authorization - priority: 2 - type: integer - - description: Number of items added to the authorization response - jsonPath: .status.summary.numResponseItems - name: Response - priority: 2 - type: integer - - description: Whether issuing Festival Wristbands - jsonPath: .status.summary.festivalWristbandEnabled - name: Wristband - priority: 2 - type: boolean - name: v1beta1 - schema: - openAPIV3Schema: - description: AuthConfig is the schema for Authorino's AuthConfig API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. 
Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Specifies the desired state of the AuthConfig resource, i.e. - the authencation/authorization scheme to be applied to protect the matching - service hosts. - properties: - authorization: - description: Authorization is the list of authorization policies. - All policies in this list MUST evaluate to "true" for a request - be successful in the authorization phase. - items: - description: 'Authorization policy to be enforced. Apart from "name", - one of the following parameters is required and only one of the - following parameters is allowed: "opa", "json" or "kubernetes".' - properties: - authzed: - description: Authzed authorization - properties: - endpoint: - description: Endpoint of the Authzed service. - type: string - insecure: - description: Insecure HTTP connection (i.e. disables TLS - verification) - type: boolean - permission: - description: The name of the permission (or relation) on - which to execute the check. - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' 
- type: string - type: object - type: object - resource: - description: The resource on which to check the permission - or relation. - properties: - kind: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a value - from a dynamic source (e.g. a path pattern of authorization - JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - type: object - name: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a value - from a dynamic source (e.g. a path pattern of authorization - JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' 
- type: string - type: object - type: object - type: object - sharedSecretRef: - description: Reference to a Secret key whose value will - be used by Authorino to authenticate with the Authzed - service. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: The name of the secret in the Authorino's - namespace to select from. - type: string - required: - - key - - name - type: object - subject: - description: The subject that will be checked for the permission - or relation. - properties: - kind: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a value - from a dynamic source (e.g. a path pattern of authorization - JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - type: object - name: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a value - from a dynamic source (e.g. a path pattern of authorization - JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. 
''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - type: object - type: object - required: - - endpoint - type: object - cache: - description: Caching options for the policy evaluation results - when enforcing this config. Omit it to avoid caching policy - evaluation results for this config. - properties: - key: - description: Key used to store the entry in the cache. Cache - entries from different metadata configs are stored and - managed separately regardless of the key. - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' - type: string - type: object - type: object - ttl: - default: 60 - description: Duration (in seconds) of the external data - in the cache before pulled again from the source. - type: integer - required: - - key - type: object - json: - description: JSON pattern matching authorization policy. - properties: - rules: - description: The rules that must all evaluate to "true" - for the request to be authorized. 
- items: - properties: - all: - description: A list of pattern expressions to be evaluated - as a logical AND. - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - any: - description: A list of pattern expressions to be evaluated - as a logical OR. - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - operator: - description: 'The binary operator to be applied to - the content fetched from the authorization JSON, - for comparison with "value". Possible values are: - "eq" (equal to), "neq" (not equal to), "incl" (includes; - for arrays), "excl" (excludes; for arrays), "matches" - (regex)' - enum: - - eq - - neq - - incl - - excl - - matches - type: string - patternRef: - description: Name of a named pattern - type: string - selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input - authorization JSON built by Authorino along the - identity and metadata phases. - type: string - value: - description: The value of reference for the comparison - with the content fetched from the authorization - JSON. If used with the "matches" operator, the value - must compile to a valid Golang regex. - type: string - type: object - type: array - required: - - rules - type: object - kubernetes: - description: Kubernetes authorization policy based on `SubjectAccessReview` - Path and Verb are inferred from the request. - properties: - groups: - description: Groups to test for. - items: - type: string - type: array - resourceAttributes: - description: Use ResourceAttributes for checking permissions - on Kubernetes resources If omitted, it performs a non-resource - `SubjectAccessReview`, with verb and path inferred from - the request. - properties: - group: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a value - from a dynamic source (e.g. 
a path pattern of authorization - JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - type: object - name: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a value - from a dynamic source (e.g. a path pattern of authorization - JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - type: object - namespace: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a value - from a dynamic source (e.g. 
a path pattern of authorization - JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - type: object - resource: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a value - from a dynamic source (e.g. a path pattern of authorization - JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - type: object - subresource: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a value - from a dynamic source (e.g. 
a path pattern of authorization - JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - type: object - verb: - description: StaticOrDynamicValue is either a constant - static string value or a config for fetching a value - from a dynamic source (e.g. a path pattern of authorization - JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - type: object - type: object - user: - description: User to test for. 
If without "Groups", then - is it interpreted as "What if User were not a member of - any groups" - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' - type: string - type: object - type: object - required: - - user - type: object - metrics: - default: false - description: Whether this authorization config should generate - individual observability metrics - type: boolean - name: - description: Name of the authorization policy. It can be used - to refer to the resolved authorization object in other configs. - type: string - opa: - description: Open Policy Agent (OPA) authorization policy. - properties: - allValues: - default: false - description: Returns the value of all Rego rules in the - virtual document. Values can be read in subsequent evaluators/phases - of the Auth Pipeline. Otherwise, only the default `allow` - rule will be exposed. Returning all Rego rules can affect - performance of OPA policies during reconciliation (policy - precompile) and at runtime. - type: boolean - externalRegistry: - description: External registry of OPA policies. - properties: - credentials: - description: Defines where client credentials will be - passed in the request to the service. If omitted, - it defaults to client credentials passed in the HTTP - Authorization header and the "Bearer" prefix expected - prepended to the secret value. 
- properties: - in: - default: authorization_header - description: The location in the request where client - credentials shall be passed on requests authenticating - with this identity source/authentication mode. - enum: - - authorization_header - - custom_header - - query - - cookie - type: string - keySelector: - description: Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value - is the prefix of the client credentials string, - separated by a white-space, in the HTTP Authorization - header (e.g. "Bearer", "Basic"). When used with - `custom_header`, `query` or `cookie`, the value - is the name of the HTTP header, query string parameter - or cookie key, respectively. - type: string - required: - - keySelector - type: object - endpoint: - description: Endpoint of the HTTP external registry. - The endpoint must respond with either plain/text or - application/json content-type. In the latter case, - the JSON returned in the body must include a path - `result.raw`, where the raw Rego policy will be extracted - from. This complies with the specification of the - OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy). - type: string - sharedSecretRef: - description: Reference to a Secret key whose value will - be passed by Authorino in the request. The HTTP service - can use the shared secret to authenticate the origin - of the request. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: The name of the secret in the Authorino's - namespace to select from. - type: string - required: - - key - - name - type: object - ttl: - description: Duration (in seconds) of the external data - in the cache before pulled again from the source. - type: integer - type: object - inlineRego: - description: Authorization policy as a Rego language document. 
- The Rego document must include the "allow" condition, - set by Authorino to "false" by default (i.e. requests - are unauthorized unless changed). The Rego document must - NOT include the "package" declaration in line 1. - type: string - type: object - priority: - default: 0 - description: Priority group of the config. All configs in the - same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. - type: integer - when: - description: Conditions for Authorino to enforce this authorization - policy. If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be - enforced; otherwise, the config will be skipped. - items: - properties: - all: - description: A list of pattern expressions to be evaluated - as a logical AND. - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - any: - description: A list of pattern expressions to be evaluated - as a logical OR. - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - operator: - description: 'The binary operator to be applied to the - content fetched from the authorization JSON, for comparison - with "value". Possible values are: "eq" (equal to), - "neq" (not equal to), "incl" (includes; for arrays), - "excl" (excludes; for arrays), "matches" (regex)' - enum: - - eq - - neq - - incl - - excl - - matches - type: string - patternRef: - description: Name of a named pattern - type: string - selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. - type: string - value: - description: The value of reference for the comparison - with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must - compile to a valid Golang regex. 
- type: string - type: object - type: array - required: - - name - type: object - type: array - callbacks: - description: List of callback configs. Authorino sends callbacks to - specified endpoints at the end of the auth pipeline. - items: - description: Endpoints to callback at the end of each auth pipeline. - properties: - http: - description: Generic HTTP interface to obtain authorization - metadata from a HTTP service. - properties: - body: - description: Raw body of the HTTP request. Supersedes 'bodyParameters'; - use either one or the other. Use it with method=POST; - for GET requests, set parameters as query string in the - 'endpoint' (placeholders can be used). - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' - type: string - type: object - type: object - bodyParameters: - description: Custom parameters to encode in the body of - the HTTP request. Superseded by 'body'; use either one - or the other. Use it with method=POST; for GET requests, - set parameters as query string in the 'endpoint' (placeholders - can be used). 
- items: - properties: - name: - description: The name of the JSON property - type: string - value: - description: Static value of the JSON property - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the JSON property - properties: - authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - required: - - name - type: object - type: array - contentType: - default: application/x-www-form-urlencoded - description: Content-Type of the request body. Shapes how - 'bodyParameters' are encoded. Use it with method=POST; - for GET requests, Content-Type is automatically set to - 'text/plain'. - enum: - - application/x-www-form-urlencoded - - application/json - type: string - credentials: - description: Defines where client credentials will be passed - in the request to the service. If omitted, it defaults - to client credentials passed in the HTTP Authorization - header and the "Bearer" prefix expected prepended to the - secret value. - properties: - in: - default: authorization_header - description: The location in the request where client - credentials shall be passed on requests authenticating - with this identity source/authentication mode. - enum: - - authorization_header - - custom_header - - query - - cookie - type: string - keySelector: - description: Used in conjunction with the `in` parameter. 
- When used with `authorization_header`, the value is - the prefix of the client credentials string, separated - by a white-space, in the HTTP Authorization header - (e.g. "Bearer", "Basic"). When used with `custom_header`, - `query` or `cookie`, the value is the name of the - HTTP header, query string parameter or cookie key, - respectively. - type: string - required: - - keySelector - type: object - endpoint: - description: Endpoint of the HTTP service. The endpoint - accepts variable placeholders in the format "{selector}", - where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} - type: string - headers: - description: Custom headers in the HTTP request. - items: - properties: - name: - description: The name of the JSON property - type: string - value: - description: Static value of the JSON property - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the JSON property - properties: - authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - required: - - name - type: object - type: array - method: - default: GET - description: 'HTTP verb used in the request to the service. - Accepted values: GET (default), POST. When the request - method is POST, the authorization JSON is passed in the - body of the request.' 
- enum: - - GET - - POST - type: string - oauth2: - description: Authentication with the HTTP service by OAuth2 - Client Credentials grant. - properties: - cache: - default: true - description: Caches and reuses the token until expired. - Set it to false to force fetch the token at every - authorization request regardless of expiration. - type: boolean - clientId: - description: OAuth2 Client ID. - type: string - clientSecretRef: - description: Reference to a Kubernetes Secret key that - stores that OAuth2 Client Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: The name of the secret in the Authorino's - namespace to select from. - type: string - required: - - key - - name - type: object - extraParams: - additionalProperties: - type: string - description: Optional extra parameters for the requests - to the token URL. - type: object - scopes: - description: Optional scopes for the client credentials - grant, if supported by he OAuth2 server. - items: - type: string - type: array - tokenUrl: - description: Token endpoint URL of the OAuth2 resource - server. - type: string - required: - - clientId - - clientSecretRef - - tokenUrl - type: object - sharedSecretRef: - description: Reference to a Secret key whose value will - be passed by Authorino in the request. The HTTP service - can use the shared secret to authenticate the origin of - the request. Ignored if used together with oauth2. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: The name of the secret in the Authorino's - namespace to select from. 
- type: string - required: - - key - - name - type: object - required: - - endpoint - type: object - metrics: - default: false - description: Whether this callback config should generate individual - observability metrics - type: boolean - name: - description: Name of the callback. It can be used to refer to - the resolved callback response in other configs. - type: string - priority: - default: 0 - description: Priority group of the config. All configs in the - same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. - type: integer - when: - description: Conditions for Authorino to perform this callback. - If omitted, the callback will be attempted for all requests. - If present, all conditions must match for the callback to - be attempted; otherwise, the callback will be skipped. - items: - properties: - all: - description: A list of pattern expressions to be evaluated - as a logical AND. - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - any: - description: A list of pattern expressions to be evaluated - as a logical OR. - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - operator: - description: 'The binary operator to be applied to the - content fetched from the authorization JSON, for comparison - with "value". Possible values are: "eq" (equal to), - "neq" (not equal to), "incl" (includes; for arrays), - "excl" (excludes; for arrays), "matches" (regex)' - enum: - - eq - - neq - - incl - - excl - - matches - type: string - patternRef: - description: Name of a named pattern - type: string - selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. 
- type: string - value: - description: The value of reference for the comparison - with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must - compile to a valid Golang regex. - type: string - type: object - type: array - required: - - http - - name - type: object - type: array - denyWith: - description: Custom denial response codes, statuses and headers to - override default 40x's. - properties: - unauthenticated: - description: Denial status customization when the request is unauthenticated. - properties: - body: - description: HTTP response body to override the default denial - body. - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the - authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' - type: string - type: object - type: object - code: - description: HTTP status code to override the default denial - status code. - format: int64 - maximum: 599 - minimum: 300 - type: integer - headers: - description: HTTP response headers to override the default - denial headers. - items: - properties: - name: - description: The name of the JSON property - type: string - value: - description: Static value of the JSON property - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the JSON property - properties: - authJSON: - description: 'Selector to fetch a value from the - authorization JSON. 
It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' - type: string - type: object - required: - - name - type: object - type: array - message: - description: HTTP message to override the default denial message. - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the - authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' - type: string - type: object - type: object - type: object - unauthorized: - description: Denial status customization when the request is unauthorized. - properties: - body: - description: HTTP response body to override the default denial - body. - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the - authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' - type: string - type: object - type: object - code: - description: HTTP status code to override the default denial - status code. - format: int64 - maximum: 599 - minimum: 300 - type: integer - headers: - description: HTTP response headers to override the default - denial headers. - items: - properties: - name: - description: The name of the JSON property - type: string - value: - description: Static value of the JSON property - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the JSON property - properties: - authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' - type: string - type: object - required: - - name - type: object - type: array - message: - description: HTTP message to override the default denial message. - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the - authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' - type: string - type: object - type: object - type: object - type: object - hosts: - description: The list of public host names of the services protected - by this authentication/authorization scheme. Authorino uses the - requested host to lookup for the corresponding authentication/authorization - configs to enforce. - items: - type: string - type: array - identity: - description: List of identity sources/authentication modes. At least - one config of this list MUST evaluate to a valid identity for a - request to be successful in the identity verification phase. - items: - description: 'The identity source/authentication mode config. Apart - from "name", one of the following parameters is required and only - one of the following parameters is allowed: "oicd", "apiKey" or - "kubernetes".' - properties: - anonymous: - type: object - apiKey: - properties: - allNamespaces: - default: false - description: Whether Authorino should look for API key secrets - in all namespaces or only in the same namespace as the - AuthConfig. Enabling this option in namespaced Authorino - instances has no effect. - type: boolean - selector: - description: Label selector used by Authorino to match secrets - from the cluster storing valid credentials to authenticate - to this service - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. 
- type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, - NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists - or DoesNotExist, the values array must be empty. - This array is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field - is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - required: - - selector - type: object - cache: - description: Caching options for the identity resolved when - applying this config. Omit it to avoid caching identity objects - for this config. - properties: - key: - description: Key used to store the entry in the cache. Cache - entries from different metadata configs are stored and - managed separately regardless of the key. - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' 
- type: string - type: object - type: object - ttl: - default: 60 - description: Duration (in seconds) of the external data - in the cache before pulled again from the source. - type: integer - required: - - key - type: object - credentials: - description: Defines where client credentials are required to - be passed in the request for this identity source/authentication - mode. If omitted, it defaults to client credentials passed - in the HTTP Authorization header and the "Bearer" prefix expected - prepended to the credentials value (token, API key, etc). - properties: - in: - default: authorization_header - description: The location in the request where client credentials - shall be passed on requests authenticating with this identity - source/authentication mode. - enum: - - authorization_header - - custom_header - - query - - cookie - type: string - keySelector: - description: Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is the - prefix of the client credentials string, separated by - a white-space, in the HTTP Authorization header (e.g. - "Bearer", "Basic"). When used with `custom_header`, `query` - or `cookie`, the value is the name of the HTTP header, - query string parameter or cookie key, respectively. - type: string - required: - - keySelector - type: object - extendedProperties: - description: Extends the resolved identity object with additional - custom properties before appending to the authorization JSON. - It requires the resolved identity object to always be of the - JSON type 'object'. Other JSON types (array, string, etc) - will break. - items: - properties: - name: - description: The name of the JSON property - type: string - overwrite: - default: false - description: Whether the value should overwrite the value - of an existing property with the same name. 
- type: boolean - value: - description: Static value of the JSON property - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the JSON property - properties: - authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the - authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' - type: string - type: object - required: - - name - type: object - type: array - kubernetes: - properties: - audiences: - description: The list of audiences (scopes) that must be - claimed in a Kubernetes authentication token supplied - in the request, and reviewed by Authorino. If omitted, - Authorino will review tokens expecting the host name of - the requested protected service amongst the audiences. - items: - type: string - type: array - type: object - metrics: - default: false - description: Whether this identity config should generate individual - observability metrics - type: boolean - mtls: - properties: - allNamespaces: - default: false - description: Whether Authorino should look for TLS secrets - in all namespaces or only in the same namespace as the - AuthConfig. Enabling this option in namespaced Authorino - instances has no effect. - type: boolean - selector: - description: Label selector used by Authorino to match secrets - from the cluster storing trusted CA certificates to validate - clients trying to authenticate to this service - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. 
- items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, - NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists - or DoesNotExist, the values array must be empty. - This array is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field - is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - required: - - selector - type: object - name: - description: The name of this identity source/authentication - mode. It usually identifies a source of identities or group - of users/clients of the protected service. It can be used - to refer to the resolved identity object in other configs. - type: string - oauth2: - properties: - credentialsRef: - description: Reference to a Kubernetes secret in the same - namespace, that stores client credentials to the OAuth2 - server. - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' 
- type: string - type: object - x-kubernetes-map-type: atomic - tokenIntrospectionUrl: - description: The full URL of the token introspection endpoint. - type: string - tokenTypeHint: - description: The token type hint for the token introspection. - If omitted, it defaults to "access_token". - type: string - required: - - credentialsRef - - tokenIntrospectionUrl - type: object - oidc: - properties: - endpoint: - description: Endpoint of the OIDC issuer. Authorino will - append to this value the well-known path to the OpenID - Connect discovery endpoint (i.e. "/.well-known/openid-configuration"), - used to automatically discover the OpenID Connect configuration, - whose set of claims is expected to include (among others) - the "jkws_uri" claim. The value must coincide with the - value of the "iss" (issuer) claim of the discovered OpenID - Connect configuration. - type: string - ttl: - description: Decides how long to wait before refreshing - the OIDC configuration (in seconds). - type: integer - required: - - endpoint - type: object - plain: - properties: - authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') or a string - template with variable placeholders that resolve to patterns - (e.g. "Hello, {auth.identity.name}!"). Any patterns supported - by https://pkg.go.dev/github.com/tidwall/gjson can be - used. The following string modifiers are available: @extract:{sep:" - ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' - type: string - type: object - priority: - default: 0 - description: Priority group of the config. All configs in the - same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. - type: integer - when: - description: Conditions for Authorino to enforce this identity - config. 
If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be - enforced; otherwise, the config will be skipped. - items: - properties: - all: - description: A list of pattern expressions to be evaluated - as a logical AND. - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - any: - description: A list of pattern expressions to be evaluated - as a logical OR. - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - operator: - description: 'The binary operator to be applied to the - content fetched from the authorization JSON, for comparison - with "value". Possible values are: "eq" (equal to), - "neq" (not equal to), "incl" (includes; for arrays), - "excl" (excludes; for arrays), "matches" (regex)' - enum: - - eq - - neq - - incl - - excl - - matches - type: string - patternRef: - description: Name of a named pattern - type: string - selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. - type: string - value: - description: The value of reference for the comparison - with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must - compile to a valid Golang regex. - type: string - type: object - type: array - required: - - name - type: object - type: array - metadata: - description: List of metadata source configs. Authorino fetches JSON - content from sources on this list on every request. - items: - description: 'The metadata config. Apart from "name", one of the - following parameters is required and only one of the following - parameters is allowed: "http", userInfo" or "uma".' - properties: - cache: - description: Caching options for the external metadata fetched - when applying this config. 
Omit it to avoid caching metadata - from this source. - properties: - key: - description: Key used to store the entry in the cache. Cache - entries from different metadata configs are stored and - managed separately regardless of the key. - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' - type: string - type: object - type: object - ttl: - default: 60 - description: Duration (in seconds) of the external data - in the cache before pulled again from the source. - type: integer - required: - - key - type: object - http: - description: Generic HTTP interface to obtain authorization - metadata from a HTTP service. - properties: - body: - description: Raw body of the HTTP request. Supersedes 'bodyParameters'; - use either one or the other. Use it with method=POST; - for GET requests, set parameters as query string in the - 'endpoint' (placeholders can be used). - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. 
The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' - type: string - type: object - type: object - bodyParameters: - description: Custom parameters to encode in the body of - the HTTP request. Superseded by 'body'; use either one - or the other. Use it with method=POST; for GET requests, - set parameters as query string in the 'endpoint' (placeholders - can be used). - items: - properties: - name: - description: The name of the JSON property - type: string - value: - description: Static value of the JSON property - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the JSON property - properties: - authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - required: - - name - type: object - type: array - contentType: - default: application/x-www-form-urlencoded - description: Content-Type of the request body. Shapes how - 'bodyParameters' are encoded. Use it with method=POST; - for GET requests, Content-Type is automatically set to - 'text/plain'. - enum: - - application/x-www-form-urlencoded - - application/json - type: string - credentials: - description: Defines where client credentials will be passed - in the request to the service. If omitted, it defaults - to client credentials passed in the HTTP Authorization - header and the "Bearer" prefix expected prepended to the - secret value. 
- properties: - in: - default: authorization_header - description: The location in the request where client - credentials shall be passed on requests authenticating - with this identity source/authentication mode. - enum: - - authorization_header - - custom_header - - query - - cookie - type: string - keySelector: - description: Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is - the prefix of the client credentials string, separated - by a white-space, in the HTTP Authorization header - (e.g. "Bearer", "Basic"). When used with `custom_header`, - `query` or `cookie`, the value is the name of the - HTTP header, query string parameter or cookie key, - respectively. - type: string - required: - - keySelector - type: object - endpoint: - description: Endpoint of the HTTP service. The endpoint - accepts variable placeholders in the format "{selector}", - where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} - type: string - headers: - description: Custom headers in the HTTP request. - items: - properties: - name: - description: The name of the JSON property - type: string - value: - description: Static value of the JSON property - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the JSON property - properties: - authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. 
The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - required: - - name - type: object - type: array - method: - default: GET - description: 'HTTP verb used in the request to the service. - Accepted values: GET (default), POST. When the request - method is POST, the authorization JSON is passed in the - body of the request.' - enum: - - GET - - POST - type: string - oauth2: - description: Authentication with the HTTP service by OAuth2 - Client Credentials grant. - properties: - cache: - default: true - description: Caches and reuses the token until expired. - Set it to false to force fetch the token at every - authorization request regardless of expiration. - type: boolean - clientId: - description: OAuth2 Client ID. - type: string - clientSecretRef: - description: Reference to a Kubernetes Secret key that - stores that OAuth2 Client Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: The name of the secret in the Authorino's - namespace to select from. - type: string - required: - - key - - name - type: object - extraParams: - additionalProperties: - type: string - description: Optional extra parameters for the requests - to the token URL. - type: object - scopes: - description: Optional scopes for the client credentials - grant, if supported by he OAuth2 server. - items: - type: string - type: array - tokenUrl: - description: Token endpoint URL of the OAuth2 resource - server. - type: string - required: - - clientId - - clientSecretRef - - tokenUrl - type: object - sharedSecretRef: - description: Reference to a Secret key whose value will - be passed by Authorino in the request. The HTTP service - can use the shared secret to authenticate the origin of - the request. Ignored if used together with oauth2. 
- properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: The name of the secret in the Authorino's - namespace to select from. - type: string - required: - - key - - name - type: object - required: - - endpoint - type: object - metrics: - default: false - description: Whether this metadata config should generate individual - observability metrics - type: boolean - name: - description: The name of the metadata source. It can be used - to refer to the resolved metadata object in other configs. - type: string - priority: - default: 0 - description: Priority group of the config. All configs in the - same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. - type: integer - uma: - description: User-Managed Access (UMA) source of resource data. - properties: - credentialsRef: - description: Reference to a Kubernetes secret in the same - namespace, that stores client credentials to the resource - registration API of the UMA server. - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - type: object - x-kubernetes-map-type: atomic - endpoint: - description: The endpoint of the UMA server. The value must - coincide with the "issuer" claim of the UMA config discovered - from the well-known uma configuration endpoint. - type: string - required: - - credentialsRef - - endpoint - type: object - userInfo: - description: OpendID Connect UserInfo linked to an OIDC identity - config of this same spec. - properties: - identitySource: - description: The name of an OIDC identity source included - in the "identity" section and whose OpenID Connect configuration - discovered includes the OIDC "userinfo_endpoint" claim. 
- type: string - required: - - identitySource - type: object - when: - description: Conditions for Authorino to apply this metadata - config. If omitted, the config will be applied for all requests. - If present, all conditions must match for the config to be - applied; otherwise, the config will be skipped. - items: - properties: - all: - description: A list of pattern expressions to be evaluated - as a logical AND. - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - any: - description: A list of pattern expressions to be evaluated - as a logical OR. - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - operator: - description: 'The binary operator to be applied to the - content fetched from the authorization JSON, for comparison - with "value". Possible values are: "eq" (equal to), - "neq" (not equal to), "incl" (includes; for arrays), - "excl" (excludes; for arrays), "matches" (regex)' - enum: - - eq - - neq - - incl - - excl - - matches - type: string - patternRef: - description: Name of a named pattern - type: string - selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. - type: string - value: - description: The value of reference for the comparison - with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must - compile to a valid Golang regex. - type: string - type: object - type: array - required: - - name - type: object - type: array - patterns: - additionalProperties: - items: - properties: - operator: - description: 'The binary operator to be applied to the content - fetched from the authorization JSON, for comparison with - "value". 
Possible values are: "eq" (equal to), "neq" (not - equal to), "incl" (includes; for arrays), "excl" (excludes; - for arrays), "matches" (regex)' - enum: - - eq - - neq - - incl - - excl - - matches - type: string - selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. - type: string - value: - description: The value of reference for the comparison with - the content fetched from the authorization JSON. If used - with the "matches" operator, the value must compile to a - valid Golang regex. - type: string - type: object - type: array - description: Named sets of JSON patterns that can be referred in `when` - conditionals and in JSON-pattern matching policy rules. - type: object - response: - description: List of response configs. Authorino gathers data from - the auth pipeline to build custom responses for the client. - items: - description: 'Dynamic response to return to the client. Apart from - "name", one of the following parameters is required and only one - of the following parameters is allowed: "wristband" or "json".' - properties: - cache: - description: Caching options for dynamic responses built when - applying this config. Omit it to avoid caching dynamic responses - for this config. - properties: - key: - description: Key used to store the entry in the cache. Cache - entries from different metadata configs are stored and - managed separately regardless of the key. - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' - type: string - type: object - type: object - ttl: - default: 60 - description: Duration (in seconds) of the external data - in the cache before pulled again from the source. - type: integer - required: - - key - type: object - json: - properties: - properties: - description: List of JSON property-value pairs to be added - to the dynamic response. - items: - properties: - name: - description: The name of the JSON property - type: string - value: - description: Static value of the JSON property - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the JSON property - properties: - authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - required: - - name - type: object - type: array - required: - - properties - type: object - metrics: - default: false - description: Whether this response config should generate individual - observability metrics - type: boolean - name: - description: Name of the custom response. It can be used to - refer to the resolved response object in other configs. - type: string - plain: - description: StaticOrDynamicValue is either a constant static - string value or a config for fetching a value from a dynamic - source (e.g. 
a path pattern of authorization JSON) - properties: - value: - description: Static value - type: string - valueFrom: - description: Dynamic value - properties: - authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the - authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders that - resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' - type: string - type: object - type: object - priority: - default: 0 - description: Priority group of the config. All configs in the - same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. - type: integer - when: - description: Conditions for Authorino to enforce this custom - response config. If omitted, the config will be enforced for - all requests. If present, all conditions must match for the - config to be enforced; otherwise, the config will be skipped. - items: - properties: - all: - description: A list of pattern expressions to be evaluated - as a logical AND. - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - any: - description: A list of pattern expressions to be evaluated - as a logical OR. - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - operator: - description: 'The binary operator to be applied to the - content fetched from the authorization JSON, for comparison - with "value". 
Possible values are: "eq" (equal to), - "neq" (not equal to), "incl" (includes; for arrays), - "excl" (excludes; for arrays), "matches" (regex)' - enum: - - eq - - neq - - incl - - excl - - matches - type: string - patternRef: - description: Name of a named pattern - type: string - selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. - type: string - value: - description: The value of reference for the comparison - with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must - compile to a valid Golang regex. - type: string - type: object - type: array - wrapper: - default: httpHeader - description: How Authorino wraps the response. Use "httpHeader" - (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" - to wrap the response as Envoy Dynamic Metadata - enum: - - httpHeader - - envoyDynamicMetadata - type: string - wrapperKey: - description: The name of key used in the wrapped response (name - of the HTTP header or property of the Envoy Dynamic Metadata - JSON). If omitted, it will be set to the name of the configuration. - type: string - wristband: - properties: - customClaims: - description: Any claims to be added to the wristband token - apart from the standard JWT claims (iss, iat, exp) added - by default. - items: - properties: - name: - description: The name of the JSON property - type: string - value: - description: Static value of the JSON property - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the JSON property - properties: - authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. 
''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' - type: string - type: object - required: - - name - type: object - type: array - issuer: - description: 'The endpoint to the Authorino service that - issues the wristband (format: ://:/, - where = /