diff --git a/build.yaml b/build.yaml
new file mode 100644
index 00000000..9baf75f1
--- /dev/null
+++ b/build.yaml
@@ -0,0 +1,3 @@
+config:
+ authorinoImage: quay.io/kuadrant/authorino:v0.17.2
+ replaces: authorino-operator.v0.11.1
diff --git a/bundle.Dockerfile b/bundle.Dockerfile
index d758f920..929b93b2 100644
--- a/bundle.Dockerfile
+++ b/bundle.Dockerfile
@@ -5,7 +5,8 @@ LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
 LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
 LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
 LABEL operators.operatorframework.io.bundle.package.v1=authorino-operator
-LABEL operators.operatorframework.io.bundle.channels.v1=alpha
+LABEL operators.operatorframework.io.bundle.channels.v1=preview
+LABEL operators.operatorframework.io.bundle.channel.default.v1=stable
 LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.32.0
 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
 LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v3
diff --git a/bundle/manifests/authorino-operator.clusterserviceversion.yaml b/bundle/manifests/authorino-operator.clusterserviceversion.yaml
index 4b336748..73e5802e 100644
--- a/bundle/manifests/authorino-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/authorino-operator.clusterserviceversion.yaml
@@ -82,8 +82,8 @@ metadata:
 ]
 capabilities: Basic Install
 categories: Integration & Delivery
- containerImage: quay.io/kuadrant/authorino-operator:latest
- createdAt: "2024-08-15T19:27:09Z"
+ containerImage: quay.io/kuadrant/authorino-operator:v0.12.0-rc1
+ createdAt: "2024-08-26T10:53:28Z"
 operators.operatorframework.io/builder: operator-sdk-v1.32.0
 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
 repository: https://github.com/Kuadrant/authorino-operator
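Review bot: `authorinoImage` pins the Authorino image by a mutable tag (`quay.io/kuadrant/authorino:v0.17.2`) rather than by digest, so the webhooks container rendered from it (the `image:` line in the CSV `@@ -369` hunk, and likewise the operator's `containerImage`/`image` in the `@@ -82` and `@@ -319` hunks) can silently change content if the tag is ever re-pushed. Staging a release candidate this way is fine, but before the bundle is published consider resolving to `quay.io/kuadrant/authorino@sha256:<digest>` so that what was validated is what gets installed. The new file carries no comment saying who consumes it; presumably the bundle build reads it to render the CSV, and `replaces` is duplicated verbatim in the CSV `@@ -509` hunk, so a header such as `# Inputs for the bundle build; keep replaces in sync with the CSV spec.replaces` would tell the next editor which copy is the source of truth.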
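Review bot: The new default channel `stable` (the added `channel.default.v1` label) is not in the bundle's channel list, which the line above it now sets to just `preview`; OLM expects the default channel to be one of the bundle's channels, and I believe `operator-sdk bundle validate` rejects this combination. Either include it, `LABEL operators.operatorframework.io.bundle.channels.v1=preview,stable`, or set the default to `preview`, which also seems more appropriate while the CSV version is an `-rc1`. The same two values normally live in `bundle/metadata/annotations.yaml` as well, which is not in this diff, so it is worth confirming that file was regenerated and agrees with these labels.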
@@ -93,7 +93,7 @@ metadata:
 operatorframework.io/arch.ppc64le: supported
 operatorframework.io/arch.s390x: supported
 operatorframework.io/os.linux: supported
- name: authorino-operator.v0.0.0
+ name: authorino-operator.v0.12.0-rc1
 namespace: placeholder
 spec:
 apiservicedefinitions: {}
@@ -319,7 +319,7 @@ spec:
 - --leader-elect
 command:
 - /manager
- image: quay.io/kuadrant/authorino-operator:latest
+ image: quay.io/kuadrant/authorino-operator:v0.12.0-rc1
 livenessProbe:
 httpGet:
 path: /healthz
@@ -369,7 +369,7 @@ spec:
 - command:
 - authorino
 - webhooks
- image: quay.io/kuadrant/authorino:latest
+ image: quay.io/kuadrant/authorino:v0.17.2
 name: webhooks
 ports:
 - containerPort: 9443
@@ -495,7 +495,7 @@ spec:
 minKubeVersion: 1.8.0
 provider:
 name: Red Hat
- version: 0.0.0
+ version: 0.12.0-rc1
 webhookdefinitions:
 - admissionReviewVersions:
 - v1beta1
@@ -509,3 +509,4 @@ spec:
 targetPort: 9443
 type: ConversionWebhook
 webhookPath: /convert
+ replaces: authorino-operator.v0.11.1
diff --git a/bundle/manifests/authorino.kuadrant.io_authconfigs.yaml b/bundle/manifests/authorino.kuadrant.io_authconfigs.yaml
index ee1d552b..b6f2bcd7 100644
--- a/bundle/manifests/authorino.kuadrant.io_authconfigs.yaml
+++ b/bundle/manifests/authorino.kuadrant.io_authconfigs.yaml
@@ -3,7 +3,7 @@ kind: CustomResourceDefinition
 metadata:
 annotations:
 cert-manager.io/inject-ca-from: authorino-operator/authorino-webhook-server-cert
- controller-gen.kubebuilder.io/version: v0.15.0
+ controller-gen.kubebuilder.io/version: v0.9.0
 creationTimestamp: null
 name: authconfigs.authorino.kuadrant.io
 spec:
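Review bot: The added `replaces: authorino-operator.v0.11.1` in the `@@ -509` hunk creates an upgrade edge that OLM can only follow if v0.11.1 is present in the same catalog channel as this bundle, and this commit moves the bundle's channel from `alpha` to `preview` in `bundle.Dockerfile`; if v0.11.1 was only ever published under `alpha`, the edge will not resolve and v0.12.0-rc1 will land as a fresh entry rather than an upgrade. Worth confirming against the catalog index before release, and using the `olm.skipRange` annotation if intermediate versions are expected to be skipped. The replaced version is also spelled out in `build.yaml`, so the two should not be edited independently. Separately, the CRD hunk at `@@ -3,7` shows the bundle was regenerated with controller-gen v0.9.0 where the previous bundle used v0.15.0, which is why every description block in the CRD diff was re-folded; that reads like a local toolchain mismatch rather than an intended downgrade and is worth checking before the bundle is tagged.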
@@ -66,19 +66,14 @@ spec: description: AuthConfig is the schema for Authorino's AuthConfig API properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -88,13 +83,13 @@ spec: service hosts. properties: authorization: - description: |- - Authorization is the list of authorization policies. - All policies in this list MUST evaluate to "true" for a request be successful in the authorization phase. + description: Authorization is the list of authorization policies. + All policies in this list MUST evaluate to "true" for a request + be successful in the authorization phase. items: - description: |- - Authorization policy to be enforced. - Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "opa", "json" or "kubernetes". + description: 'Authorization policy to be enforced. Apart from "name", + one of the following parameters is required and only one of the + following parameters is allowed: "opa", "json" or "kubernetes".' oneOf: - properties: name: {} 
@@ -142,12 +137,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object 
@@ -168,12 +166,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -190,12 +193,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -234,12 +242,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -256,12 +269,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object @@ -270,14 +288,14 @@ spec: - endpoint type: object cache: - description: |- - Caching options for the policy evaluation results when enforcing this config. - Omit it to avoid caching policy evaluation results for this config. + description: Caching options for the policy evaluation results + when enforcing this config. Omit it to avoid caching policy + evaluation results for this config. properties: key: - description: |- - Key used to store the entry in the cache. - Cache entries from different metadata configs are stored and managed separately regardless of the key. + description: Key used to store the entry in the cache. Cache + entries from different metadata configs are stored and + managed separately regardless of the key. properties: value: description: Static value 
@@ -286,12 +304,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object @@ -346,9 +367,12 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to + the content fetched from the authorization JSON, + for comparison with "value". Possible values are: + "eq" (equal to), "neq" (not equal to), "incl" (includes; + for arrays), "excl" (excludes; for arrays), "matches" + (regex)' enum: - eq - neq 
@@ -360,14 +384,16 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input + authorization JSON built by Authorino along the + identity and metadata phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the value + must compile to a valid Golang regex. type: string type: object type: array @@ -375,8 +401,7 @@ spec: - rules type: object kubernetes: - description: |- - Kubernetes authorization policy based on `SubjectAccessReview` + description: Kubernetes authorization policy based on `SubjectAccessReview` Path and Verb are inferred from the request. properties: groups: @@ -385,9 +410,10 @@ spec: type: string type: array resourceAttributes: - description: |- - Use ResourceAttributes for checking permissions on Kubernetes resources - If omitted, it performs a non-resource `SubjectAccessReview`, with verb and path inferred from the request. + description: Use ResourceAttributes for checking permissions + on Kubernetes resources If omitted, it performs a non-resource + `SubjectAccessReview`, with verb and path inferred from + the request. properties: group: description: StaticOrDynamicValue is either a constant 
@@ -402,12 +428,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -424,12 +455,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -446,12 +482,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -468,12 +509,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -490,12 +536,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -512,20 +563,25 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object type: object user: - description: |- - User to test for. - If without "Groups", then is it interpreted as "What if User were not a member of any groups" + description: User to test for. If without "Groups", then + is it interpreted as "What if User were not a member of + any groups" properties: value: description: Static value 
@@ -534,12 +590,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object 
@@ -552,27 +611,30 @@ spec: individual observability metrics type: boolean name: - description: |- - Name of the authorization policy. - It can be used to refer to the resolved authorization object in other configs. + description: Name of the authorization policy. It can be used + to refer to the resolved authorization object in other configs. type: string opa: description: Open Policy Agent (OPA) authorization policy. properties: allValues: default: false - description: |- - Returns the value of all Rego rules in the virtual document. Values can be read in subsequent evaluators/phases of the Auth Pipeline. - Otherwise, only the default `allow` rule will be exposed. - Returning all Rego rules can affect performance of OPA policies during reconciliation (policy precompile) and at runtime. + description: Returns the value of all Rego rules in the + virtual document. Values can be read in subsequent evaluators/phases + of the Auth Pipeline. Otherwise, only the default `allow` + rule will be exposed. Returning all Rego rules can affect + performance of OPA policies during reconciliation (policy + precompile) and at runtime. type: boolean externalRegistry: description: External registry of OPA policies. properties: credentials: - description: |- - Defines where client credentials will be passed in the request to the service. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + description: Defines where client credentials will be + passed in the request to the service. If omitted, + it defaults to client credentials passed in the HTTP + Authorization header and the "Bearer" prefix expected + prepended to the secret value. properties: in: default: authorization_header 
@@ -586,24 +648,32 @@ spec: - cookie type: string keySelector: - description: |- - Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). - When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. + description: Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value + is the prefix of the client credentials string, + separated by a white-space, in the HTTP Authorization + header (e.g. "Bearer", "Basic"). When used with + `custom_header`, `query` or `cookie`, the value + is the name of the HTTP header, query string parameter + or cookie key, respectively. type: string required: - keySelector type: object endpoint: - description: |- - Endpoint of the HTTP external registry. - The endpoint must respond with either plain/text or application/json content-type. - In the latter case, the JSON returned in the body must include a path `result.raw`, where the raw Rego policy will be extracted from. This complies with the specification of the OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy). + description: Endpoint of the HTTP external registry. + The endpoint must respond with either plain/text or + application/json content-type. In the latter case, + the JSON returned in the body must include a path + `result.raw`, where the raw Rego policy will be extracted + from. This complies with the specification of the + OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy). type: string sharedSecretRef: - description: |- - Reference to a Secret key whose value will be passed by Authorino in the request. - The HTTP service can use the shared secret to authenticate the origin of the request. 
+ description: Reference to a Secret key whose value will + be passed by Authorino in the request. The HTTP service + can use the shared secret to authenticate the origin + of the request. properties: key: description: The key of the secret to select from. Must @@ -623,23 +693,24 @@ spec: type: integer type: object inlineRego: - description: |- - Authorization policy as a Rego language document. - The Rego document must include the "allow" condition, set by Authorino to "false" by default (i.e. requests are unauthorized unless changed). - The Rego document must NOT include the "package" declaration in line 1. + description: Authorization policy as a Rego language document. + The Rego document must include the "allow" condition, + set by Authorino to "false" by default (i.e. requests + are unauthorized unless changed). The Rego document must + NOT include the "package" declaration in line 1. type: string type: object priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. type: integer when: - description: |- - Conditions for Authorino to enforce this authorization policy. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this authorization + policy. If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to be + enforced; otherwise, the config will be skipped. items: oneOf: - properties: 
@@ -677,9 +748,11 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq @@ -691,14 +764,16 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. type: string type: object type: array 
@@ -707,9 +782,8 @@ spec: type: object type: array callbacks: - description: |- - List of callback configs. - Authorino sends callbacks to specified endpoints at the end of the auth pipeline. + description: List of callback configs. Authorino sends callbacks to + specified endpoints at the end of the auth pipeline. items: description: Endpoints to callback at the end of each auth pipeline. properties: @@ -718,10 +792,10 @@ spec: metadata from a HTTP service. properties: body: - description: |- - Raw body of the HTTP request. - Supersedes 'bodyParameters'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Raw body of the HTTP request. Supersedes 'bodyParameters'; + use either one or the other. Use it with method=POST; + for GET requests, set parameters as query string in the + 'endpoint' (placeholders can be used). properties: value: description: Static value 
@@ -730,20 +804,24 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object bodyParameters: - description: |- - Custom parameters to encode in the body of the HTTP request. - Superseded by 'body'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Custom parameters to encode in the body of + the HTTP request. Superseded by 'body'; use either one + or the other. Use it with method=POST; for GET requests, + set parameters as query string in the 'endpoint' (placeholders + can be used). items: properties: name: 
@@ -756,12 +834,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: 
@@ -770,17 +852,20 @@ spec: type: array contentType: default: application/x-www-form-urlencoded - description: |- - Content-Type of the request body. Shapes how 'bodyParameters' are encoded. - Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + description: Content-Type of the request body. Shapes how + 'bodyParameters' are encoded. Use it with method=POST; + for GET requests, Content-Type is automatically set to + 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: - description: |- - Defines where client credentials will be passed in the request to the service. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + description: Defines where client credentials will be passed + in the request to the service. If omitted, it defaults + to client credentials passed in the HTTP Authorization + header and the "Bearer" prefix expected prepended to the + secret value. properties: in: default: authorization_header 
@@ -794,20 +879,23 @@ spec: - cookie type: string keySelector: - description: |- - Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). - When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. + description: Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is + the prefix of the client credentials string, separated + by a white-space, in the HTTP Authorization header + (e.g. "Bearer", "Basic"). When used with `custom_header`, + `query` or `cookie`, the value is the name of the + HTTP header, query string parameter or cookie key, + respectively. type: string required: - keySelector type: object endpoint: - description: |- - Endpoint of the HTTP service. - The endpoint accepts variable placeholders in the format "{selector}", where "selector" is any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. - E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} + description: Endpoint of the HTTP service. The endpoint + accepts variable placeholders in the format "{selector}", + where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} type: string headers: description: Custom headers in the HTTP request. 
@@ -823,12 +911,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: @@ -837,9 +929,10 @@ spec: type: array method: default: GET - description: |- - HTTP verb used in the request to the service. Accepted values: GET (default), POST. - When the request method is POST, the authorization JSON is passed in the body of the request. + description: 'HTTP verb used in the request to the service. + Accepted values: GET (default), POST. When the request + method is POST, the authorization JSON is passed in the + body of the request.' enum: - GET - POST 
@@ -850,9 +943,9 @@ spec: properties: cache: default: true - description: |- - Caches and reuses the token until expired. - Set it to false to force fetch the token at every authorization request regardless of expiration. + description: Caches and reuses the token until expired. + Set it to false to force fetch the token at every + authorization request regardless of expiration. type: boolean clientId: description: OAuth2 Client ID. @@ -895,10 +988,10 @@ spec: - tokenUrl type: object sharedSecretRef: - description: |- - Reference to a Secret key whose value will be passed by Authorino in the request. - The HTTP service can use the shared secret to authenticate the origin of the request. - Ignored if used together with oauth2. + description: Reference to a Secret key whose value will + be passed by Authorino in the request. The HTTP service + can use the shared secret to authenticate the origin of + the request. Ignored if used together with oauth2. properties: key: description: The key of the secret to select from. Must 
@@ -921,21 +1014,20 @@ spec: observability metrics type: boolean name: - description: |- - Name of the callback. - It can be used to refer to the resolved callback response in other configs. + description: Name of the callback. It can be used to refer to + the resolved callback response in other configs. type: string priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. type: integer when: - description: |- - Conditions for Authorino to perform this callback. + description: Conditions for Authorino to perform this callback. If omitted, the callback will be attempted for all requests. - If present, all conditions must match for the callback to be attempted; otherwise, the callback will be skipped. + If present, all conditions must match for the callback to + be attempted; otherwise, the callback will be skipped. items: properties: all: @@ -953,9 +1045,11 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq 
@@ -967,14 +1061,16 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. type: string type: object type: array 
@@ -1001,12 +1097,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object 
@@ -1032,12 +1131,15 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object required: 
@@ -1054,12 +1156,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object 
@@ -1078,12 +1183,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object 
@@ -1109,12 +1217,15 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object required: 
@@ -1131,32 +1242,37 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object type: object type: object hosts: - description: |- - The list of public host names of the services protected by this authentication/authorization scheme. - Authorino uses the requested host to lookup for the corresponding authentication/authorization configs to enforce. + description: The list of public host names of the services protected + by this authentication/authorization scheme. Authorino uses the + requested host to lookup for the corresponding authentication/authorization + configs to enforce. items: type: string type: array identity: - description: |- - List of identity sources/authentication modes. - At least one config of this list MUST evaluate to a valid identity for a request to be successful in the identity verification phase. + description: List of identity sources/authentication modes. 
At least + one config of this list MUST evaluate to a valid identity for a + request to be successful in the identity verification phase. items: - description: |- - The identity source/authentication mode config. - Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "oicd", "apiKey" or "kubernetes". + description: 'The identity source/authentication mode config. Apart + from "name", one of the following parameters is required and only + one of the following parameters is allowed: "oicd", "apiKey" or + "kubernetes".' oneOf: - properties: credentials: {} @@ -1214,9 +1330,10 @@ spec: properties: allNamespaces: default: false - description: |- - Whether Authorino should look for API key secrets in all namespaces or only in the same namespace as the AuthConfig. - Enabling this option in namespaced Authorino instances has no effect. + description: Whether Authorino should look for API key secrets + in all namespaces or only in the same namespace as the + AuthConfig. Enabling this option in namespaced Authorino + instances has no effect. type: boolean selector: description: Label selector used by Authorino to match secrets @@ -1227,8 +1344,8 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates the key and values. properties: key: 
@@ -1236,16 +1353,17 @@ spec: applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -1257,25 +1375,25 @@ spec: matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object - x-kubernetes-map-type: atomic required: - selector type: object cache: - description: |- - Caching options for the identity resolved when applying this config. - Omit it to avoid caching identity objects for this config. + description: Caching options for the identity resolved when + applying this config. Omit it to avoid caching identity objects + for this config. properties: key: - description: |- - Key used to store the entry in the cache. - Cache entries from different metadata configs are stored and managed separately regardless of the key. + description: Key used to store the entry in the cache. Cache + entries from different metadata configs are stored and + managed separately regardless of the key. properties: value: description: Static value 
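Review bot: Besides re-wrapping descriptions, this hunk removes `x-kubernetes-map-type: atomic` from the `apiKey.selector` label selector, which is a schema change rather than a formatting one: that extension tells server-side apply to replace the selector as a whole instead of merging `matchLabels`/`matchExpressions` entries contributed by different field managers. Since this selector decides which Secrets Authorino accepts as API keys, losing atomic semantics means a selector rewrite applied by one manager can be merged with entries left by another, so the effective selector may differ from what either intended. The conversion of every description from `|-` block scalars to folded plain scalars suggests the bundle was regenerated with an older controller-gen than the previous bundle; if so, regenerate with the matching version so the marker is kept (restore `x-kubernetes-map-type: atomic` right after the selector's closing `type: object`), or state in the commit message that dropping it is intended. The same marker is also removed further down for the TLS-secret selector and the oauth2 credentials reference.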
@@ -1284,12 +1402,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object @@ -1302,9 +1423,11 @@ spec: - key type: object credentials: - description: |- - Defines where client credentials are required to be passed in the request for this identity source/authentication mode. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the credentials value (token, API key, etc). + description: Defines where client credentials are required to + be passed in the request for this identity source/authentication + mode. If omitted, it defaults to client credentials passed + in the HTTP Authorization header and the "Bearer" prefix expected + prepended to the credentials value (token, API key, etc). properties: in: default: authorization_header 
@@ -1318,18 +1441,23 @@ spec: - cookie type: string keySelector: - description: |- - Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). - When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. + description: Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is the + prefix of the client credentials string, separated by + a white-space, in the HTTP Authorization header (e.g. + "Bearer", "Basic"). When used with `custom_header`, `query` + or `cookie`, the value is the name of the HTTP header, + query string parameter or cookie key, respectively. type: string required: - keySelector type: object extendedProperties: - description: |- - Extends the resolved identity object with additional custom properties before appending to the authorization JSON. - It requires the resolved identity object to always be of the JSON type 'object'. Other JSON types (array, string, etc) will break. + description: Extends the resolved identity object with additional + custom properties before appending to the authorization JSON. + It requires the resolved identity object to always be of the + JSON type 'object'. Other JSON types (array, string, etc) + will break. items: properties: name: 
@@ -1347,12 +1475,15 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object required: @@ -1362,9 +1493,11 @@ spec: kubernetes: properties: audiences: - description: |- - The list of audiences (scopes) that must be claimed in a Kubernetes authentication token supplied in the request, and reviewed by Authorino. - If omitted, Authorino will review tokens expecting the host name of the requested protected service amongst the audiences. + description: The list of audiences (scopes) that must be + claimed in a Kubernetes authentication token supplied + in the request, and reviewed by Authorino. If omitted, + Authorino will review tokens expecting the host name of + the requested protected service amongst the audiences. items: type: string type: array 
@@ -1378,9 +1511,10 @@ spec: properties: allNamespaces: default: false - description: |- - Whether Authorino should look for TLS secrets in all namespaces or only in the same namespace as the AuthConfig. - Enabling this option in namespaced Authorino instances has no effect. + description: Whether Authorino should look for TLS secrets + in all namespaces or only in the same namespace as the + AuthConfig. Enabling this option in namespaced Authorino + instances has no effect. type: boolean selector: description: Label selector used by Authorino to match secrets @@ -1391,8 +1525,8 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates the key and values. properties: key: @@ -1400,16 +1534,17 @@ spec: applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -1421,21 +1556,21 @@ spec: matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object - x-kubernetes-map-type: atomic required: - selector type: object name: - description: |- - The name of this identity source/authentication mode. - It usually identifies a source of identities or group of users/clients of the protected service. - It can be used to refer to the resolved identity object in other configs. + description: The name of this identity source/authentication + mode. It usually identifies a source of identities or group + of users/clients of the protected service. It can be used + to refer to the resolved identity object in other configs. type: string oauth2: properties: 
@@ -1445,19 +1580,15 @@ spec: server. properties: name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object - x-kubernetes-map-type: atomic tokenIntrospectionUrl: description: The full URL of the token introspection endpoint. type: string tokenTypeHint: - description: |- - The token type hint for the token introspection. + description: The token type hint for the token introspection. If omitted, it defaults to "access_token". type: string required: @@ -1467,10 +1598,14 @@ spec: oidc: properties: endpoint: - description: |- - Endpoint of the OIDC issuer. - Authorino will append to this value the well-known path to the OpenID Connect discovery endpoint (i.e. "/.well-known/openid-configuration"), used to automatically discover the OpenID Connect configuration, whose set of claims is expected to include (among others) the "jkws_uri" claim. - The value must coincide with the value of the "iss" (issuer) claim of the discovered OpenID Connect configuration. + description: Endpoint of the OIDC issuer. Authorino will + append to this value the well-known path to the OpenID + Connect discovery endpoint (i.e. "/.well-known/openid-configuration"), + used to automatically discover the OpenID Connect configuration, + whose set of claims is expected to include (among others) + the "jkws_uri" claim. The value must coincide with the + value of the "iss" (issuer) claim of the discovered OpenID + Connect configuration. type: string ttl: description: Decides how long to wait before refreshing 
@@ -1482,25 +1617,28 @@ spec: plain: properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the authorization + JSON (e.g. ''context.request.http.host'') or a string + template with variable placeholders that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). Any patterns supported + by https://pkg.go.dev/github.com/tidwall/gjson can be + used. The following string modifiers are available: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string type: object priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. type: integer when: - description: |- - Conditions for Authorino to enforce this identity config. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this identity + config. If omitted, the config will be enforced for all requests. 
+ If present, all conditions must match for the config to be + enforced; otherwise, the config will be skipped. items: oneOf: - properties: @@ -1538,9 +1676,11 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq @@ -1552,14 +1692,16 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. type: string type: object type: array 
@@ -1568,13 +1710,12 @@ spec: type: object type: array metadata: - description: |- - List of metadata source configs. - Authorino fetches JSON content from sources on this list on every request. + description: List of metadata source configs. Authorino fetches JSON + content from sources on this list on every request. items: - description: |- - The metadata config. - Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "http", userInfo" or "uma". + description: 'The metadata config. Apart from "name", one of the + following parameters is required and only one of the following + parameters is allowed: "http", userInfo" or "uma".' oneOf: - properties: name: {} @@ -1596,14 +1737,14 @@ spec: - http properties: cache: - description: |- - Caching options for the external metadata fetched when applying this config. - Omit it to avoid caching metadata from this source. + description: Caching options for the external metadata fetched + when applying this config. Omit it to avoid caching metadata + from this source. properties: key: - description: |- - Key used to store the entry in the cache. - Cache entries from different metadata configs are stored and managed separately regardless of the key. + description: Key used to store the entry in the cache. Cache + entries from different metadata configs are stored and + managed separately regardless of the key. properties: value: description: Static value 
@@ -1612,12 +1753,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object @@ -1634,10 +1778,10 @@ spec: metadata from a HTTP service. properties: body: - description: |- - Raw body of the HTTP request. - Supersedes 'bodyParameters'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Raw body of the HTTP request. Supersedes 'bodyParameters'; + use either one or the other. Use it with method=POST; + for GET requests, set parameters as query string in the + 'endpoint' (placeholders can be used). properties: value: description: Static value 
@@ -1646,20 +1790,24 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object bodyParameters: - description: |- - Custom parameters to encode in the body of the HTTP request. - Superseded by 'body'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Custom parameters to encode in the body of + the HTTP request. Superseded by 'body'; use either one + or the other. Use it with method=POST; for GET requests, + set parameters as query string in the 'endpoint' (placeholders + can be used). items: properties: name: 
@@ -1672,12 +1820,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: 
@@ -1686,17 +1838,20 @@ spec: type: array contentType: default: application/x-www-form-urlencoded - description: |- - Content-Type of the request body. Shapes how 'bodyParameters' are encoded. - Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + description: Content-Type of the request body. Shapes how + 'bodyParameters' are encoded. Use it with method=POST; + for GET requests, Content-Type is automatically set to + 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: - description: |- - Defines where client credentials will be passed in the request to the service. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + description: Defines where client credentials will be passed + in the request to the service. If omitted, it defaults + to client credentials passed in the HTTP Authorization + header and the "Bearer" prefix expected prepended to the + secret value. properties: in: default: authorization_header 
@@ -1710,20 +1865,23 @@ spec: - cookie type: string keySelector: - description: |- - Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). - When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. + description: Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is + the prefix of the client credentials string, separated + by a white-space, in the HTTP Authorization header + (e.g. "Bearer", "Basic"). When used with `custom_header`, + `query` or `cookie`, the value is the name of the + HTTP header, query string parameter or cookie key, + respectively. type: string required: - keySelector type: object endpoint: - description: |- - Endpoint of the HTTP service. - The endpoint accepts variable placeholders in the format "{selector}", where "selector" is any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. - E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} + description: Endpoint of the HTTP service. The endpoint + accepts variable placeholders in the format "{selector}", + where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} type: string headers: description: Custom headers in the HTTP request. 
@@ -1739,12 +1897,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: @@ -1753,9 +1915,10 @@ spec: type: array method: default: GET - description: |- - HTTP verb used in the request to the service. Accepted values: GET (default), POST. - When the request method is POST, the authorization JSON is passed in the body of the request. + description: 'HTTP verb used in the request to the service. + Accepted values: GET (default), POST. When the request + method is POST, the authorization JSON is passed in the + body of the request.' enum: - GET - POST 
@@ -1766,9 +1929,9 @@ spec: properties: cache: default: true - description: |- - Caches and reuses the token until expired. - Set it to false to force fetch the token at every authorization request regardless of expiration. + description: Caches and reuses the token until expired. + Set it to false to force fetch the token at every + authorization request regardless of expiration. type: boolean clientId: description: OAuth2 Client ID. @@ -1811,10 +1974,10 @@ spec: - tokenUrl type: object sharedSecretRef: - description: |- - Reference to a Secret key whose value will be passed by Authorino in the request. - The HTTP service can use the shared secret to authenticate the origin of the request. - Ignored if used together with oauth2. + description: Reference to a Secret key whose value will + be passed by Authorino in the request. The HTTP service + can use the shared secret to authenticate the origin of + the request. Ignored if used together with oauth2. properties: key: description: The key of the secret to select from. Must @@ -1837,15 +2000,14 @@ spec: observability metrics type: boolean name: - description: |- - The name of the metadata source. - It can be used to refer to the resolved metadata object in other configs. + description: The name of the metadata source. It can be used + to refer to the resolved metadata object in other configs. type: string priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. type: integer uma: description: User-Managed Access (UMA) source of resource data. 
@@ -1856,17 +2018,14 @@ spec: registration API of the UMA server. properties: name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object - x-kubernetes-map-type: atomic endpoint: - description: |- - The endpoint of the UMA server. - The value must coincide with the "issuer" claim of the UMA config discovered from the well-known uma configuration endpoint. + description: The endpoint of the UMA server. The value must + coincide with the "issuer" claim of the UMA config discovered + from the well-known uma configuration endpoint. type: string required: - credentialsRef @@ -1885,10 +2044,10 @@ spec: - identitySource type: object when: - description: |- - Conditions for Authorino to apply this metadata config. - If omitted, the config will be applied for all requests. - If present, all conditions must match for the config to be applied; otherwise, the config will be skipped. + description: Conditions for Authorino to apply this metadata + config. If omitted, the config will be applied for all requests. + If present, all conditions must match for the config to be + applied; otherwise, the config will be skipped. items: oneOf: - properties: 
@@ -1926,9 +2085,11 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq @@ -1940,14 +2101,16 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. type: string type: object type: array 
@@ -1960,9 +2123,11 @@ spec: items: properties: operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the content + fetched from the authorization JSON, for comparison with + "value". Possible values are: "eq" (equal to), "neq" (not + equal to), "incl" (includes; for arrays), "excl" (excludes; + for arrays), "matches" (regex)' enum: - eq - neq @@ -1971,14 +2136,16 @@ spec: - matches type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison with + the content fetched from the authorization JSON. If used + with the "matches" operator, the value must compile to a + valid Golang regex. type: string type: object type: array 
@@ -1986,13 +2153,12 @@ spec: conditionals and in JSON-pattern matching policy rules. type: object response: - description: |- - List of response configs. - Authorino gathers data from the auth pipeline to build custom responses for the client. + description: List of response configs. Authorino gathers data from + the auth pipeline to build custom responses for the client. items: - description: |- - Dynamic response to return to the client. - Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "wristband" or "json". + description: 'Dynamic response to return to the client. Apart from + "name", one of the following parameters is required and only one + of the following parameters is allowed: "wristband" or "json".' oneOf: - properties: name: {} @@ -2014,14 +2180,14 @@ spec: - plain properties: cache: - description: |- - Caching options for dynamic responses built when applying this config. - Omit it to avoid caching dynamic responses for this config. + description: Caching options for dynamic responses built when + applying this config. Omit it to avoid caching dynamic responses + for this config. properties: key: - description: |- - Key used to store the entry in the cache. - Cache entries from different metadata configs are stored and managed separately regardless of the key. + description: Key used to store the entry in the cache. Cache + entries from different metadata configs are stored and + managed separately regardless of the key. properties: value: description: Static value 
@@ -2030,12 +2196,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object 
@@ -2064,12 +2233,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: @@ -2085,9 +2258,8 @@ spec: observability metrics type: boolean name: - description: |- - Name of the custom response. - It can be used to refer to the resolved response object in other configs. + description: Name of the custom response. It can be used to + refer to the resolved response object in other configs. type: string plain: description: StaticOrDynamicValue is either a constant static 
@@ -2101,26 +2273,29 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders that + resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are available: + @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. type: integer when: - description: |- - Conditions for Authorino to enforce this custom response config. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this custom + response config. If omitted, the config will be enforced for + all requests. 
If present, all conditions must match for the + config to be enforced; otherwise, the config will be skipped. items: oneOf: - properties: @@ -2158,9 +2333,11 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq 
@@ -2172,30 +2349,32 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. type: string type: object type: array wrapper: default: httpHeader - description: |- - How Authorino wraps the response. - Use "httpHeader" (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" to wrap the response as Envoy Dynamic Metadata + description: How Authorino wraps the response. Use "httpHeader" + (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" + to wrap the response as Envoy Dynamic Metadata enum: - httpHeader - envoyDynamicMetadata type: string wrapperKey: - description: |- - The name of key used in the wrapped response (name of the HTTP header or property of the Envoy Dynamic Metadata JSON). - If omitted, it will be set to the name of the configuration. + description: The name of key used in the wrapped response (name + of the HTTP header or property of the Envoy Dynamic Metadata + JSON). If omitted, it will be set to the name of the configuration. type: string wristband: properties: 
@@ -2215,12 +2394,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: @@ -2233,9 +2416,10 @@ spec: where = / = / = /=1.19.0-0" type: application # The version will be properly set when the chart is released matching the operator version -version: "0.0.0" +version: "0.12.0-rc1" maintainers: - email: mcassola@redhat.com name: Guilherme Cassolato diff --git a/charts/authorino-operator/templates/manifests.yaml b/charts/authorino-operator/templates/manifests.yaml index d03f50f0..74079c13 100644 --- a/charts/authorino-operator/templates/manifests.yaml +++ b/charts/authorino-operator/templates/manifests.yaml @@ -6171,7 +6171,7 @@ spec: - --leader-elect command: - /manager - image: quay.io/kuadrant/authorino-operator:latest + image: quay.io/kuadrant/authorino-operator:v0.12.0-rc1 livenessProbe: httpGet: path: /healthz 
@@ -6225,7 +6225,7 @@ spec: - command: - authorino - webhooks - image: quay.io/kuadrant/authorino:latest + image: quay.io/kuadrant/authorino:v0.17.2 name: webhooks ports: - containerPort: 9443 diff --git a/config/authorino/kustomization.yaml b/config/authorino/kustomization.yaml index ef0ddde0..e974a42f 100644 --- a/config/authorino/kustomization.yaml +++ b/config/authorino/kustomization.yaml @@ -2,14 +2,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- github.com/Kuadrant/authorino/install?ref=main +- github.com/Kuadrant/authorino/install?ref=v0.17.2 - webhook # Configures the conversion webhook images: - name: AUTHORINO_IMAGE newName: quay.io/kuadrant/authorino - newTag: latest + newTag: v0.17.2 patchesStrategicMerge: - webhook/patches/webhook_in_authconfigs.yaml diff --git a/config/deploy/manifests.yaml b/config/deploy/manifests.yaml index 5f616249..74079c13 100644 --- a/config/deploy/manifests.yaml +++ b/config/deploy/manifests.yaml @@ -10,7 +10,7 @@ kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: authorino-operator/authorino-webhook-server-cert - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.9.0 name: authconfigs.authorino.kuadrant.io spec: conversion: 
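Review bot: The kustomization hunk pins the upstream install base to `ref=v0.17.2` and the image to `newTag: v0.17.2`, but a git tag and an image tag are both mutable references that can be moved on the upstream repository or registry without anything in this repository changing. For a release artifact it is worth pinning the remote base to the commit behind the tag, `- github.com/Kuadrant/authorino/install?ref=<commit-sha-of-v0.17.2>`, and adding `digest: sha256:<digest-of-v0.17.2>` next to `newTag` in the `images` entry so the rendered manifests resolve to one immutable image. Kustomize accepts both forms, and the tag can remain in a comment for readability.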
@@ -72,19 +72,14 @@ spec: description: AuthConfig is the schema for Authorino's AuthConfig API properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -94,13 +89,13 @@ spec: service hosts. properties: authorization: - description: |- - Authorization is the list of authorization policies. - All policies in this list MUST evaluate to "true" for a request be successful in the authorization phase. + description: Authorization is the list of authorization policies. + All policies in this list MUST evaluate to "true" for a request + be successful in the authorization phase. items: - description: |- - Authorization policy to be enforced. - Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "opa", "json" or "kubernetes". + description: 'Authorization policy to be enforced. Apart from "name", + one of the following parameters is required and only one of the + following parameters is allowed: "opa", "json" or "kubernetes".' oneOf: - properties: name: {} 
@@ -148,12 +143,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object 
@@ -174,12 +172,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -196,12 +199,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -240,12 +248,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -262,12 +275,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object @@ -276,14 +294,14 @@ spec: - endpoint type: object cache: - description: |- - Caching options for the policy evaluation results when enforcing this config. - Omit it to avoid caching policy evaluation results for this config. + description: Caching options for the policy evaluation results + when enforcing this config. Omit it to avoid caching policy + evaluation results for this config. properties: key: - description: |- - Key used to store the entry in the cache. - Cache entries from different metadata configs are stored and managed separately regardless of the key. + description: Key used to store the entry in the cache. Cache + entries from different metadata configs are stored and + managed separately regardless of the key. properties: value: description: Static value 
@@ -292,12 +310,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object @@ -352,9 +373,12 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to + the content fetched from the authorization JSON, + for comparison with "value". Possible values are: + "eq" (equal to), "neq" (not equal to), "incl" (includes; + for arrays), "excl" (excludes; for arrays), "matches" + (regex)' enum: - eq - neq 
@@ -366,14 +390,16 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input + authorization JSON built by Authorino along the + identity and metadata phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the value + must compile to a valid Golang regex. type: string type: object type: array @@ -381,8 +407,7 @@ spec: - rules type: object kubernetes: - description: |- - Kubernetes authorization policy based on `SubjectAccessReview` + description: Kubernetes authorization policy based on `SubjectAccessReview` Path and Verb are inferred from the request. properties: groups: @@ -391,9 +416,10 @@ spec: type: string type: array resourceAttributes: - description: |- - Use ResourceAttributes for checking permissions on Kubernetes resources - If omitted, it performs a non-resource `SubjectAccessReview`, with verb and path inferred from the request. + description: Use ResourceAttributes for checking permissions + on Kubernetes resources If omitted, it performs a non-resource + `SubjectAccessReview`, with verb and path inferred from + the request. properties: group: description: StaticOrDynamicValue is either a constant 
@@ -408,12 +434,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -430,12 +461,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -452,12 +488,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -474,12 +515,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -496,12 +542,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -518,20 +569,25 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object type: object user: - description: |- - User to test for. - If without "Groups", then is it interpreted as "What if User were not a member of any groups" + description: User to test for. If without "Groups", then + is it interpreted as "What if User were not a member of + any groups" properties: value: description: Static value 
@@ -540,12 +596,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object 
@@ -558,27 +617,30 @@ spec: individual observability metrics type: boolean name: - description: |- - Name of the authorization policy. - It can be used to refer to the resolved authorization object in other configs. + description: Name of the authorization policy. It can be used + to refer to the resolved authorization object in other configs. type: string opa: description: Open Policy Agent (OPA) authorization policy. properties: allValues: default: false - description: |- - Returns the value of all Rego rules in the virtual document. Values can be read in subsequent evaluators/phases of the Auth Pipeline. - Otherwise, only the default `allow` rule will be exposed. - Returning all Rego rules can affect performance of OPA policies during reconciliation (policy precompile) and at runtime. + description: Returns the value of all Rego rules in the + virtual document. Values can be read in subsequent evaluators/phases + of the Auth Pipeline. Otherwise, only the default `allow` + rule will be exposed. Returning all Rego rules can affect + performance of OPA policies during reconciliation (policy + precompile) and at runtime. type: boolean externalRegistry: description: External registry of OPA policies. properties: credentials: - description: |- - Defines where client credentials will be passed in the request to the service. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + description: Defines where client credentials will be + passed in the request to the service. If omitted, + it defaults to client credentials passed in the HTTP + Authorization header and the "Bearer" prefix expected + prepended to the secret value. properties: in: default: authorization_header 
@@ -592,24 +654,32 @@ spec: - cookie type: string keySelector: - description: |- - Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). - When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. + description: Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value + is the prefix of the client credentials string, + separated by a white-space, in the HTTP Authorization + header (e.g. "Bearer", "Basic"). When used with + `custom_header`, `query` or `cookie`, the value + is the name of the HTTP header, query string parameter + or cookie key, respectively. type: string required: - keySelector type: object endpoint: - description: |- - Endpoint of the HTTP external registry. - The endpoint must respond with either plain/text or application/json content-type. - In the latter case, the JSON returned in the body must include a path `result.raw`, where the raw Rego policy will be extracted from. This complies with the specification of the OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy). + description: Endpoint of the HTTP external registry. + The endpoint must respond with either plain/text or + application/json content-type. In the latter case, + the JSON returned in the body must include a path + `result.raw`, where the raw Rego policy will be extracted + from. This complies with the specification of the + OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy). type: string sharedSecretRef: - description: |- - Reference to a Secret key whose value will be passed by Authorino in the request. - The HTTP service can use the shared secret to authenticate the origin of the request. 
+ description: Reference to a Secret key whose value will + be passed by Authorino in the request. The HTTP service + can use the shared secret to authenticate the origin + of the request. properties: key: description: The key of the secret to select from. Must @@ -629,23 +699,24 @@ spec: type: integer type: object inlineRego: - description: |- - Authorization policy as a Rego language document. - The Rego document must include the "allow" condition, set by Authorino to "false" by default (i.e. requests are unauthorized unless changed). - The Rego document must NOT include the "package" declaration in line 1. + description: Authorization policy as a Rego language document. + The Rego document must include the "allow" condition, + set by Authorino to "false" by default (i.e. requests + are unauthorized unless changed). The Rego document must + NOT include the "package" declaration in line 1. type: string type: object priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. type: integer when: - description: |- - Conditions for Authorino to enforce this authorization policy. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this authorization + policy. If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to be + enforced; otherwise, the config will be skipped. items: oneOf: - properties: 
@@ -683,9 +754,11 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq @@ -697,14 +770,16 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. type: string type: object type: array 
@@ -713,9 +788,8 @@ spec: type: object type: array callbacks: - description: |- - List of callback configs. - Authorino sends callbacks to specified endpoints at the end of the auth pipeline. + description: List of callback configs. Authorino sends callbacks to + specified endpoints at the end of the auth pipeline. items: description: Endpoints to callback at the end of each auth pipeline. properties: @@ -724,10 +798,10 @@ spec: metadata from a HTTP service. properties: body: - description: |- - Raw body of the HTTP request. - Supersedes 'bodyParameters'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Raw body of the HTTP request. Supersedes 'bodyParameters'; + use either one or the other. Use it with method=POST; + for GET requests, set parameters as query string in the + 'endpoint' (placeholders can be used). properties: value: description: Static value 
@@ -736,20 +810,24 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object bodyParameters: - description: |- - Custom parameters to encode in the body of the HTTP request. - Superseded by 'body'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Custom parameters to encode in the body of + the HTTP request. Superseded by 'body'; use either one + or the other. Use it with method=POST; for GET requests, + set parameters as query string in the 'endpoint' (placeholders + can be used). items: properties: name: 
@@ -762,12 +840,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: 
@@ -776,17 +858,20 @@ spec: type: array contentType: default: application/x-www-form-urlencoded - description: |- - Content-Type of the request body. Shapes how 'bodyParameters' are encoded. - Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + description: Content-Type of the request body. Shapes how + 'bodyParameters' are encoded. Use it with method=POST; + for GET requests, Content-Type is automatically set to + 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: - description: |- - Defines where client credentials will be passed in the request to the service. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + description: Defines where client credentials will be passed + in the request to the service. If omitted, it defaults + to client credentials passed in the HTTP Authorization + header and the "Bearer" prefix expected prepended to the + secret value. properties: in: default: authorization_header 
@@ -800,20 +885,23 @@ spec: - cookie type: string keySelector: - description: |- - Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). - When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. + description: Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is + the prefix of the client credentials string, separated + by a white-space, in the HTTP Authorization header + (e.g. "Bearer", "Basic"). When used with `custom_header`, + `query` or `cookie`, the value is the name of the + HTTP header, query string parameter or cookie key, + respectively. type: string required: - keySelector type: object endpoint: - description: |- - Endpoint of the HTTP service. - The endpoint accepts variable placeholders in the format "{selector}", where "selector" is any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. - E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} + description: Endpoint of the HTTP service. The endpoint + accepts variable placeholders in the format "{selector}", + where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} type: string headers: description: Custom headers in the HTTP request. 
@@ -829,12 +917,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: @@ -843,9 +935,10 @@ spec: type: array method: default: GET - description: |- - HTTP verb used in the request to the service. Accepted values: GET (default), POST. - When the request method is POST, the authorization JSON is passed in the body of the request. + description: 'HTTP verb used in the request to the service. + Accepted values: GET (default), POST. When the request + method is POST, the authorization JSON is passed in the + body of the request.' enum: - GET - POST 
@@ -856,9 +949,9 @@ spec: properties: cache: default: true - description: |- - Caches and reuses the token until expired. - Set it to false to force fetch the token at every authorization request regardless of expiration. + description: Caches and reuses the token until expired. + Set it to false to force fetch the token at every + authorization request regardless of expiration. type: boolean clientId: description: OAuth2 Client ID. @@ -901,10 +994,10 @@ spec: - tokenUrl type: object sharedSecretRef: - description: |- - Reference to a Secret key whose value will be passed by Authorino in the request. - The HTTP service can use the shared secret to authenticate the origin of the request. - Ignored if used together with oauth2. + description: Reference to a Secret key whose value will + be passed by Authorino in the request. The HTTP service + can use the shared secret to authenticate the origin of + the request. Ignored if used together with oauth2. properties: key: description: The key of the secret to select from. Must 
@@ -927,21 +1020,20 @@ spec: observability metrics type: boolean name: - description: |- - Name of the callback. - It can be used to refer to the resolved callback response in other configs. + description: Name of the callback. It can be used to refer to + the resolved callback response in other configs. type: string priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. type: integer when: - description: |- - Conditions for Authorino to perform this callback. + description: Conditions for Authorino to perform this callback. If omitted, the callback will be attempted for all requests. - If present, all conditions must match for the callback to be attempted; otherwise, the callback will be skipped. + If present, all conditions must match for the callback to + be attempted; otherwise, the callback will be skipped. items: properties: all: @@ -959,9 +1051,11 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq 
@@ -973,14 +1067,16 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. type: string type: object type: array 
@@ -1007,12 +1103,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object 
@@ -1038,12 +1137,15 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object required: 
@@ -1060,12 +1162,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object 
@@ -1084,12 +1189,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object 
@@ -1115,12 +1223,15 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object required: 
@@ -1137,32 +1248,37 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object type: object type: object hosts: - description: |- - The list of public host names of the services protected by this authentication/authorization scheme. - Authorino uses the requested host to lookup for the corresponding authentication/authorization configs to enforce. + description: The list of public host names of the services protected + by this authentication/authorization scheme. Authorino uses the + requested host to lookup for the corresponding authentication/authorization + configs to enforce. items: type: string type: array identity: - description: |- - List of identity sources/authentication modes. - At least one config of this list MUST evaluate to a valid identity for a request to be successful in the identity verification phase. + description: List of identity sources/authentication modes. 
At least + one config of this list MUST evaluate to a valid identity for a + request to be successful in the identity verification phase. items: - description: |- - The identity source/authentication mode config. - Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "oicd", "apiKey" or "kubernetes". + description: 'The identity source/authentication mode config. Apart + from "name", one of the following parameters is required and only + one of the following parameters is allowed: "oicd", "apiKey" or + "kubernetes".' oneOf: - properties: credentials: {} @@ -1220,9 +1336,10 @@ spec: properties: allNamespaces: default: false - description: |- - Whether Authorino should look for API key secrets in all namespaces or only in the same namespace as the AuthConfig. - Enabling this option in namespaced Authorino instances has no effect. + description: Whether Authorino should look for API key secrets + in all namespaces or only in the same namespace as the + AuthConfig. Enabling this option in namespaced Authorino + instances has no effect. type: boolean selector: description: Label selector used by Authorino to match secrets @@ -1233,8 +1350,8 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates the key and values. properties: key: 
@@ -1242,16 +1359,17 @@ spec: applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -1263,25 +1381,25 @@ spec: matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object - x-kubernetes-map-type: atomic required: - selector type: object cache: - description: |- - Caching options for the identity resolved when applying this config. - Omit it to avoid caching identity objects for this config. + description: Caching options for the identity resolved when + applying this config. Omit it to avoid caching identity objects + for this config. properties: key: - description: |- - Key used to store the entry in the cache. - Cache entries from different metadata configs are stored and managed separately regardless of the key. + description: Key used to store the entry in the cache. Cache + entries from different metadata configs are stored and + managed separately regardless of the key. properties: value: description: Static value 
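Review bot: The new side of this hunk drops `x-kubernetes-map-type: atomic` from the apiKey `selector` schema (the same line disappears from the kubernetes `selector` in the hunk at -1427 and from the oauth2 credentials `name` object in the hunk at -1451), which is a schema change rather than a description reflow like the rest of the file. Without that marker, server-side apply treats the label selector as a granular map whose keys can be owned and merged by different field managers instead of being replaced as a unit, and since this selector decides which Secrets Authorino accepts as API keys, a partially merged selector could widen the set of matching secrets without either writer intending it. The drop lines up with the controller-gen version annotation moving from v0.15.0 to v0.9.0 earlier in the diff, so it is presumably the older generator not emitting the marker rather than a deliberate choice; regenerating with the generator version that produced the previous manifest, and pinning it, would keep the bundle and the source CRD in sync. The enclosing `apiKey` mapping starts outside the hunk.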
@@ -1290,12 +1408,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object @@ -1308,9 +1429,11 @@ spec: - key type: object credentials: - description: |- - Defines where client credentials are required to be passed in the request for this identity source/authentication mode. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the credentials value (token, API key, etc). + description: Defines where client credentials are required to + be passed in the request for this identity source/authentication + mode. If omitted, it defaults to client credentials passed + in the HTTP Authorization header and the "Bearer" prefix expected + prepended to the credentials value (token, API key, etc). properties: in: default: authorization_header 
@@ -1324,18 +1447,23 @@ spec: - cookie type: string keySelector: - description: |- - Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). - When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. + description: Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is the + prefix of the client credentials string, separated by + a white-space, in the HTTP Authorization header (e.g. + "Bearer", "Basic"). When used with `custom_header`, `query` + or `cookie`, the value is the name of the HTTP header, + query string parameter or cookie key, respectively. type: string required: - keySelector type: object extendedProperties: - description: |- - Extends the resolved identity object with additional custom properties before appending to the authorization JSON. - It requires the resolved identity object to always be of the JSON type 'object'. Other JSON types (array, string, etc) will break. + description: Extends the resolved identity object with additional + custom properties before appending to the authorization JSON. + It requires the resolved identity object to always be of the + JSON type 'object'. Other JSON types (array, string, etc) + will break. items: properties: name: 
@@ -1353,12 +1481,15 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object required: @@ -1368,9 +1499,11 @@ spec: kubernetes: properties: audiences: - description: |- - The list of audiences (scopes) that must be claimed in a Kubernetes authentication token supplied in the request, and reviewed by Authorino. - If omitted, Authorino will review tokens expecting the host name of the requested protected service amongst the audiences. + description: The list of audiences (scopes) that must be + claimed in a Kubernetes authentication token supplied + in the request, and reviewed by Authorino. If omitted, + Authorino will review tokens expecting the host name of + the requested protected service amongst the audiences. items: type: string type: array 
@@ -1384,9 +1517,10 @@ spec: properties: allNamespaces: default: false - description: |- - Whether Authorino should look for TLS secrets in all namespaces or only in the same namespace as the AuthConfig. - Enabling this option in namespaced Authorino instances has no effect. + description: Whether Authorino should look for TLS secrets + in all namespaces or only in the same namespace as the + AuthConfig. Enabling this option in namespaced Authorino + instances has no effect. type: boolean selector: description: Label selector used by Authorino to match secrets @@ -1397,8 +1531,8 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates the key and values. properties: key: @@ -1406,16 +1540,17 @@ spec: applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -1427,21 +1562,21 @@ spec: matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object - x-kubernetes-map-type: atomic required: - selector type: object name: - description: |- - The name of this identity source/authentication mode. - It usually identifies a source of identities or group of users/clients of the protected service. - It can be used to refer to the resolved identity object in other configs. + description: The name of this identity source/authentication + mode. It usually identifies a source of identities or group + of users/clients of the protected service. It can be used + to refer to the resolved identity object in other configs. type: string oauth2: properties: 
@@ -1451,19 +1586,15 @@ spec: server. properties: name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object - x-kubernetes-map-type: atomic tokenIntrospectionUrl: description: The full URL of the token introspection endpoint. type: string tokenTypeHint: - description: |- - The token type hint for the token introspection. + description: The token type hint for the token introspection. If omitted, it defaults to "access_token". type: string required: @@ -1473,10 +1604,14 @@ spec: oidc: properties: endpoint: - description: |- - Endpoint of the OIDC issuer. - Authorino will append to this value the well-known path to the OpenID Connect discovery endpoint (i.e. "/.well-known/openid-configuration"), used to automatically discover the OpenID Connect configuration, whose set of claims is expected to include (among others) the "jkws_uri" claim. - The value must coincide with the value of the "iss" (issuer) claim of the discovered OpenID Connect configuration. + description: Endpoint of the OIDC issuer. Authorino will + append to this value the well-known path to the OpenID + Connect discovery endpoint (i.e. "/.well-known/openid-configuration"), + used to automatically discover the OpenID Connect configuration, + whose set of claims is expected to include (among others) + the "jkws_uri" claim. The value must coincide with the + value of the "iss" (issuer) claim of the discovered OpenID + Connect configuration. type: string ttl: description: Decides how long to wait before refreshing 
@@ -1488,25 +1623,28 @@ spec: plain: properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the authorization + JSON (e.g. ''context.request.http.host'') or a string + template with variable placeholders that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). Any patterns supported + by https://pkg.go.dev/github.com/tidwall/gjson can be + used. The following string modifiers are available: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string type: object priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. type: integer when: - description: |- - Conditions for Authorino to enforce this identity config. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this identity + config. If omitted, the config will be enforced for all requests. 
+ If present, all conditions must match for the config to be + enforced; otherwise, the config will be skipped. items: oneOf: - properties: @@ -1544,9 +1682,11 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq @@ -1558,14 +1698,16 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. type: string type: object type: array 
@@ -1574,13 +1716,12 @@ spec: type: object type: array metadata: - description: |- - List of metadata source configs. - Authorino fetches JSON content from sources on this list on every request. + description: List of metadata source configs. Authorino fetches JSON + content from sources on this list on every request. items: - description: |- - The metadata config. - Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "http", userInfo" or "uma". + description: 'The metadata config. Apart from "name", one of the + following parameters is required and only one of the following + parameters is allowed: "http", userInfo" or "uma".' oneOf: - properties: name: {} @@ -1602,14 +1743,14 @@ spec: - http properties: cache: - description: |- - Caching options for the external metadata fetched when applying this config. - Omit it to avoid caching metadata from this source. + description: Caching options for the external metadata fetched + when applying this config. Omit it to avoid caching metadata + from this source. properties: key: - description: |- - Key used to store the entry in the cache. - Cache entries from different metadata configs are stored and managed separately regardless of the key. + description: Key used to store the entry in the cache. Cache + entries from different metadata configs are stored and + managed separately regardless of the key. properties: value: description: Static value 
@@ -1618,12 +1759,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object @@ -1640,10 +1784,10 @@ spec: metadata from a HTTP service. properties: body: - description: |- - Raw body of the HTTP request. - Supersedes 'bodyParameters'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Raw body of the HTTP request. Supersedes 'bodyParameters'; + use either one or the other. Use it with method=POST; + for GET requests, set parameters as query string in the + 'endpoint' (placeholders can be used). properties: value: description: Static value 
@@ -1652,20 +1796,24 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object bodyParameters: - description: |- - Custom parameters to encode in the body of the HTTP request. - Superseded by 'body'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Custom parameters to encode in the body of + the HTTP request. Superseded by 'body'; use either one + or the other. Use it with method=POST; for GET requests, + set parameters as query string in the 'endpoint' (placeholders + can be used). items: properties: name: 
@@ -1678,12 +1826,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: 
@@ -1692,17 +1844,20 @@ spec: type: array contentType: default: application/x-www-form-urlencoded - description: |- - Content-Type of the request body. Shapes how 'bodyParameters' are encoded. - Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + description: Content-Type of the request body. Shapes how + 'bodyParameters' are encoded. Use it with method=POST; + for GET requests, Content-Type is automatically set to + 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: - description: |- - Defines where client credentials will be passed in the request to the service. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + description: Defines where client credentials will be passed + in the request to the service. If omitted, it defaults + to client credentials passed in the HTTP Authorization + header and the "Bearer" prefix expected prepended to the + secret value. properties: in: default: authorization_header 
@@ -1716,20 +1871,23 @@ spec: - cookie type: string keySelector: - description: |- - Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). - When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. + description: Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is + the prefix of the client credentials string, separated + by a white-space, in the HTTP Authorization header + (e.g. "Bearer", "Basic"). When used with `custom_header`, + `query` or `cookie`, the value is the name of the + HTTP header, query string parameter or cookie key, + respectively. type: string required: - keySelector type: object endpoint: - description: |- - Endpoint of the HTTP service. - The endpoint accepts variable placeholders in the format "{selector}", where "selector" is any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. - E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} + description: Endpoint of the HTTP service. The endpoint + accepts variable placeholders in the format "{selector}", + where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} type: string headers: description: Custom headers in the HTTP request. 
@@ -1745,12 +1903,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: @@ -1759,9 +1921,10 @@ spec: type: array method: default: GET - description: |- - HTTP verb used in the request to the service. Accepted values: GET (default), POST. - When the request method is POST, the authorization JSON is passed in the body of the request. + description: 'HTTP verb used in the request to the service. + Accepted values: GET (default), POST. When the request + method is POST, the authorization JSON is passed in the + body of the request.' enum: - GET - POST 
@@ -1772,9 +1935,9 @@ spec: properties: cache: default: true - description: |- - Caches and reuses the token until expired. - Set it to false to force fetch the token at every authorization request regardless of expiration. + description: Caches and reuses the token until expired. + Set it to false to force fetch the token at every + authorization request regardless of expiration. type: boolean clientId: description: OAuth2 Client ID. @@ -1817,10 +1980,10 @@ spec: - tokenUrl type: object sharedSecretRef: - description: |- - Reference to a Secret key whose value will be passed by Authorino in the request. - The HTTP service can use the shared secret to authenticate the origin of the request. - Ignored if used together with oauth2. + description: Reference to a Secret key whose value will + be passed by Authorino in the request. The HTTP service + can use the shared secret to authenticate the origin of + the request. Ignored if used together with oauth2. properties: key: description: The key of the secret to select from. Must @@ -1843,15 +2006,14 @@ spec: observability metrics type: boolean name: - description: |- - The name of the metadata source. - It can be used to refer to the resolved metadata object in other configs. + description: The name of the metadata source. It can be used + to refer to the resolved metadata object in other configs. type: string priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. type: integer uma: description: User-Managed Access (UMA) source of resource data. 
@@ -1862,17 +2024,14 @@ spec: registration API of the UMA server. properties: name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object - x-kubernetes-map-type: atomic endpoint: - description: |- - The endpoint of the UMA server. - The value must coincide with the "issuer" claim of the UMA config discovered from the well-known uma configuration endpoint. + description: The endpoint of the UMA server. The value must + coincide with the "issuer" claim of the UMA config discovered + from the well-known uma configuration endpoint. type: string required: - credentialsRef @@ -1891,10 +2050,10 @@ spec: - identitySource type: object when: - description: |- - Conditions for Authorino to apply this metadata config. - If omitted, the config will be applied for all requests. - If present, all conditions must match for the config to be applied; otherwise, the config will be skipped. + description: Conditions for Authorino to apply this metadata + config. If omitted, the config will be applied for all requests. + If present, all conditions must match for the config to be + applied; otherwise, the config will be skipped. items: oneOf: - properties: 
@@ -1932,9 +2091,11 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq @@ -1946,14 +2107,16 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. type: string type: object type: array 
@@ -1966,9 +2129,11 @@ spec: items: properties: operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the content + fetched from the authorization JSON, for comparison with + "value". Possible values are: "eq" (equal to), "neq" (not + equal to), "incl" (includes; for arrays), "excl" (excludes; + for arrays), "matches" (regex)' enum: - eq - neq @@ -1977,14 +2142,16 @@ spec: - matches type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison with + the content fetched from the authorization JSON. If used + with the "matches" operator, the value must compile to a + valid Golang regex. type: string type: object type: array 
@@ -1992,13 +2159,12 @@ spec: conditionals and in JSON-pattern matching policy rules. type: object response: - description: |- - List of response configs. - Authorino gathers data from the auth pipeline to build custom responses for the client. + description: List of response configs. Authorino gathers data from + the auth pipeline to build custom responses for the client. items: - description: |- - Dynamic response to return to the client. - Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "wristband" or "json". + description: 'Dynamic response to return to the client. Apart from + "name", one of the following parameters is required and only one + of the following parameters is allowed: "wristband" or "json".' oneOf: - properties: name: {} @@ -2020,14 +2186,14 @@ spec: - plain properties: cache: - description: |- - Caching options for dynamic responses built when applying this config. - Omit it to avoid caching dynamic responses for this config. + description: Caching options for dynamic responses built when + applying this config. Omit it to avoid caching dynamic responses + for this config. properties: key: - description: |- - Key used to store the entry in the cache. - Cache entries from different metadata configs are stored and managed separately regardless of the key. + description: Key used to store the entry in the cache. Cache + entries from different metadata configs are stored and + managed separately regardless of the key. properties: value: description: Static value 
@@ -2036,12 +2202,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object 
@@ -2070,12 +2239,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: @@ -2091,9 +2264,8 @@ spec: observability metrics type: boolean name: - description: |- - Name of the custom response. - It can be used to refer to the resolved response object in other configs. + description: Name of the custom response. It can be used to + refer to the resolved response object in other configs. type: string plain: description: StaticOrDynamicValue is either a constant static 
@@ -2107,26 +2279,29 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders that + resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are available: + @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. type: integer when: - description: |- - Conditions for Authorino to enforce this custom response config. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this custom + response config. If omitted, the config will be enforced for + all requests. 
If present, all conditions must match for the + config to be enforced; otherwise, the config will be skipped. items: oneOf: - properties: @@ -2164,9 +2339,11 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq 
@@ -2178,30 +2355,32 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. type: string type: object type: array wrapper: default: httpHeader - description: |- - How Authorino wraps the response. - Use "httpHeader" (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" to wrap the response as Envoy Dynamic Metadata + description: How Authorino wraps the response. Use "httpHeader" + (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" + to wrap the response as Envoy Dynamic Metadata enum: - httpHeader - envoyDynamicMetadata type: string wrapperKey: - description: |- - The name of key used in the wrapped response (name of the HTTP header or property of the Envoy Dynamic Metadata JSON). - If omitted, it will be set to the name of the configuration. + description: The name of key used in the wrapped response (name + of the HTTP header or property of the Envoy Dynamic Metadata + JSON). If omitted, it will be set to the name of the configuration. type: string wristband: properties: 
@@ -2221,12 +2400,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: @@ -2239,9 +2422,10 @@ spec: where = / = / = /