diff --git a/api/v1beta1/auth_config_conversion.go b/api/v1beta1/auth_config_conversion.go index 1d9168ec..d468fbff 100644 --- a/api/v1beta1/auth_config_conversion.go +++ b/api/v1beta1/auth_config_conversion.go @@ -2,6 +2,7 @@ package v1beta1 import ( "encoding/json" + "github.com/kuadrant/authorino/api/v1beta2" "github.com/kuadrant/authorino/pkg/utils" "github.com/tidwall/gjson" diff --git a/api/v1beta2/auth_config_conversion_test.go b/api/v1beta1/auth_config_conversion_test.go similarity index 92% rename from api/v1beta2/auth_config_conversion_test.go rename to api/v1beta1/auth_config_conversion_test.go index 3bed4d10..6a62bdb8 100644 --- a/api/v1beta2/auth_config_conversion_test.go +++ b/api/v1beta1/auth_config_conversion_test.go @@ -1,4 +1,4 @@ -package v1beta2 +package v1beta1 import ( "encoding/json" @@ -7,45 +7,46 @@ import ( "testing" "github.com/google/go-cmp/cmp" - "github.com/kuadrant/authorino/api/v1beta1" + "github.com/kuadrant/authorino/api/v1beta2" ) func TestConvertTo(t *testing.T) { - converted := &v1beta1.AuthConfig{} - authConfig().ConvertTo(converted) + converted := &v1beta2.AuthConfig{} + config := authConfig() + config.ConvertTo(converted) - sort.Slice(converted.Spec.Identity, func(i, j int) bool { - return converted.Spec.Identity[i].Name < converted.Spec.Identity[j].Name + sort.Slice(config.Spec.Identity, func(i, j int) bool { + return config.Spec.Identity[i].Name < config.Spec.Identity[j].Name }) - sort.Slice(converted.Spec.Metadata, func(i, j int) bool { - return converted.Spec.Metadata[i].Name < converted.Spec.Metadata[j].Name + sort.Slice(config.Spec.Metadata, func(i, j int) bool { + return config.Spec.Metadata[i].Name < config.Spec.Metadata[j].Name }) - sort.Slice(converted.Spec.Authorization, func(i, j int) bool { - return converted.Spec.Authorization[i].Name < converted.Spec.Authorization[j].Name + sort.Slice(config.Spec.Authorization, func(i, j int) bool { + return config.Spec.Authorization[i].Name < config.Spec.Authorization[j].Name }) - sort.Slice(converted.Spec.Response, func(i, j int) bool { - return converted.Spec.Response[i].Name < converted.Spec.Response[j].Name + sort.Slice(config.Spec.Response, func(i, j int) bool { + return config.Spec.Response[i].Name < config.Spec.Response[j].Name }) - for idx := range converted.Spec.Response { - if converted.Spec.Response[idx].Wristband != nil { - sort.Slice(converted.Spec.Response[idx].Wristband.CustomClaims, func(i, j int) bool { - return converted.Spec.Response[idx].Wristband.CustomClaims[i].Name < converted.Spec.Response[idx].Wristband.CustomClaims[j].Name + for idx := range config.Spec.Response { + if config.Spec.Response[idx].Wristband != nil { + sort.Slice(config.Spec.Response[idx].Wristband.CustomClaims, func(i, j int) bool { + return config.Spec.Response[idx].Wristband.CustomClaims[i].Name < config.Spec.Response[idx].Wristband.CustomClaims[j].Name }) } - if converted.Spec.Response[idx].JSON != nil { - sort.Slice(converted.Spec.Response[idx].JSON.Properties, func(i, j int) bool { - return converted.Spec.Response[idx].JSON.Properties[i].Name < converted.Spec.Response[idx].JSON.Properties[j].Name + if config.Spec.Response[idx].JSON != nil { + sort.Slice(config.Spec.Response[idx].JSON.Properties, func(i, j int) bool { + return config.Spec.Response[idx].JSON.Properties[i].Name < config.Spec.Response[idx].JSON.Properties[j].Name }) } } - sort.Slice(converted.Spec.Callbacks, func(i, j int) bool { - return converted.Spec.Callbacks[i].Name < converted.Spec.Callbacks[j].Name + sort.Slice(config.Spec.Callbacks, func(i, j int) bool { + return config.Spec.Callbacks[i].Name < config.Spec.Callbacks[j].Name }) - sort.Slice(converted.Spec.DenyWith.Unauthenticated.Headers, func(i, j int) bool { - return converted.Spec.DenyWith.Unauthenticated.Headers[i].Name < converted.Spec.DenyWith.Unauthenticated.Headers[j].Name + sort.Slice(config.Spec.DenyWith.Unauthenticated.Headers, func(i, j int) bool { + return config.Spec.DenyWith.Unauthenticated.Headers[i].Name < config.Spec.DenyWith.Unauthenticated.Headers[j].Name }) - sort.Slice(converted.Spec.DenyWith.Unauthorized.Headers, func(i, j int) bool { - return converted.Spec.DenyWith.Unauthorized.Headers[i].Name < converted.Spec.DenyWith.Unauthorized.Headers[j].Name + sort.Slice(config.Spec.DenyWith.Unauthorized.Headers, func(i, j int) bool { + return config.Spec.DenyWith.Unauthorized.Headers[i].Name < config.Spec.DenyWith.Unauthorized.Headers[j].Name }) expected := hubAuthConfig() @@ -63,8 +64,8 @@ func TestConvertFrom(t *testing.T) { } } -func authConfig() *AuthConfig { - authConfig := &AuthConfig{} +func hubAuthConfig() *v1beta2.AuthConfig { + authConfig := &v1beta2.AuthConfig{} err := json.Unmarshal([]byte(` { "metadata": { @@ -477,8 +478,8 @@ func authConfig() *AuthConfig { return authConfig } -func hubAuthConfig() *v1beta1.AuthConfig { - authConfig := &v1beta1.AuthConfig{} +func authConfig() *AuthConfig { + authConfig := &AuthConfig{} err := json.Unmarshal([]byte(` { "metadata": { diff --git a/install/crd/authorino.kuadrant.io_authconfigs.yaml b/install/crd/authorino.kuadrant.io_authconfigs.yaml index 288a9a2b..800f877a 100644 --- a/install/crd/authorino.kuadrant.io_authconfigs.yaml +++ b/install/crd/authorino.kuadrant.io_authconfigs.yaml @@ -3,7 +3,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.9.0 + creationTimestamp: null name: authconfigs.authorino.kuadrant.io spec: group: authorino.kuadrant.io @@ -54,19 +55,14 @@ spec: description: AuthConfig is the schema for Authorino's AuthConfig API properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -76,13 +72,13 @@ spec: service hosts. properties: authorization: - description: |- - Authorization is the list of authorization policies. - All policies in this list MUST evaluate to "true" for a request be successful in the authorization phase. + description: Authorization is the list of authorization policies. + All policies in this list MUST evaluate to "true" for a request + be successful in the authorization phase. items: - description: |- - Authorization policy to be enforced. - Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "opa", "json" or "kubernetes". + description: 'Authorization policy to be enforced. Apart from "name", + one of the following parameters is required and only one of the + following parameters is allowed: "opa", "json" or "kubernetes".' properties: authzed: description: Authzed authorization @@ -105,12 +101,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object @@ -131,12 +130,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object @@ -153,12 +157,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object @@ -197,12 +206,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object @@ -219,12 +233,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object @@ -233,14 +252,14 @@ spec: - endpoint type: object cache: - description: |- - Caching options for the policy evaluation results when enforcing this config. - Omit it to avoid caching policy evaluation results for this config. + description: Caching options for the policy evaluation results + when enforcing this config. Omit it to avoid caching policy + evaluation results for this config. properties: key: - description: |- - Key used to store the entry in the cache. - Cache entries from different metadata configs are stored and managed separately regardless of the key. + description: Key used to store the entry in the cache. Cache + entries from different metadata configs are stored and + managed separately regardless of the key. properties: value: description: Static value @@ -249,12 +268,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object @@ -289,9 +311,12 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to + the content fetched from the authorization JSON, + for comparison with "value". Possible values are: + "eq" (equal to), "neq" (not equal to), "incl" (includes; + for arrays), "excl" (excludes; for arrays), "matches" + (regex)' enum: - eq - neq @@ -303,14 +328,16 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input + authorization JSON built by Authorino along the + identity and metadata phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the value + must compile to a valid Golang regex. type: string type: object type: array @@ -318,8 +345,7 @@ spec: - rules type: object kubernetes: - description: |- - Kubernetes authorization policy based on `SubjectAccessReview` + description: Kubernetes authorization policy based on `SubjectAccessReview` Path and Verb are inferred from the request. properties: groups: @@ -328,9 +354,10 @@ spec: type: string type: array resourceAttributes: - description: |- - Use ResourceAttributes for checking permissions on Kubernetes resources - If omitted, it performs a non-resource `SubjectAccessReview`, with verb and path inferred from the request. + description: Use ResourceAttributes for checking permissions + on Kubernetes resources If omitted, it performs a non-resource + `SubjectAccessReview`, with verb and path inferred from + the request. properties: group: description: StaticOrDynamicValue is either a constant @@ -345,12 +372,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object @@ -367,12 +399,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object @@ -389,12 +426,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object @@ -411,12 +453,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object @@ -433,12 +480,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object @@ -455,20 +507,25 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object type: object user: - description: |- - User to test for. - If without "Groups", then is it interpreted as "What if User were not a member of any groups" + description: User to test for. If without "Groups", then + is it interpreted as "What if User were not a member of + any groups" properties: value: description: Static value @@ -477,12 +534,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object @@ -495,27 +555,30 @@ spec: individual observability metrics type: boolean name: - description: |- - Name of the authorization policy. - It can be used to refer to the resolved authorization object in other configs. + description: Name of the authorization policy. It can be used + to refer to the resolved authorization object in other configs. type: string opa: description: Open Policy Agent (OPA) authorization policy. properties: allValues: default: false - description: |- - Returns the value of all Rego rules in the virtual document. Values can be read in subsequent evaluators/phases of the Auth Pipeline. - Otherwise, only the default `allow` rule will be exposed. - Returning all Rego rules can affect performance of OPA policies during reconciliation (policy precompile) and at runtime. + description: Returns the value of all Rego rules in the + virtual document. Values can be read in subsequent evaluators/phases + of the Auth Pipeline. Otherwise, only the default `allow` + rule will be exposed. Returning all Rego rules can affect + performance of OPA policies during reconciliation (policy + precompile) and at runtime. type: boolean externalRegistry: description: External registry of OPA policies. properties: credentials: - description: |- - Defines where client credentials will be passed in the request to the service. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + description: Defines where client credentials will be + passed in the request to the service. If omitted, + it defaults to client credentials passed in the HTTP + Authorization header and the "Bearer" prefix expected + prepended to the secret value. properties: in: default: authorization_header @@ -529,24 +592,32 @@ spec: - cookie type: string keySelector: - description: |- - Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). - When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. + description: Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value + is the prefix of the client credentials string, + separated by a white-space, in the HTTP Authorization + header (e.g. "Bearer", "Basic"). When used with + `custom_header`, `query` or `cookie`, the value + is the name of the HTTP header, query string parameter + or cookie key, respectively. type: string required: - keySelector type: object endpoint: - description: |- - Endpoint of the HTTP external registry. - The endpoint must respond with either plain/text or application/json content-type. - In the latter case, the JSON returned in the body must include a path `result.raw`, where the raw Rego policy will be extracted from. This complies with the specification of the OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy). + description: Endpoint of the HTTP external registry. + The endpoint must respond with either plain/text or + application/json content-type. In the latter case, + the JSON returned in the body must include a path + `result.raw`, where the raw Rego policy will be extracted + from. This complies with the specification of the + OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy). type: string sharedSecretRef: - description: |- - Reference to a Secret key whose value will be passed by Authorino in the request. - The HTTP service can use the shared secret to authenticate the origin of the request. + description: Reference to a Secret key whose value will + be passed by Authorino in the request. The HTTP service + can use the shared secret to authenticate the origin + of the request. properties: key: description: The key of the secret to select from. Must @@ -566,23 +637,24 @@ spec: type: integer type: object inlineRego: - description: |- - Authorization policy as a Rego language document. - The Rego document must include the "allow" condition, set by Authorino to "false" by default (i.e. requests are unauthorized unless changed). - The Rego document must NOT include the "package" declaration in line 1. + description: Authorization policy as a Rego language document. + The Rego document must include the "allow" condition, + set by Authorino to "false" by default (i.e. requests + are unauthorized unless changed). The Rego document must + NOT include the "package" declaration in line 1. type: string type: object priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. type: integer when: - description: |- - Conditions for Authorino to enforce this authorization policy. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this authorization + policy. If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to be + enforced; otherwise, the config will be skipped. items: properties: all: @@ -600,9 +672,11 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq @@ -614,14 +688,16 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. type: string type: object type: array @@ -630,9 +706,8 @@ spec: type: object type: array callbacks: - description: |- - List of callback configs. - Authorino sends callbacks to specified endpoints at the end of the auth pipeline. + description: List of callback configs. Authorino sends callbacks to + specified endpoints at the end of the auth pipeline. items: description: Endpoints to callback at the end of each auth pipeline. properties: @@ -641,10 +716,10 @@ spec: metadata from a HTTP service. properties: body: - description: |- - Raw body of the HTTP request. - Supersedes 'bodyParameters'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Raw body of the HTTP request. Supersedes 'bodyParameters'; + use either one or the other. Use it with method=POST; + for GET requests, set parameters as query string in the + 'endpoint' (placeholders can be used). properties: value: description: Static value @@ -653,20 +728,24 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object bodyParameters: - description: |- - Custom parameters to encode in the body of the HTTP request. - Superseded by 'body'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Custom parameters to encode in the body of + the HTTP request. Superseded by 'body'; use either one + or the other. Use it with method=POST; for GET requests, + set parameters as query string in the 'endpoint' (placeholders + can be used). items: properties: name: @@ -679,12 +758,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: @@ -693,17 +776,20 @@ spec: type: array contentType: default: application/x-www-form-urlencoded - description: |- - Content-Type of the request body. Shapes how 'bodyParameters' are encoded. - Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + description: Content-Type of the request body. Shapes how + 'bodyParameters' are encoded. Use it with method=POST; + for GET requests, Content-Type is automatically set to + 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: - description: |- - Defines where client credentials will be passed in the request to the service. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + description: Defines where client credentials will be passed + in the request to the service. If omitted, it defaults + to client credentials passed in the HTTP Authorization + header and the "Bearer" prefix expected prepended to the + secret value. properties: in: default: authorization_header @@ -717,20 +803,23 @@ spec: - cookie type: string keySelector: - description: |- - Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). - When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. + description: Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is + the prefix of the client credentials string, separated + by a white-space, in the HTTP Authorization header + (e.g. "Bearer", "Basic"). When used with `custom_header`, + `query` or `cookie`, the value is the name of the + HTTP header, query string parameter or cookie key, + respectively. type: string required: - keySelector type: object endpoint: - description: |- - Endpoint of the HTTP service. - The endpoint accepts variable placeholders in the format "{selector}", where "selector" is any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. - E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} + description: Endpoint of the HTTP service. The endpoint + accepts variable placeholders in the format "{selector}", + where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} type: string headers: description: Custom headers in the HTTP request. @@ -746,12 +835,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: @@ -760,9 +853,10 @@ spec: type: array method: default: GET - description: |- - HTTP verb used in the request to the service. Accepted values: GET (default), POST. - When the request method is POST, the authorization JSON is passed in the body of the request. + description: 'HTTP verb used in the request to the service. + Accepted values: GET (default), POST. When the request + method is POST, the authorization JSON is passed in the + body of the request.' enum: - GET - POST @@ -773,9 +867,9 @@ spec: properties: cache: default: true - description: |- - Caches and reuses the token until expired. - Set it to false to force fetch the token at every authorization request regardless of expiration. + description: Caches and reuses the token until expired. + Set it to false to force fetch the token at every + authorization request regardless of expiration. type: boolean clientId: description: OAuth2 Client ID. @@ -818,10 +912,10 @@ spec: - tokenUrl type: object sharedSecretRef: - description: |- - Reference to a Secret key whose value will be passed by Authorino in the request. - The HTTP service can use the shared secret to authenticate the origin of the request. - Ignored if used together with oauth2. + description: Reference to a Secret key whose value will + be passed by Authorino in the request. The HTTP service + can use the shared secret to authenticate the origin of + the request. Ignored if used together with oauth2. properties: key: description: The key of the secret to select from. Must @@ -844,21 +938,20 @@ spec: observability metrics type: boolean name: - description: |- - Name of the callback. - It can be used to refer to the resolved callback response in other configs. + description: Name of the callback. It can be used to refer to + the resolved callback response in other configs. type: string priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. type: integer when: - description: |- - Conditions for Authorino to perform this callback. + description: Conditions for Authorino to perform this callback. If omitted, the callback will be attempted for all requests. - If present, all conditions must match for the callback to be attempted; otherwise, the callback will be skipped. + If present, all conditions must match for the callback to + be attempted; otherwise, the callback will be skipped. items: properties: all: @@ -876,9 +969,11 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq @@ -890,14 +985,16 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. type: string type: object type: array @@ -924,12 +1021,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object @@ -955,12 +1055,15 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object required: @@ -977,12 +1080,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object @@ -1001,12 +1107,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object @@ -1032,12 +1141,15 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object required: @@ -1054,32 +1166,37 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object type: object type: object hosts: - description: |- - The list of public host names of the services protected by this authentication/authorization scheme. - Authorino uses the requested host to lookup for the corresponding authentication/authorization configs to enforce. + description: The list of public host names of the services protected + by this authentication/authorization scheme. Authorino uses the + requested host to lookup for the corresponding authentication/authorization + configs to enforce. items: type: string type: array identity: - description: |- - List of identity sources/authentication modes. - At least one config of this list MUST evaluate to a valid identity for a request to be successful in the identity verification phase. + description: List of identity sources/authentication modes. At least + one config of this list MUST evaluate to a valid identity for a + request to be successful in the identity verification phase. items: - description: |- - The identity source/authentication mode config. - Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "oicd", "apiKey" or "kubernetes". + description: 'The identity source/authentication mode config. Apart + from "name", one of the following parameters is required and only + one of the following parameters is allowed: "oicd", "apiKey" or + "kubernetes".' properties: anonymous: type: object @@ -1087,9 +1204,10 @@ spec: properties: allNamespaces: default: false - description: |- - Whether Authorino should look for API key secrets in all namespaces or only in the same namespace as the AuthConfig. - Enabling this option in namespaced Authorino instances has no effect. + description: Whether Authorino should look for API key secrets + in all namespaces or only in the same namespace as the + AuthConfig. Enabling this option in namespaced Authorino + instances has no effect. type: boolean selector: description: Label selector used by Authorino to match secrets @@ -1100,8 +1218,8 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates the key and values. properties: key: @@ -1109,16 +1227,17 @@ spec: applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array @@ -1130,25 +1249,25 @@ spec: matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object - x-kubernetes-map-type: atomic required: - selector type: object cache: - description: |- - Caching options for the identity resolved when applying this config. - Omit it to avoid caching identity objects for this config. + description: Caching options for the identity resolved when + applying this config. Omit it to avoid caching identity objects + for this config. properties: key: - description: |- - Key used to store the entry in the cache. - Cache entries from different metadata configs are stored and managed separately regardless of the key. + description: Key used to store the entry in the cache. Cache + entries from different metadata configs are stored and + managed separately regardless of the key. properties: value: description: Static value @@ -1157,12 +1276,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object @@ -1175,9 +1297,11 @@ spec: - key type: object credentials: - description: |- - Defines where client credentials are required to be passed in the request for this identity source/authentication mode. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the credentials value (token, API key, etc). + description: Defines where client credentials are required to + be passed in the request for this identity source/authentication + mode. If omitted, it defaults to client credentials passed + in the HTTP Authorization header and the "Bearer" prefix expected + prepended to the credentials value (token, API key, etc). properties: in: default: authorization_header @@ -1191,18 +1315,23 @@ spec: - cookie type: string keySelector: - description: |- - Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). - When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. + description: Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is the + prefix of the client credentials string, separated by + a white-space, in the HTTP Authorization header (e.g. + "Bearer", "Basic"). When used with `custom_header`, `query` + or `cookie`, the value is the name of the HTTP header, + query string parameter or cookie key, respectively. type: string required: - keySelector type: object extendedProperties: - description: |- - Extends the resolved identity object with additional custom properties before appending to the authorization JSON. - It requires the resolved identity object to always be of the JSON type 'object'. Other JSON types (array, string, etc) will break. + description: Extends the resolved identity object with additional + custom properties before appending to the authorization JSON. + It requires the resolved identity object to always be of the + JSON type 'object'. Other JSON types (array, string, etc) + will break. items: properties: name: @@ -1220,12 +1349,15 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object required: @@ -1235,9 +1367,11 @@ spec: kubernetes: properties: audiences: - description: |- - The list of audiences (scopes) that must be claimed in a Kubernetes authentication token supplied in the request, and reviewed by Authorino. - If omitted, Authorino will review tokens expecting the host name of the requested protected service amongst the audiences. + description: The list of audiences (scopes) that must be + claimed in a Kubernetes authentication token supplied + in the request, and reviewed by Authorino. If omitted, + Authorino will review tokens expecting the host name of + the requested protected service amongst the audiences. items: type: string type: array @@ -1251,9 +1385,10 @@ spec: properties: allNamespaces: default: false - description: |- - Whether Authorino should look for TLS secrets in all namespaces or only in the same namespace as the AuthConfig. - Enabling this option in namespaced Authorino instances has no effect. + description: Whether Authorino should look for TLS secrets + in all namespaces or only in the same namespace as the + AuthConfig. Enabling this option in namespaced Authorino + instances has no effect. type: boolean selector: description: Label selector used by Authorino to match secrets @@ -1264,8 +1399,8 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates the key and values. properties: key: @@ -1273,16 +1408,17 @@ spec: applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array @@ -1294,21 +1430,21 @@ spec: matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object - x-kubernetes-map-type: atomic required: - selector type: object name: - description: |- - The name of this identity source/authentication mode. - It usually identifies a source of identities or group of users/clients of the protected service. - It can be used to refer to the resolved identity object in other configs. + description: The name of this identity source/authentication + mode. It usually identifies a source of identities or group + of users/clients of the protected service. It can be used + to refer to the resolved identity object in other configs. type: string oauth2: properties: @@ -1318,19 +1454,15 @@ spec: server. properties: name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object - x-kubernetes-map-type: atomic tokenIntrospectionUrl: description: The full URL of the token introspection endpoint. type: string tokenTypeHint: - description: |- - The token type hint for the token introspection. + description: The token type hint for the token introspection. If omitted, it defaults to "access_token". type: string required: @@ -1340,10 +1472,14 @@ spec: oidc: properties: endpoint: - description: |- - Endpoint of the OIDC issuer. - Authorino will append to this value the well-known path to the OpenID Connect discovery endpoint (i.e. "/.well-known/openid-configuration"), used to automatically discover the OpenID Connect configuration, whose set of claims is expected to include (among others) the "jkws_uri" claim. - The value must coincide with the value of the "iss" (issuer) claim of the discovered OpenID Connect configuration. + description: Endpoint of the OIDC issuer. Authorino will + append to this value the well-known path to the OpenID + Connect discovery endpoint (i.e. "/.well-known/openid-configuration"), + used to automatically discover the OpenID Connect configuration, + whose set of claims is expected to include (among others) + the "jkws_uri" claim. The value must coincide with the + value of the "iss" (issuer) claim of the discovered OpenID + Connect configuration. type: string ttl: description: Decides how long to wait before refreshing @@ -1355,25 +1491,28 @@ spec: plain: properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the authorization + JSON (e.g. ''context.request.http.host'') or a string + template with variable placeholders that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). Any patterns supported + by https://pkg.go.dev/github.com/tidwall/gjson can be + used. The following string modifiers are available: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string type: object priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. type: integer when: - description: |- - Conditions for Authorino to enforce this identity config. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this identity + config. If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to be + enforced; otherwise, the config will be skipped. items: properties: all: @@ -1391,9 +1530,11 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq @@ -1405,14 +1546,16 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. type: string type: object type: array @@ -1421,23 +1564,22 @@ spec: type: object type: array metadata: - description: |- - List of metadata source configs. - Authorino fetches JSON content from sources on this list on every request. + description: List of metadata source configs. Authorino fetches JSON + content from sources on this list on every request. items: - description: |- - The metadata config. - Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "http", userInfo" or "uma". + description: 'The metadata config. Apart from "name", one of the + following parameters is required and only one of the following + parameters is allowed: "http", userInfo" or "uma".' properties: cache: - description: |- - Caching options for the external metadata fetched when applying this config. - Omit it to avoid caching metadata from this source. + description: Caching options for the external metadata fetched + when applying this config. Omit it to avoid caching metadata + from this source. properties: key: - description: |- - Key used to store the entry in the cache. - Cache entries from different metadata configs are stored and managed separately regardless of the key. + description: Key used to store the entry in the cache. Cache + entries from different metadata configs are stored and + managed separately regardless of the key. properties: value: description: Static value @@ -1446,12 +1588,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object @@ -1468,10 +1613,10 @@ spec: metadata from a HTTP service. properties: body: - description: |- - Raw body of the HTTP request. - Supersedes 'bodyParameters'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Raw body of the HTTP request. Supersedes 'bodyParameters'; + use either one or the other. Use it with method=POST; + for GET requests, set parameters as query string in the + 'endpoint' (placeholders can be used). properties: value: description: Static value @@ -1480,20 +1625,24 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object bodyParameters: - description: |- - Custom parameters to encode in the body of the HTTP request. - Superseded by 'body'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Custom parameters to encode in the body of + the HTTP request. Superseded by 'body'; use either one + or the other. Use it with method=POST; for GET requests, + set parameters as query string in the 'endpoint' (placeholders + can be used). items: properties: name: @@ -1506,12 +1655,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: @@ -1520,17 +1673,20 @@ spec: type: array contentType: default: application/x-www-form-urlencoded - description: |- - Content-Type of the request body. Shapes how 'bodyParameters' are encoded. - Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + description: Content-Type of the request body. Shapes how + 'bodyParameters' are encoded. Use it with method=POST; + for GET requests, Content-Type is automatically set to + 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: - description: |- - Defines where client credentials will be passed in the request to the service. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + description: Defines where client credentials will be passed + in the request to the service. If omitted, it defaults + to client credentials passed in the HTTP Authorization + header and the "Bearer" prefix expected prepended to the + secret value. properties: in: default: authorization_header @@ -1544,20 +1700,23 @@ spec: - cookie type: string keySelector: - description: |- - Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). - When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. + description: Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is + the prefix of the client credentials string, separated + by a white-space, in the HTTP Authorization header + (e.g. "Bearer", "Basic"). When used with `custom_header`, + `query` or `cookie`, the value is the name of the + HTTP header, query string parameter or cookie key, + respectively. type: string required: - keySelector type: object endpoint: - description: |- - Endpoint of the HTTP service. - The endpoint accepts variable placeholders in the format "{selector}", where "selector" is any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. - E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} + description: Endpoint of the HTTP service. The endpoint + accepts variable placeholders in the format "{selector}", + where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} type: string headers: description: Custom headers in the HTTP request. @@ -1573,12 +1732,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: @@ -1587,9 +1750,10 @@ spec: type: array method: default: GET - description: |- - HTTP verb used in the request to the service. Accepted values: GET (default), POST. - When the request method is POST, the authorization JSON is passed in the body of the request. + description: 'HTTP verb used in the request to the service. + Accepted values: GET (default), POST. When the request + method is POST, the authorization JSON is passed in the + body of the request.' enum: - GET - POST @@ -1600,9 +1764,9 @@ spec: properties: cache: default: true - description: |- - Caches and reuses the token until expired. - Set it to false to force fetch the token at every authorization request regardless of expiration. + description: Caches and reuses the token until expired. + Set it to false to force fetch the token at every + authorization request regardless of expiration. type: boolean clientId: description: OAuth2 Client ID. @@ -1645,10 +1809,10 @@ spec: - tokenUrl type: object sharedSecretRef: - description: |- - Reference to a Secret key whose value will be passed by Authorino in the request. - The HTTP service can use the shared secret to authenticate the origin of the request. - Ignored if used together with oauth2. + description: Reference to a Secret key whose value will + be passed by Authorino in the request. The HTTP service + can use the shared secret to authenticate the origin of + the request. Ignored if used together with oauth2. properties: key: description: The key of the secret to select from. Must @@ -1671,15 +1835,14 @@ spec: observability metrics type: boolean name: - description: |- - The name of the metadata source. - It can be used to refer to the resolved metadata object in other configs. + description: The name of the metadata source. It can be used + to refer to the resolved metadata object in other configs. type: string priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. type: integer uma: description: User-Managed Access (UMA) source of resource data. @@ -1690,17 +1853,14 @@ spec: registration API of the UMA server. properties: name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object - x-kubernetes-map-type: atomic endpoint: - description: |- - The endpoint of the UMA server. - The value must coincide with the "issuer" claim of the UMA config discovered from the well-known uma configuration endpoint. + description: The endpoint of the UMA server. The value must + coincide with the "issuer" claim of the UMA config discovered + from the well-known uma configuration endpoint. type: string required: - credentialsRef @@ -1719,10 +1879,10 @@ spec: - identitySource type: object when: - description: |- - Conditions for Authorino to apply this metadata config. - If omitted, the config will be applied for all requests. - If present, all conditions must match for the config to be applied; otherwise, the config will be skipped. + description: Conditions for Authorino to apply this metadata + config. If omitted, the config will be applied for all requests. + If present, all conditions must match for the config to be + applied; otherwise, the config will be skipped. items: properties: all: @@ -1740,9 +1900,11 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq @@ -1754,14 +1916,16 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. type: string type: object type: array @@ -1774,9 +1938,11 @@ spec: items: properties: operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the content + fetched from the authorization JSON, for comparison with + "value". Possible values are: "eq" (equal to), "neq" (not + equal to), "incl" (includes; for arrays), "excl" (excludes; + for arrays), "matches" (regex)' enum: - eq - neq @@ -1785,14 +1951,16 @@ spec: - matches type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison with + the content fetched from the authorization JSON. If used + with the "matches" operator, the value must compile to a + valid Golang regex. type: string type: object type: array @@ -1800,23 +1968,22 @@ spec: conditionals and in JSON-pattern matching policy rules. type: object response: - description: |- - List of response configs. - Authorino gathers data from the auth pipeline to build custom responses for the client. + description: List of response configs. Authorino gathers data from + the auth pipeline to build custom responses for the client. items: - description: |- - Dynamic response to return to the client. - Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "wristband" or "json". + description: 'Dynamic response to return to the client. Apart from + "name", one of the following parameters is required and only one + of the following parameters is allowed: "wristband" or "json".' properties: cache: - description: |- - Caching options for dynamic responses built when applying this config. - Omit it to avoid caching dynamic responses for this config. + description: Caching options for dynamic responses built when + applying this config. Omit it to avoid caching dynamic responses + for this config. properties: key: - description: |- - Key used to store the entry in the cache. - Cache entries from different metadata configs are stored and managed separately regardless of the key. + description: Key used to store the entry in the cache. Cache + entries from different metadata configs are stored and + managed separately regardless of the key. properties: value: description: Static value @@ -1825,12 +1992,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object @@ -1859,12 +2029,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: @@ -1880,9 +2054,8 @@ spec: observability metrics type: boolean name: - description: |- - Name of the custom response. - It can be used to refer to the resolved response object in other configs. + description: Name of the custom response. It can be used to + refer to the resolved response object in other configs. type: string plain: description: StaticOrDynamicValue is either a constant static @@ -1896,26 +2069,29 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders that + resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are available: + @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. type: integer when: - description: |- - Conditions for Authorino to enforce this custom response config. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this custom + response config. If omitted, the config will be enforced for + all requests. If present, all conditions must match for the + config to be enforced; otherwise, the config will be skipped. items: properties: all: @@ -1933,9 +2109,11 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq @@ -1947,30 +2125,32 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. type: string type: object type: array wrapper: default: httpHeader - description: |- - How Authorino wraps the response. - Use "httpHeader" (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" to wrap the response as Envoy Dynamic Metadata + description: How Authorino wraps the response. Use "httpHeader" + (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" + to wrap the response as Envoy Dynamic Metadata enum: - httpHeader - envoyDynamicMetadata type: string wrapperKey: - description: |- - The name of key used in the wrapped response (name of the HTTP header or property of the Envoy Dynamic Metadata JSON). - If omitted, it will be set to the name of the configuration. + description: The name of key used in the wrapped response (name + of the HTTP header or property of the Envoy Dynamic Metadata + JSON). If omitted, it will be set to the name of the configuration. type: string wristband: properties: @@ -1990,12 +2170,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: @@ -2008,9 +2192,10 @@ spec: where = / = / = / = / = / = /