From bbcfe7341338d922b33bdb9e5d91d7acd106052b Mon Sep 17 00:00:00 2001 From: Alex Snaps Date: Mon, 26 Aug 2024 09:49:26 -0400 Subject: [PATCH 1/6] Part 1: Convert to v1beta2 Signed-off-by: Alex Snaps --- api/v1beta1/auth_config_conversion.go | 579 +++++++++++++++++++++++++- api/v1beta2/auth_config_conversion.go | 7 + 2 files changed, 584 insertions(+), 2 deletions(-) diff --git a/api/v1beta1/auth_config_conversion.go b/api/v1beta1/auth_config_conversion.go index 6b810a0f..d97ca602 100644 --- a/api/v1beta1/auth_config_conversion.go +++ b/api/v1beta1/auth_config_conversion.go 
@@ -1,4 +1,579 @@ package v1beta1 -// Hub marks this version as a conversion hub. -func (a *AuthConfig) Hub() {} +import ( + "encoding/json" + "github.com/kuadrant/authorino/api/v1beta2" + "github.com/kuadrant/authorino/pkg/utils" + k8sruntime "k8s.io/apimachinery/pkg/runtime" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/conversion" +) + +func (src *AuthConfig) ConvertTo(dstRaw conversion.Hub) error { + dst := dstRaw.(*v1beta2.AuthConfig) + + logger := ctrl.Log.WithName("webhook").WithName("authconfig").WithName("converto").WithValues("src", src) + logger.V(1).Info("starting converting resource") + + // metadata + dst.ObjectMeta = src.ObjectMeta + + // hosts + dst.Spec.Hosts = src.Spec.Hosts + + // named patterns + if src.Spec.Patterns != nil { + dst.Spec.NamedPatterns = make(map[string]v1beta2.PatternExpressions, len(src.Spec.Patterns)) + for name, patterns := range src.Spec.Patterns { + dst.Spec.NamedPatterns[name] = utils.Map(patterns, convertPatternExpressionTo) + } + } + + // conditions + dst.Spec.Conditions = utils.Map(src.Spec.Conditions, convertPatternExpressionOrRefTo) + + // authentication + if src.Spec.Identity != nil { + dst.Spec.Authentication = make(map[string]v1beta2.AuthenticationSpec, len(src.Spec.Identity)) + for _, identity := range src.Spec.Identity { + name, authentication := convertAuthenticationTo(identity) + dst.Spec.Authentication[name] = authentication + } + } + + // metadata + if src.Spec.Metadata != nil { + dst.Spec.Metadata = make(map[string]v1beta2.MetadataSpec, len(src.Spec.Metadata)) + for _, metadataSrc := range src.Spec.Metadata { + name, metadata := convertMetadataTo(metadataSrc) + dst.Spec.Metadata[name] = metadata + } + } + + // authorization + if src.Spec.Authorization != nil { + dst.Spec.Authorization = make(map[string]v1beta2.AuthorizationSpec, len(src.Spec.Authorization)) + for _, authorizationSrc := range src.Spec.Authorization { + name, authorization := 
convertAuthorizationTo(authorizationSrc) + dst.Spec.Authorization[name] = authorization + } + } + + // response + denyWith := src.Spec.DenyWith + + if denyWith != nil || len(src.Spec.Response) > 0 { + dst.Spec.Response = &v1beta2.ResponseSpec{} + } + + if denyWith != nil && denyWith.Unauthenticated != nil { + dst.Spec.Response.Unauthenticated = convertDenyWithSpecTo(denyWith.Unauthenticated) + } + + if denyWith != nil && denyWith.Unauthorized != nil { + dst.Spec.Response.Unauthorized = convertDenyWithSpecTo(denyWith.Unauthorized) + } + + for _, responseSrc := range src.Spec.Response { + if responseSrc.Wrapper != "httpHeader" && responseSrc.Wrapper != "" { + continue + } + if dst.Spec.Response.Success.Headers == nil { + dst.Spec.Response.Success.Headers = make(map[string]v1beta2.HeaderSuccessResponseSpec) + } + name, response := convertSuccessResponseTo(responseSrc) + dst.Spec.Response.Success.Headers[name] = v1beta2.HeaderSuccessResponseSpec{ + SuccessResponseSpec: response, + } + } + + for _, responseSrc := range src.Spec.Response { + if responseSrc.Wrapper != "envoyDynamicMetadata" { + continue + } + if dst.Spec.Response.Success.DynamicMetadata == nil { + dst.Spec.Response.Success.DynamicMetadata = make(map[string]v1beta2.SuccessResponseSpec) + } + name, response := convertSuccessResponseTo(responseSrc) + dst.Spec.Response.Success.DynamicMetadata[name] = response + } + + // callbacks + if src.Spec.Callbacks != nil { + dst.Spec.Callbacks = make(map[string]v1beta2.CallbackSpec, len(src.Spec.Callbacks)) + for _, callbackSrc := range src.Spec.Callbacks { + name, callback := convertCallbackTo(callbackSrc) + dst.Spec.Callbacks[name] = callback + } + } + + // status + dst.Status = convertStatusTo(src.Status) + + logger.V(1).Info("finished converting resource", "dst", dst) + + return nil +} + +func (dst *AuthConfig) ConvertFrom(srcRaw conversion.Hub) error { + src := srcRaw.(*v1beta2.AuthConfig) + + logger := 
ctrl.Log.WithName("webhook").WithName("authconfig").WithName("converfrom").WithValues("src", src) + logger.V(1).Info("starting converting resource") + + // metadata + dst.ObjectMeta = src.ObjectMeta + + // hosts + dst.Spec.Hosts = src.Spec.Hosts + + return nil +} + +func convertPatternExpressionTo(src JSONPatternExpression) v1beta2.PatternExpression { + return v1beta2.PatternExpression{ + Selector: src.Selector, + Operator: v1beta2.PatternExpressionOperator(src.Operator), + Value: src.Value, + } +} + +func convertPatternExpressionOrRefTo(src JSONPattern) v1beta2.PatternExpressionOrRef { + pattern := v1beta2.PatternExpressionOrRef{ + PatternExpression: convertPatternExpressionTo(src.JSONPatternExpression), + PatternRef: v1beta2.PatternRef{ + Name: src.JSONPatternRef.JSONPatternName, + }, + } + if len(src.All) > 0 { + pattern.All = make([]v1beta2.UnstructuredPatternExpressionOrRef, len(src.All)) + for i, p := range src.All { + pattern.All[i] = v1beta2.UnstructuredPatternExpressionOrRef{PatternExpressionOrRef: convertPatternExpressionOrRefTo(p.JSONPattern)} + } + } + if len(src.Any) > 0 { + pattern.Any = make([]v1beta2.UnstructuredPatternExpressionOrRef, len(src.Any)) + for i, p := range src.Any { + pattern.Any[i] = v1beta2.UnstructuredPatternExpressionOrRef{PatternExpressionOrRef: convertPatternExpressionOrRefTo(p.JSONPattern)} + } + } + return pattern +} + +func convertAuthenticationTo(src *Identity) (string, v1beta2.AuthenticationSpec) { + authentication := v1beta2.AuthenticationSpec{ + CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{ + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), + Cache: convertEvaluatorCachingTo(src.Cache), + }, + Credentials: convertCredentialsTo(src.Credentials), + } + + var overrides []JsonProperty + for _, extendedProperty := range src.ExtendedProperties { + if !extendedProperty.Overwrite { + continue + } + overrides = append(overrides, 
extendedProperty.JsonProperty) + } + if len(overrides) > 0 { + authentication.Overrides = v1beta2.ExtendedProperties(convertNamedValuesOrSelectorsTo(overrides)) + } + + var defaults []JsonProperty + for _, extendedProperty := range src.ExtendedProperties { + if extendedProperty.Overwrite { + continue + } + defaults = append(defaults, extendedProperty.JsonProperty) + } + if len(defaults) > 0 { + authentication.Defaults = v1beta2.ExtendedProperties(convertNamedValuesOrSelectorsTo(defaults)) + } + + switch src.GetType() { + case IdentityApiKey: + selector := *src.APIKey.Selector + authentication.ApiKey = &v1beta2.ApiKeyAuthenticationSpec{ + Selector: &selector, + AllNamespaces: src.APIKey.AllNamespaces, + } + case IdentityOidc: + authentication.Jwt = &v1beta2.JwtAuthenticationSpec{ + IssuerUrl: src.Oidc.Endpoint, + TTL: src.Oidc.TTL, + } + case IdentityOAuth2: + credentials := *src.OAuth2.Credentials + authentication.OAuth2TokenIntrospection = &v1beta2.OAuth2TokenIntrospectionSpec{ + Url: src.OAuth2.TokenIntrospectionUrl, + TokenTypeHint: src.OAuth2.TokenTypeHint, + Credentials: &credentials, + } + case IdentityKubernetesAuth: + authentication.KubernetesTokenReview = &v1beta2.KubernetesTokenReviewSpec{ + Audiences: src.KubernetesAuth.Audiences, + } + case IdentityMTLS: + selector := *src.MTLS.Selector + authentication.X509ClientCertificate = &v1beta2.X509ClientCertificateAuthenticationSpec{ + Selector: &selector, + AllNamespaces: src.MTLS.AllNamespaces, + } + case IdentityPlain: + authentication.Plain = &v1beta2.PlainIdentitySpec{ + Selector: src.Plain.AuthJSON, + } + case IdentityAnonymous: + authentication.AnonymousAccess = &v1beta2.AnonymousAccessSpec{} + } + + return src.Name, authentication +} + +func convertEvaluatorCachingTo(src *EvaluatorCaching) *v1beta2.EvaluatorCaching { + if src == nil { + return nil + } + return &v1beta2.EvaluatorCaching{ + Key: convertValueOrSelectorTo(src.Key), + TTL: src.TTL, + } +} + +func convertValueOrSelectorTo(src 
StaticOrDynamicValue) v1beta2.ValueOrSelector { + value := k8sruntime.RawExtension{} + if src.ValueFrom.AuthJSON == "" { + jsonString, err := json.Marshal(src.Value) + if err == nil { + value.Raw = jsonString + } + } + return v1beta2.ValueOrSelector{ + Value: value, + Selector: src.ValueFrom.AuthJSON, + } +} + +func convertCredentialsTo(src Credentials) v1beta2.Credentials { + credentials := v1beta2.Credentials{} + switch src.In { + case "authorization_header": + credentials.AuthorizationHeader = &v1beta2.Prefixed{ + Prefix: src.KeySelector, + } + case "custom_header": + credentials.CustomHeader = &v1beta2.CustomHeader{ + Named: v1beta2.Named{Name: src.KeySelector}, + } + case "query": + credentials.QueryString = &v1beta2.Named{ + Name: src.KeySelector, + } + case "cookie": + credentials.Cookie = &v1beta2.Named{ + Name: src.KeySelector, + } + } + return credentials +} + +func convertNamedValuesOrSelectorsTo(src []JsonProperty) v1beta2.NamedValuesOrSelectors { + if src == nil { + return nil + } + namedValuesOrSelectors := v1beta2.NamedValuesOrSelectors{} + for _, jsonProperty := range src { + value := k8sruntime.RawExtension{} + if jsonProperty.ValueFrom.AuthJSON == "" { + value.Raw = jsonProperty.Value.Raw + } + namedValuesOrSelectors[jsonProperty.Name] = v1beta2.ValueOrSelector{ + Value: value, + Selector: jsonProperty.ValueFrom.AuthJSON, + } + } + return namedValuesOrSelectors +} + +func convertMetadataTo(src *Metadata) (string, v1beta2.MetadataSpec) { + metadata := v1beta2.MetadataSpec{ + CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{ + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), + Cache: convertEvaluatorCachingTo(src.Cache), + }, + } + + switch src.GetType() { + case MetadataGenericHTTP: + metadata.Http = convertHttpEndpointSpecTo(src.GenericHTTP) + case MetadataUserinfo: + metadata.UserInfo = &v1beta2.UserInfoMetadataSpec{ + IdentitySource: src.UserInfo.IdentitySource, + } + case 
MetadataUma: + credentials := *src.UMA.Credentials + metadata.Uma = &v1beta2.UmaMetadataSpec{ + Endpoint: src.UMA.Endpoint, + Credentials: &credentials, + } + } + + return src.Name, metadata +} + +func convertHttpEndpointSpecTo(src *Metadata_GenericHTTP) *v1beta2.HttpEndpointSpec { + if src == nil { + return nil + } + return &v1beta2.HttpEndpointSpec{ + Url: src.Endpoint, + Method: convertMethodTo(src.Method), + Body: convertPtrValueOrSelectorTo(src.Body), + Parameters: convertNamedValuesOrSelectorsTo(src.Parameters), + ContentType: convertContentTypeTo(src.ContentType), + Headers: convertNamedValuesOrSelectorsTo(src.Headers), + SharedSecret: convertSecretKeyReferenceTo(src.SharedSecret), + OAuth2: convertOAuth2ClientAuthenticationTo(src.OAuth2), + Credentials: convertCredentialsTo(src.Credentials), + } +} + +func convertMethodTo(src *GenericHTTP_Method) *v1beta2.HttpMethod { + if src == nil { + return nil + } + method := v1beta2.HttpMethod(*src) + return &method +} + +func convertPtrValueOrSelectorTo(src *StaticOrDynamicValue) *v1beta2.ValueOrSelector { + if src == nil { + return nil + } + v := convertValueOrSelectorTo(*src) + return &v +} + +func convertContentTypeTo(src Metadata_GenericHTTP_ContentType) v1beta2.HttpContentType { + return v1beta2.HttpContentType(src) +} + +func convertSecretKeyReferenceTo(src *SecretKeyReference) *v1beta2.SecretKeyReference { + if src == nil { + return nil + } + return &v1beta2.SecretKeyReference{ + Name: src.Name, + Key: src.Key, + } +} + +func convertOAuth2ClientAuthenticationTo(src *OAuth2ClientAuthentication) *v1beta2.OAuth2ClientAuthentication { + if src == nil { + return nil + } + o := &v1beta2.OAuth2ClientAuthentication{ + TokenUrl: src.TokenUrl, + ClientId: src.ClientId, + ClientSecret: *convertSecretKeyReferenceTo(&src.ClientSecret), + Scopes: src.Scopes, + ExtraParams: src.ExtraParams, + } + if src.Cache != nil { + cache := *src.Cache + o.Cache = &cache + } + return o +} + +func convertAuthorizationTo(src 
*Authorization) (string, v1beta2.AuthorizationSpec) { + authorization := v1beta2.AuthorizationSpec{ + CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{ + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), + Cache: convertEvaluatorCachingTo(src.Cache), + }, + } + + switch src.GetType() { + case AuthorizationJSONPatternMatching: + authorization.PatternMatching = &v1beta2.PatternMatchingAuthorizationSpec{ + Patterns: utils.Map(src.JSON.Rules, convertPatternExpressionOrRefTo), + } + case AuthorizationOPA: + authorization.Opa = &v1beta2.OpaAuthorizationSpec{ + Rego: src.OPA.InlineRego, + External: convertOpaExternalRegistryTo(src.OPA.ExternalRegistry), + AllValues: src.OPA.AllValues, + } + case AuthorizationKubernetesAuthz: + authorization.KubernetesSubjectAccessReview = &v1beta2.KubernetesSubjectAccessReviewAuthorizationSpec{ + User: convertPtrValueOrSelectorTo(&src.KubernetesAuthz.User), + Groups: src.KubernetesAuthz.Groups, + ResourceAttributes: convertKubernetesSubjectAccessReviewResourceAttributesTo(src.KubernetesAuthz.ResourceAttributes), + } + case AuthorizationAuthzed: + authorization.SpiceDB = &v1beta2.SpiceDBAuthorizationSpec{ + Endpoint: src.Authzed.Endpoint, + Insecure: src.Authzed.Insecure, + SharedSecret: convertSecretKeyReferenceTo(src.Authzed.SharedSecret), + Subject: spiceDBObjectTo(src.Authzed.Subject), + Resource: spiceDBObjectTo(src.Authzed.Resource), + Permission: convertValueOrSelectorTo(src.Authzed.Permission), + } + } + + return src.Name, authorization +} + +func convertOpaExternalRegistryTo(src ExternalRegistry) *v1beta2.ExternalOpaPolicy { + if src.Endpoint == "" { + return nil + } + return &v1beta2.ExternalOpaPolicy{ + HttpEndpointSpec: &v1beta2.HttpEndpointSpec{ + Url: src.Endpoint, + SharedSecret: convertSecretKeyReferenceTo(src.SharedSecret), + Credentials: convertCredentialsTo(src.Credentials), + }, + TTL: src.TTL, + } +} + +func 
convertKubernetesSubjectAccessReviewResourceAttributesTo(src *Authorization_KubernetesAuthz_ResourceAttributes) *v1beta2.KubernetesSubjectAccessReviewResourceAttributesSpec { + if src == nil { + return nil + } + return &v1beta2.KubernetesSubjectAccessReviewResourceAttributesSpec{ + Namespace: convertValueOrSelectorTo(src.Namespace), + Group: convertValueOrSelectorTo(src.Group), + Resource: convertValueOrSelectorTo(src.Resource), + Name: convertValueOrSelectorTo(src.Name), + SubResource: convertValueOrSelectorTo(src.SubResource), + Verb: convertValueOrSelectorTo(src.Verb), + } +} + +func spiceDBObjectTo(src *AuthzedObject) *v1beta2.SpiceDBObject { + if src == nil { + return nil + } + return &v1beta2.SpiceDBObject{ + Kind: convertValueOrSelectorTo(src.Kind), + Name: convertValueOrSelectorTo(src.Name), + } +} + +func convertDenyWithSpecTo(src *DenyWithSpec) *v1beta2.DenyWithSpec { + if src == nil { + return nil + } + return &v1beta2.DenyWithSpec{ + Code: v1beta2.DenyWithCode(src.Code), + Headers: convertNamedValuesOrSelectorsTo(src.Headers), + Message: convertPtrValueOrSelectorTo(src.Message), + Body: convertPtrValueOrSelectorTo(src.Body), + } +} + +func convertSuccessResponseTo(src *Response) (string, v1beta2.SuccessResponseSpec) { + response := v1beta2.SuccessResponseSpec{ + CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{ + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), + Cache: convertEvaluatorCachingTo(src.Cache), + }, + Key: src.WrapperKey, + } + + switch src.GetType() { + case ResponsePlain: + selector := v1beta2.PlainAuthResponseSpec(convertValueOrSelectorTo(StaticOrDynamicValue(*src.Plain))) + response.Plain = &selector + case ResponseDynamicJSON: + response.Json = &v1beta2.JsonAuthResponseSpec{ + Properties: convertNamedValuesOrSelectorsTo(src.JSON.Properties), + } + case ResponseWristband: + response.Wristband = &v1beta2.WristbandAuthResponseSpec{ + Issuer: src.Wristband.Issuer, + 
CustomClaims: convertNamedValuesOrSelectorsTo(src.Wristband.CustomClaims), + } + if src.Wristband.TokenDuration != nil { + duration := *src.Wristband.TokenDuration + response.Wristband.TokenDuration = &duration + } + for _, keySrc := range src.Wristband.SigningKeyRefs { + if keySrc == nil { + continue + } + key := &v1beta2.WristbandSigningKeyRef{ + Name: keySrc.Name, + Algorithm: v1beta2.WristbandSigningKeyAlgorithm(keySrc.Algorithm), + } + response.Wristband.SigningKeyRefs = append(response.Wristband.SigningKeyRefs, key) + } + } + + return src.Name, response +} + +func convertCallbackTo(src *Callback) (string, v1beta2.CallbackSpec) { + callback := v1beta2.CallbackSpec{ + CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{ + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), + }, + } + + switch src.GetType() { + case CallbackHTTP: + callback.Http = convertHttpEndpointSpecTo(src.HTTP) + } + + return src.Name, callback +} + +func convertStatusTo(src AuthConfigStatus) v1beta2.AuthConfigStatus { + return v1beta2.AuthConfigStatus{ + Conditions: utils.Map(src.Conditions, func(conditionSrc Condition) v1beta2.AuthConfigStatusCondition { + condition := v1beta2.AuthConfigStatusCondition{ + Type: v1beta2.StatusConditionType(conditionSrc.Type), + Status: conditionSrc.Status, + LastTransitionTime: conditionSrc.LastTransitionTime, + Reason: conditionSrc.Reason, + Message: conditionSrc.Message, + } + if conditionSrc.LastUpdatedTime != nil { + time := *conditionSrc.LastUpdatedTime + condition.LastUpdatedTime = &time + } + return condition + }), + Summary: convertStatusSummaryTo(src.Summary), + } +} + +func convertStatusSummaryTo(src Summary) v1beta2.AuthConfigStatusSummary { + hostsReady := make([]string, len(src.HostsReady)) + copy(hostsReady, src.HostsReady) + + return v1beta2.AuthConfigStatusSummary{ + Ready: src.Ready, + HostsReady: hostsReady, + NumHostsReady: src.NumHostsReady, + NumIdentitySources: 
src.NumIdentitySources, + NumMetadataSources: src.NumMetadataSources, + NumAuthorizationPolicies: src.NumAuthorizationPolicies, + NumResponseItems: src.NumResponseItems, + FestivalWristbandEnabled: src.FestivalWristbandEnabled, + } +} diff --git a/api/v1beta2/auth_config_conversion.go b/api/v1beta2/auth_config_conversion.go index b46b1bad..f07163e8 100644 --- a/api/v1beta2/auth_config_conversion.go +++ b/api/v1beta2/auth_config_conversion.go @@ -1,5 +1,10 @@ package v1beta2 +// Hub marks this version as a conversion hub. +func (a *AuthConfig) Hub() {} + +/** + import ( "encoding/json" @@ -1078,3 +1083,5 @@ func convertStatusSummaryFrom(src v1beta1.Summary) AuthConfigStatusSummary { FestivalWristbandEnabled: src.FestivalWristbandEnabled, } } + +*/ From 3852e37d5da01fd358259ba23d86574c46109ffa Mon Sep 17 00:00:00 2001 From: Alex Snaps Date: Mon, 26 Aug 2024 10:24:52 -0400 Subject: [PATCH 2/6] Part 2: Convert from v1beta2 Signed-off-by: Alex Snaps --- api/v1beta1/auth_config_conversion.go | 499 ++++++++++++ api/v1beta2/auth_config_conversion.go | 1083 ------------------------- 2 files changed, 499 insertions(+), 1083 deletions(-) diff --git a/api/v1beta1/auth_config_conversion.go b/api/v1beta1/auth_config_conversion.go index d97ca602..78a2e5dd 100644 --- a/api/v1beta1/auth_config_conversion.go +++ b/api/v1beta1/auth_config_conversion.go @@ -4,6 +4,7 @@ import ( "encoding/json" "github.com/kuadrant/authorino/api/v1beta2" "github.com/kuadrant/authorino/pkg/utils" + "github.com/tidwall/gjson" k8sruntime "k8s.io/apimachinery/pkg/runtime" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/conversion" 
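Review bot: `dst := dstRaw.(*v1beta2.AuthConfig)` in ConvertTo (and `src := srcRaw.(*v1beta2.AuthConfig)` in ConvertFrom) is an unchecked type assertion, so a hub of any other type panics inside the conversion webhook instead of surfacing as an error; prefer `dst, ok := dstRaw.(*v1beta2.AuthConfig)` followed by `if !ok { return fmt.Errorf("unexpected hub type %T", dstRaw) }` (fmt would need adding to the import block). The same panic-on-shape pattern is in the bare dereferences `*src.APIKey.Selector`, `*src.OAuth2.Credentials` and `*src.MTLS.Selector` in convertAuthenticationTo and `*src.UMA.Credentials` in convertMetadataTo, and in their mirrors convertAuthenticationFrom and convertMetadataFrom in the second patch; those are only safe if the CRD schema marks the fields required, and if it does not, one nil field takes the webhook down for every object of that shape, so either guard them or confirm the schema and say so in a comment. Separately, `WithValues("src", src)` plus the closing `Info("finished converting resource", "dst", dst)` attach the whole object to every log line, which is a lot of output per conversion even at V(1), and the logger names `converto`/`converfrom` read like typos for `convertto`/`convertfrom`.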
@@ -127,6 +128,72 @@ func (dst *AuthConfig) ConvertFrom(srcRaw conversion.Hub) error { // hosts dst.Spec.Hosts = src.Spec.Hosts + // named patterns + if src.Spec.NamedPatterns != nil { + dst.Spec.Patterns = make(map[string]JSONPatternExpressions, len(src.Spec.NamedPatterns)) + for name, patterns := range src.Spec.NamedPatterns { + dst.Spec.Patterns[name] = utils.Map(patterns, convertPatternExpressionFrom) + } + } + + // conditions + dst.Spec.Conditions = utils.Map(src.Spec.Conditions, convertPatternExpressionOrRefFrom) + + // identity + for name, authentication := range src.Spec.Authentication { + identity := convertAuthenticationFrom(name, authentication) + dst.Spec.Identity = append(dst.Spec.Identity, identity) + } + + // metadata + for name, metadataSrc := range src.Spec.Metadata { + metadata := convertMetadataFrom(name, metadataSrc) + dst.Spec.Metadata = append(dst.Spec.Metadata, metadata) + } + + // authorization + for name, authorizationSrc := range src.Spec.Authorization { + authorization := convertAuthorizationFrom(name, authorizationSrc) + dst.Spec.Authorization = append(dst.Spec.Authorization, authorization) + } + + // response + if src.Spec.Response != nil { + for name, responseSrc := range src.Spec.Response.Success.Headers { + response := convertSuccessResponseFrom(name, responseSrc.SuccessResponseSpec, "httpHeader") + dst.Spec.Response = append(dst.Spec.Response, response) + } + + for name, responseSrc := range src.Spec.Response.Success.DynamicMetadata { + response := convertSuccessResponseFrom(name, responseSrc, "envoyDynamicMetadata") + dst.Spec.Response = append(dst.Spec.Response, response) + } + + // denyWith + if src.Spec.Response.Unauthenticated != nil || src.Spec.Response.Unauthorized != nil { + dst.Spec.DenyWith = &DenyWith{} + } + + if denyWithSrc := src.Spec.Response.Unauthenticated; denyWithSrc != nil { + dst.Spec.DenyWith.Unauthenticated = convertDenyWithSpecFrom(denyWithSrc) + } + + if denyWithSrc := src.Spec.Response.Unauthorized; 
denyWithSrc != nil { + dst.Spec.DenyWith.Unauthorized = convertDenyWithSpecFrom(denyWithSrc) + } + } + + // callbacks + for name, callbackSrc := range src.Spec.Callbacks { + callback := convertCallbackFrom(name, callbackSrc) + dst.Spec.Callbacks = append(dst.Spec.Callbacks, callback) + } + + // status + dst.Status = convertStatusFrom(src.Status) + + logger.V(1).Info("finished converting resource", "dst", dst) + return nil } @@ -138,6 +205,14 @@ func convertPatternExpressionTo(src JSONPatternExpression) v1beta2.PatternExpres } } +func convertPatternExpressionFrom(src v1beta2.PatternExpression) JSONPatternExpression { + return JSONPatternExpression{ + Selector: src.Selector, + Operator: JSONPatternOperator(src.Operator), + Value: src.Value, + } +} + func convertPatternExpressionOrRefTo(src JSONPattern) v1beta2.PatternExpressionOrRef { pattern := v1beta2.PatternExpressionOrRef{ PatternExpression: convertPatternExpressionTo(src.JSONPatternExpression), 
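Review bot: The lists built from `src.Spec.Authentication`, `src.Spec.Metadata`, `src.Spec.Authorization`, `src.Spec.Response.Success.Headers`, `src.Spec.Response.Success.DynamicMetadata` and `src.Spec.Callbacks` are appended in Go map iteration order, which is randomized, so two conversions of the same v1beta2 object produce v1beta1 slices in different orders. A conversion webhook should be deterministic, otherwise round trips show spurious diffs and anything that depends on list position becomes unstable. Iterating over sorted keys fixes it; since the file already relies on the generic `utils.Map`, a small generic helper keeps the loops readable (it needs `sort` in the import block). The same applies to convertNamedValuesOrSelectorsFrom and, through it, to the `extendedProperties` list in convertAuthenticationFrom. ConvertFrom's signature and logger setup sit above this hunk.
```go
// sortedKeys returns m's keys in ascending order so converted lists do not
// depend on map iteration order.
func sortedKeys[V any](m map[string]V) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

	// identity
	for _, name := range sortedKeys(src.Spec.Authentication) {
		identity := convertAuthenticationFrom(name, src.Spec.Authentication[name])
		dst.Spec.Identity = append(dst.Spec.Identity, identity)
	}
	// … unchanged apart from the same sortedKeys loop: metadata, authorization, response headers/dynamic metadata, denyWith, callbacks, status …
```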
@@ -160,6 +235,28 @@ func convertPatternExpressionOrRefTo(src JSONPattern) v1beta2.PatternExpressionO return pattern } +func convertPatternExpressionOrRefFrom(src v1beta2.PatternExpressionOrRef) JSONPattern { + pattern := JSONPattern{ + JSONPatternExpression: convertPatternExpressionFrom(src.PatternExpression), + JSONPatternRef: JSONPatternRef{ + JSONPatternName: src.PatternRef.Name, + }, + } + if len(src.All) > 0 { + pattern.All = make([]UnstructuredJSONPattern, len(src.All)) + for i, p := range src.All { + pattern.All[i] = UnstructuredJSONPattern{JSONPattern: convertPatternExpressionOrRefFrom(p.PatternExpressionOrRef)} + } + } + if len(src.Any) > 0 { + pattern.Any = make([]UnstructuredJSONPattern, len(src.Any)) + for i, p := range src.Any { + pattern.Any[i] = UnstructuredJSONPattern{JSONPattern: convertPatternExpressionOrRefFrom(p.PatternExpressionOrRef)} + } + } + return pattern +} + func convertAuthenticationTo(src *Identity) (string, v1beta2.AuthenticationSpec) { authentication := v1beta2.AuthenticationSpec{ CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{ 
@@ -233,6 +330,71 @@ func convertAuthenticationTo(src *Identity) (string, v1beta2.AuthenticationSpec) return src.Name, authentication } +func convertAuthenticationFrom(name string, src v1beta2.AuthenticationSpec) *Identity { + extendedProperties := utils.Map(convertNamedValuesOrSelectorsFrom(v1beta2.NamedValuesOrSelectors(src.Overrides)), func(jsonProperty JsonProperty) ExtendedProperty { + return ExtendedProperty{ + JsonProperty: jsonProperty, + Overwrite: true, + } + }) + extendedProperties = append(extendedProperties, utils.Map(convertNamedValuesOrSelectorsFrom(v1beta2.NamedValuesOrSelectors(src.Defaults)), func(jsonProperty JsonProperty) ExtendedProperty { + return ExtendedProperty{ + JsonProperty: jsonProperty, + Overwrite: false, + } + })...) + + identity := &Identity{ + Name: name, + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), + Cache: convertEvaluatorCachingFrom(src.Cache), + Credentials: convertCredentialsFrom(src.Credentials), + ExtendedProperties: extendedProperties, + } + + switch src.GetMethod() { + case v1beta2.ApiKeyAuthentication: + selector := *src.ApiKey.Selector + identity.APIKey = &Identity_APIKey{ + Selector: &selector, + AllNamespaces: src.ApiKey.AllNamespaces, + } + case v1beta2.JwtAuthentication: + identity.Oidc = &Identity_OidcConfig{ + Endpoint: src.Jwt.IssuerUrl, + TTL: src.Jwt.TTL, + } + case v1beta2.OAuth2TokenIntrospectionAuthentication: + credentials := *src.OAuth2TokenIntrospection.Credentials + identity.OAuth2 = &Identity_OAuth2Config{ + TokenIntrospectionUrl: src.OAuth2TokenIntrospection.Url, + TokenTypeHint: src.OAuth2TokenIntrospection.TokenTypeHint, + Credentials: &credentials, + } + case v1beta2.KubernetesTokenReviewAuthentication: + identity.KubernetesAuth = &Identity_KubernetesAuth{ + Audiences: src.KubernetesTokenReview.Audiences, + } + case v1beta2.X509ClientCertificateAuthentication: + selector := *src.X509ClientCertificate.Selector + 
identity.MTLS = &Identity_MTLS{ + Selector: &selector, + AllNamespaces: src.X509ClientCertificate.AllNamespaces, + } + case v1beta2.PlainIdentityAuthentication: + selector := Identity_Plain(ValueFrom{ + AuthJSON: src.Plain.Selector, + }) + identity.Plain = &selector + case v1beta2.AnonymousAccessAuthentication: + identity.Anonymous = &Identity_Anonymous{} + } + + return identity +} + func convertEvaluatorCachingTo(src *EvaluatorCaching) *v1beta2.EvaluatorCaching { if src == nil { return nil @@ -243,6 +405,16 @@ func convertEvaluatorCachingTo(src *EvaluatorCaching) *v1beta2.EvaluatorCaching } } +func convertEvaluatorCachingFrom(src *v1beta2.EvaluatorCaching) *EvaluatorCaching { + if src == nil { + return nil + } + return &EvaluatorCaching{ + Key: convertValueOrSelectorFrom(src.Key), + TTL: src.TTL, + } +} + func convertValueOrSelectorTo(src StaticOrDynamicValue) v1beta2.ValueOrSelector { value := k8sruntime.RawExtension{} if src.ValueFrom.AuthJSON == "" { @@ -257,6 +429,13 @@ func convertValueOrSelectorTo(src StaticOrDynamicValue) v1beta2.ValueOrSelector } } +func convertValueOrSelectorFrom(src v1beta2.ValueOrSelector) StaticOrDynamicValue { + return StaticOrDynamicValue{ + Value: gjson.ParseBytes(src.Value.Raw).String(), + ValueFrom: convertSelectorFrom(src), + } +} + func convertCredentialsTo(src Credentials) v1beta2.Credentials { credentials := v1beta2.Credentials{} switch src.In { 
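Review bot: `Value: gjson.ParseBytes(src.Value.Raw).String()` in convertValueOrSelectorFrom flattens every static value to a string, while the opposite direction (`json.Marshal(src.Value)` in convertValueOrSelectorTo) re-encodes that string as a JSON string literal, so a v1beta2 value that was a number, boolean or object (`42`, `true`, `{"a":1}`) comes back from a v1beta2→v1beta1→v1beta2 round trip as `"42"`, `"true"`, `"{\"a\":1}"`, a type change a reader would not expect. If v1beta1's `StaticOrDynamicValue.Value` is a plain string by schema this is accepted lossiness, but it deserves a comment here, e.g. `// non-string JSON statics are stringified: v1beta1 only carries string values, so the original JSON type is lost on round trip`. Note also that, assuming `Value` is a string, the To direction marshals an empty value into `Value.Raw` as `""` whenever no selector is set, so an empty v1beta2 ValueOrSelector does not round-trip to an empty one either.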
@@ -280,6 +459,28 @@ func convertCredentialsTo(src Credentials) v1beta2.Credentials { return credentials } +func convertCredentialsFrom(src v1beta2.Credentials) Credentials { + var in, key string + switch src.GetType() { + case v1beta2.AuthorizationHeaderCredentials: + in = "authorization_header" + key = src.AuthorizationHeader.Prefix + case v1beta2.CustomHeaderCredentials: + in = "custom_header" + key = src.CustomHeader.Name + case v1beta2.QueryStringCredentials: + in = "query" + key = src.QueryString.Name + case v1beta2.CookieCredentials: + in = "cookie" + key = src.Cookie.Name + } + return Credentials{ + In: Credentials_In(in), + KeySelector: key, + } +} + func convertNamedValuesOrSelectorsTo(src []JsonProperty) v1beta2.NamedValuesOrSelectors { if src == nil { return nil @@ -298,6 +499,27 @@ func convertNamedValuesOrSelectorsTo(src []JsonProperty) v1beta2.NamedValuesOrSe return namedValuesOrSelectors } +func convertNamedValuesOrSelectorsFrom(src v1beta2.NamedValuesOrSelectors) []JsonProperty { + if src == nil { + return nil + } + jsonProperties := make([]JsonProperty, 0, len(src)) + for name, valueOrSelector := range src { + jsonProperties = append(jsonProperties, JsonProperty{ + Name: name, + Value: valueOrSelector.Value, + ValueFrom: convertSelectorFrom(valueOrSelector), + }) + } + return jsonProperties +} + +func convertSelectorFrom(src v1beta2.ValueOrSelector) ValueFrom { + return ValueFrom{ + AuthJSON: src.Selector, + } +} + func convertMetadataTo(src *Metadata) (string, v1beta2.MetadataSpec) { metadata := v1beta2.MetadataSpec{ CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{ 
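Review bot: convertCredentialsFrom has no `default` branch, so a v1beta2 Credentials with none of the four locations set yields `Credentials{In: "", KeySelector: ""}`; if v1beta1 declares `in` as an enum that defaults to `authorization_header` (one of the four literals convertCredentialsTo switches on), the converted object then carries a value outside that enum instead of the documented default, which may be rejected when the object is written back. Consider `default: in = "authorization_header"` with a one-line comment stating that empty credentials fall back to the v1beta1 default, or confirm the empty value is acceptable. The literals `"authorization_header"`, `"custom_header"`, `"query"` and `"cookie"` now appear in both convertCredentialsTo and convertCredentialsFrom; named constants would keep the two switches from drifting.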
@@ -326,6 +548,33 @@ func convertMetadataTo(src *Metadata) (string, v1beta2.MetadataSpec) { return src.Name, metadata } +func convertMetadataFrom(name string, src v1beta2.MetadataSpec) *Metadata { + metadata := &Metadata{ + Name: name, + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), + Cache: convertEvaluatorCachingFrom(src.Cache), + } + + switch src.GetMethod() { + case v1beta2.HttpMetadata: + metadata.GenericHTTP = convertHttpEndpointSpecFrom(src.Http) + case v1beta2.UserInfoMetadata: + metadata.UserInfo = &Metadata_UserInfo{ + IdentitySource: src.UserInfo.IdentitySource, + } + case v1beta2.UmaResourceMetadata: + credentials := *src.Uma.Credentials + metadata.UMA = &Metadata_UMA{ + Endpoint: src.Uma.Endpoint, + Credentials: &credentials, + } + } + + return metadata +} + func convertHttpEndpointSpecTo(src *Metadata_GenericHTTP) *v1beta2.HttpEndpointSpec { if src == nil { return nil @@ -343,6 +592,23 @@ func convertHttpEndpointSpecTo(src *Metadata_GenericHTTP) *v1beta2.HttpEndpointS } } +func convertHttpEndpointSpecFrom(src *v1beta2.HttpEndpointSpec) *Metadata_GenericHTTP { + if src == nil { + return nil + } + return &Metadata_GenericHTTP{ + Endpoint: src.Url, + Method: convertMethodFrom(src.Method), + Body: convertPtrValueOrSelectorFrom(src.Body), + Parameters: convertNamedValuesOrSelectorsFrom(src.Parameters), + ContentType: convertContentTypeFrom(src.ContentType), + Headers: convertNamedValuesOrSelectorsFrom(src.Headers), + SharedSecret: convertSecretKeyReferenceFrom(src.SharedSecret), + OAuth2: convertOAuth2ClientAuthenticationFrom(src.OAuth2), + Credentials: convertCredentialsFrom(src.Credentials), + } +} + func convertMethodTo(src *GenericHTTP_Method) *v1beta2.HttpMethod { if src == nil { return nil 
@@ -351,6 +617,14 @@ func convertMethodTo(src *GenericHTTP_Method) *v1beta2.HttpMethod { return &method } +func convertMethodFrom(src *v1beta2.HttpMethod) *GenericHTTP_Method { + if src == nil { + return nil + } + method := GenericHTTP_Method(*src) + return &method +} + func convertPtrValueOrSelectorTo(src *StaticOrDynamicValue) *v1beta2.ValueOrSelector { if src == nil { return nil @@ -359,10 +633,22 @@ func convertPtrValueOrSelectorTo(src *StaticOrDynamicValue) *v1beta2.ValueOrSele return &v } +func convertPtrValueOrSelectorFrom(src *v1beta2.ValueOrSelector) *StaticOrDynamicValue { + if src == nil { + return nil + } + v := convertValueOrSelectorFrom(*src) + return &v +} + func convertContentTypeTo(src Metadata_GenericHTTP_ContentType) v1beta2.HttpContentType { return v1beta2.HttpContentType(src) } +func convertContentTypeFrom(src v1beta2.HttpContentType) Metadata_GenericHTTP_ContentType { + return Metadata_GenericHTTP_ContentType(src) +} + func convertSecretKeyReferenceTo(src *SecretKeyReference) *v1beta2.SecretKeyReference { if src == nil { return nil @@ -373,6 +659,16 @@ func convertSecretKeyReferenceTo(src *SecretKeyReference) *v1beta2.SecretKeyRefe } } +func convertSecretKeyReferenceFrom(src *v1beta2.SecretKeyReference) *SecretKeyReference { + if src == nil { + return nil + } + return &SecretKeyReference{ + Name: src.Name, + Key: src.Key, + } +} + func convertOAuth2ClientAuthenticationTo(src *OAuth2ClientAuthentication) *v1beta2.OAuth2ClientAuthentication { if src == nil { return nil 
@@ -391,6 +687,24 @@ func convertOAuth2ClientAuthenticationTo(src *OAuth2ClientAuthentication) *v1bet return o } +func convertOAuth2ClientAuthenticationFrom(src *v1beta2.OAuth2ClientAuthentication) *OAuth2ClientAuthentication { + if src == nil { + return nil + } + o := &OAuth2ClientAuthentication{ + TokenUrl: src.TokenUrl, + ClientId: src.ClientId, + ClientSecret: *convertSecretKeyReferenceFrom(&src.ClientSecret), + Scopes: src.Scopes, + ExtraParams: src.ExtraParams, + } + if src.Cache != nil { + cache := *src.Cache + o.Cache = &cache + } + return o +} + func convertAuthorizationTo(src *Authorization) (string, v1beta2.AuthorizationSpec) { authorization := v1beta2.AuthorizationSpec{ CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{ 
@@ -432,6 +746,48 @@ func convertAuthorizationTo(src *Authorization) (string, v1beta2.AuthorizationSp return src.Name, authorization } +func convertAuthorizationFrom(name string, src v1beta2.AuthorizationSpec) *Authorization { + authorization := &Authorization{ + Name: name, + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), + Cache: convertEvaluatorCachingFrom(src.Cache), + } + + switch src.GetMethod() { + case v1beta2.PatternMatchingAuthorization: + authorization.JSON = &Authorization_JSONPatternMatching{ + Rules: utils.Map(src.PatternMatching.Patterns, convertPatternExpressionOrRefFrom), + } + case v1beta2.OpaAuthorization: + authorization.OPA = &Authorization_OPA{ + InlineRego: src.Opa.Rego, + ExternalRegistry: convertOpaExternalRegistryFrom(src.Opa.External), + AllValues: src.Opa.AllValues, + } + case v1beta2.KubernetesSubjectAccessReviewAuthorization: + authorization.KubernetesAuthz = &Authorization_KubernetesAuthz{ + Groups: src.KubernetesSubjectAccessReview.Groups, + ResourceAttributes: convertKubernetesSubjectAccessReviewResourceAttributesFrom(src.KubernetesSubjectAccessReview.ResourceAttributes), + } + if src.KubernetesSubjectAccessReview.User != nil { + authorization.KubernetesAuthz.User = convertValueOrSelectorFrom(*src.KubernetesSubjectAccessReview.User) + } + case v1beta2.SpiceDBAuthorization: + authorization.Authzed = &Authorization_Authzed{ + Endpoint: src.SpiceDB.Endpoint, + Insecure: src.SpiceDB.Insecure, + SharedSecret: convertSecretKeyReferenceFrom(src.SpiceDB.SharedSecret), + Subject: spiceDBObjectFrom(src.SpiceDB.Subject), + Resource: spiceDBObjectFrom(src.SpiceDB.Resource), + Permission: convertValueOrSelectorFrom(src.SpiceDB.Permission), + } + } + + return authorization +} + func convertOpaExternalRegistryTo(src ExternalRegistry) *v1beta2.ExternalOpaPolicy { if src.Endpoint == "" { return nil 
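Review bot: The `switch src.GetMethod()` in `convertAuthorizationFrom` has no `default`, so an `AuthorizationSpec` matching none of the four cases is converted to an `Authorization` with no evaluator set and the policy is silently dropped rather than surfaced as a conversion failure. The four cases cover every method the removed v1beta2 converter handled, so today this is only reachable for a spec with no method set, but any evaluator added to the hub version later would silently vanish when read through v1beta1, which is the wrong failure mode for an authorization policy. Since the function is new in this commit, consider returning `(*Authorization, error)` with `default: return nil, fmt.Errorf("unsupported authorization method %v", src.GetMethod())` (`fmt` is not in the import block shown) so that `ConvertFrom`, which lies outside this hunk, can propagate it. The same consideration applies to the sibling `convertMetadataFrom`.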
@@ -446,6 +802,18 @@ func convertOpaExternalRegistryTo(src ExternalRegistry) *v1beta2.ExternalOpaPoli } } +func convertOpaExternalRegistryFrom(src *v1beta2.ExternalOpaPolicy) ExternalRegistry { + if src == nil { + return ExternalRegistry{} + } + return ExternalRegistry{ + Endpoint: src.Url, + SharedSecret: convertSecretKeyReferenceFrom(src.SharedSecret), + Credentials: convertCredentialsFrom(src.Credentials), + TTL: src.TTL, + } +} + func convertKubernetesSubjectAccessReviewResourceAttributesTo(src *Authorization_KubernetesAuthz_ResourceAttributes) *v1beta2.KubernetesSubjectAccessReviewResourceAttributesSpec { if src == nil { return nil @@ -460,6 +828,20 @@ func convertKubernetesSubjectAccessReviewResourceAttributesTo(src *Authorization } } +func convertKubernetesSubjectAccessReviewResourceAttributesFrom(src *v1beta2.KubernetesSubjectAccessReviewResourceAttributesSpec) *Authorization_KubernetesAuthz_ResourceAttributes { + if src == nil { + return nil + } + return &Authorization_KubernetesAuthz_ResourceAttributes{ + Namespace: convertValueOrSelectorFrom(src.Namespace), + Group: convertValueOrSelectorFrom(src.Group), + Resource: convertValueOrSelectorFrom(src.Resource), + Name: convertValueOrSelectorFrom(src.Name), + SubResource: convertValueOrSelectorFrom(src.SubResource), + Verb: convertValueOrSelectorFrom(src.Verb), + } +} + func spiceDBObjectTo(src *AuthzedObject) *v1beta2.SpiceDBObject { if src == nil { return nil @@ -470,6 +852,16 @@ func spiceDBObjectTo(src *AuthzedObject) *v1beta2.SpiceDBObject { } } +func spiceDBObjectFrom(src *v1beta2.SpiceDBObject) *AuthzedObject { + if src == nil { + return nil + } + return &AuthzedObject{ + Kind: convertValueOrSelectorFrom(src.Kind), + Name: convertValueOrSelectorFrom(src.Name), + } +} + func convertDenyWithSpecTo(src *DenyWithSpec) *v1beta2.DenyWithSpec { if src == nil { return nil 
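Review bot: `convertOpaExternalRegistryFrom` nil-checks `src` but then reads `src.Url`, `src.SharedSecret` and `src.Credentials`, which the removed v1beta2 converter (`HttpEndpointSpec: &HttpEndpointSpec{ Url: ... }`) suggests are promoted through an embedded `*HttpEndpointSpec`; if that embedded pointer is nil, the promoted field access panics despite the guard. A stored object with `external:` present but none of the endpoint fields set (for example only `ttl`) decodes to exactly that shape unless the CRD schema rules it out, and a webhook panic fails conversion for every client of the resource. Extend the guard to `if src == nil || src.HttpEndpointSpec == nil { return ExternalRegistry{} }`, which also keeps `Endpoint == ""` as the marker `convertOpaExternalRegistryTo` relies on for "no external registry".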
@@ -482,6 +874,18 @@ func convertDenyWithSpecTo(src *DenyWithSpec) *v1beta2.DenyWithSpec { } } +func convertDenyWithSpecFrom(src *v1beta2.DenyWithSpec) *DenyWithSpec { + if src == nil { + return nil + } + return &DenyWithSpec{ + Code: DenyWith_Code(src.Code), + Headers: convertNamedValuesOrSelectorsFrom(src.Headers), + Message: convertPtrValueOrSelectorFrom(src.Message), + Body: convertPtrValueOrSelectorFrom(src.Body), + } +} + func convertSuccessResponseTo(src *Response) (string, v1beta2.SuccessResponseSpec) { response := v1beta2.SuccessResponseSpec{ CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{ 
@@ -525,6 +929,49 @@ func convertSuccessResponseTo(src *Response) (string, v1beta2.SuccessResponseSpe return src.Name, response } +func convertSuccessResponseFrom(name string, src v1beta2.SuccessResponseSpec, wrapper string) *Response { + response := &Response{ + Name: name, + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), + Cache: convertEvaluatorCachingFrom(src.Cache), + Wrapper: Response_Wrapper(wrapper), + WrapperKey: src.Key, + } + + switch src.GetMethod() { + case v1beta2.PlainAuthResponse: + selector := Response_Plain(convertValueOrSelectorFrom(v1beta2.ValueOrSelector(*src.Plain))) + response.Plain = &selector + case v1beta2.JsonAuthResponse: + response.JSON = &Response_DynamicJSON{ + Properties: convertNamedValuesOrSelectorsFrom(src.Json.Properties), + } + case v1beta2.WristbandAuthResponse: + response.Wristband = &Response_Wristband{ + Issuer: src.Wristband.Issuer, + CustomClaims: convertNamedValuesOrSelectorsFrom(src.Wristband.CustomClaims), + } + if src.Wristband.TokenDuration != nil { + duration := *src.Wristband.TokenDuration + response.Wristband.TokenDuration = &duration + } + for _, keySrc := range src.Wristband.SigningKeyRefs { + if keySrc == nil { + continue + } + key := SigningKeyRef{ + Name: keySrc.Name, + Algorithm: SigningKeyAlgorithm(keySrc.Algorithm), + } + response.Wristband.SigningKeyRefs = append(response.Wristband.SigningKeyRefs, &key) + } + } + + return response +} + func convertCallbackTo(src *Callback) (string, v1beta2.CallbackSpec) { callback := v1beta2.CallbackSpec{ CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{ 
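Review bot: The `wrapper` parameter of `convertSuccessResponseFrom` is a bare `string` cast to `Response_Wrapper` on the `Wrapper:` line, so nothing stops a caller from passing a value other than the two wrapper names the removed v1beta2 `ConvertTo` used (`"httpHeader"` and `"envoyDynamicMetadata"`), and the result would be a v1beta1 `Response` with a wrapper Authorino does not recognise. Taking `wrapper Response_Wrapper` instead, or at least documenting the accepted values, makes the contract explicit: `// wrapper selects the v1beta1 response wrapper: "httpHeader" for success.headers entries, "envoyDynamicMetadata" for success.dynamicMetadata entries.` The new `ConvertFrom` that calls this helper is outside this hunk, so I cannot confirm which values it passes.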
@@ -542,6 +989,22 @@ func convertCallbackTo(src *Callback) (string, v1beta2.CallbackSpec) { return src.Name, callback } +func convertCallbackFrom(name string, src v1beta2.CallbackSpec) *Callback { + callback := &Callback{ + Name: name, + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), + } + + switch src.GetMethod() { + case v1beta2.HttpCallback: + callback.HTTP = convertHttpEndpointSpecFrom(src.Http) + } + + return callback +} + func convertStatusTo(src AuthConfigStatus) v1beta2.AuthConfigStatus { return v1beta2.AuthConfigStatus{ Conditions: utils.Map(src.Conditions, func(conditionSrc Condition) v1beta2.AuthConfigStatusCondition { @@ -562,6 +1025,26 @@ func convertStatusTo(src AuthConfigStatus) v1beta2.AuthConfigStatus { } } +func convertStatusFrom(src v1beta2.AuthConfigStatus) AuthConfigStatus { + return AuthConfigStatus{ + Conditions: utils.Map(src.Conditions, func(conditionSrc v1beta2.AuthConfigStatusCondition) Condition { + condition := Condition{ + Type: ConditionType(conditionSrc.Type), + Status: conditionSrc.Status, + LastTransitionTime: conditionSrc.LastTransitionTime, + Reason: conditionSrc.Reason, + Message: conditionSrc.Message, + } + if conditionSrc.LastUpdatedTime != nil { + time := *conditionSrc.LastUpdatedTime + condition.LastUpdatedTime = &time + } + return condition + }), + Summary: convertStatusSummaryFrom(src.Summary), + } +} + func convertStatusSummaryTo(src Summary) v1beta2.AuthConfigStatusSummary { hostsReady := make([]string, len(src.HostsReady)) copy(hostsReady, src.HostsReady) 
@@ -577,3 +1060,19 @@ func convertStatusSummaryTo(src Summary) v1beta2.AuthConfigStatusSummary { FestivalWristbandEnabled: src.FestivalWristbandEnabled, } } + +func convertStatusSummaryFrom(src v1beta2.AuthConfigStatusSummary) Summary { + hostsReady := make([]string, len(src.HostsReady)) + copy(hostsReady, src.HostsReady) + + return Summary{ + Ready: src.Ready, + HostsReady: hostsReady, + NumHostsReady: src.NumHostsReady, + NumIdentitySources: src.NumIdentitySources, + NumMetadataSources: src.NumMetadataSources, + NumAuthorizationPolicies: src.NumAuthorizationPolicies, + NumResponseItems: src.NumResponseItems, + FestivalWristbandEnabled: src.FestivalWristbandEnabled, + } +} diff --git a/api/v1beta2/auth_config_conversion.go b/api/v1beta2/auth_config_conversion.go index f07163e8..a66d1434 100644 --- a/api/v1beta2/auth_config_conversion.go +++ b/api/v1beta2/auth_config_conversion.go 
@@ -2,1086 +2,3 @@ package v1beta2 // Hub marks this version as a conversion hub. func (a *AuthConfig) Hub() {} - -/** - -import ( - "encoding/json" - - "github.com/kuadrant/authorino/api/v1beta1" - "github.com/kuadrant/authorino/pkg/utils" - - "github.com/tidwall/gjson" - k8sruntime "k8s.io/apimachinery/pkg/runtime" - ctrl "sigs.k8s.io/controller-runtime" - "sigs.k8s.io/controller-runtime/pkg/conversion" -) - -func (src *AuthConfig) ConvertTo(dstRaw conversion.Hub) error { - dst := dstRaw.(*v1beta1.AuthConfig) - - logger := ctrl.Log.WithName("webhook").WithName("authconfig").WithName("converto").WithValues("src", src) - logger.V(1).Info("starting converting resource") - - // metadata - dst.ObjectMeta = src.ObjectMeta - - // hosts - dst.Spec.Hosts = src.Spec.Hosts - - // named patterns - if src.Spec.NamedPatterns != nil { - dst.Spec.Patterns = make(map[string]v1beta1.JSONPatternExpressions, len(src.Spec.NamedPatterns)) - for name, patterns := range src.Spec.NamedPatterns { - dst.Spec.Patterns[name] = utils.Map(patterns, convertPatternExpressionTo) - } - } - - // conditions - dst.Spec.Conditions = utils.Map(src.Spec.Conditions, convertPatternExpressionOrRefTo) - - // identity - for name, authentication := range src.Spec.Authentication { - identity := convertAuthenticationTo(name, authentication) - dst.Spec.Identity = append(dst.Spec.Identity, identity) - } - - // metadata - for name, metadataSrc := range src.Spec.Metadata { - metadata := convertMetadataTo(name, metadataSrc) - dst.Spec.Metadata = append(dst.Spec.Metadata, metadata) - } - - // authorization - for name, authorizationSrc := range src.Spec.Authorization { - authorization := convertAuthorizationTo(name, authorizationSrc) - dst.Spec.Authorization = append(dst.Spec.Authorization, authorization) - } - - // response - if src.Spec.Response != nil { - for name, responseSrc := range src.Spec.Response.Success.Headers { - response := convertSuccessResponseTo(name, responseSrc.SuccessResponseSpec, "httpHeader") - 
dst.Spec.Response = append(dst.Spec.Response, response) - } - - for name, responseSrc := range src.Spec.Response.Success.DynamicMetadata { - response := convertSuccessResponseTo(name, responseSrc, "envoyDynamicMetadata") - dst.Spec.Response = append(dst.Spec.Response, response) - } - - // denyWith - if src.Spec.Response.Unauthenticated != nil || src.Spec.Response.Unauthorized != nil { - dst.Spec.DenyWith = &v1beta1.DenyWith{} - } - - if denyWithSrc := src.Spec.Response.Unauthenticated; denyWithSrc != nil { - dst.Spec.DenyWith.Unauthenticated = convertDenyWithSpecTo(denyWithSrc) - } - - if denyWithSrc := src.Spec.Response.Unauthorized; denyWithSrc != nil { - dst.Spec.DenyWith.Unauthorized = convertDenyWithSpecTo(denyWithSrc) - } - } - - // callbacks - for name, callbackSrc := range src.Spec.Callbacks { - callback := convertCallbackTo(name, callbackSrc) - dst.Spec.Callbacks = append(dst.Spec.Callbacks, callback) - } - - // status - dst.Status = convertStatusTo(src.Status) - - logger.V(1).Info("finished converting resource", "dst", dst) - - return nil -} - -func (dst *AuthConfig) ConvertFrom(srcRaw conversion.Hub) error { - src := srcRaw.(*v1beta1.AuthConfig) - - logger := ctrl.Log.WithName("webhook").WithName("authconfig").WithName("converfrom").WithValues("src", src) - logger.V(1).Info("starting converting resource") - - // metadata - dst.ObjectMeta = src.ObjectMeta - - // hosts - dst.Spec.Hosts = src.Spec.Hosts - - // named patterns - if src.Spec.Patterns != nil { - dst.Spec.NamedPatterns = make(map[string]PatternExpressions, len(src.Spec.Patterns)) - for name, patterns := range src.Spec.Patterns { - dst.Spec.NamedPatterns[name] = utils.Map(patterns, convertPatternExpressionFrom) - } - } - - // conditions - dst.Spec.Conditions = utils.Map(src.Spec.Conditions, convertPatternExpressionOrRefFrom) - - // authentication - if src.Spec.Identity != nil { - dst.Spec.Authentication = make(map[string]AuthenticationSpec, len(src.Spec.Identity)) - for _, identity := range 
src.Spec.Identity { - name, authentication := convertAuthenticationFrom(identity) - dst.Spec.Authentication[name] = authentication - } - } - - // metadata - if src.Spec.Metadata != nil { - dst.Spec.Metadata = make(map[string]MetadataSpec, len(src.Spec.Metadata)) - for _, metadataSrc := range src.Spec.Metadata { - name, metadata := convertMetadataFrom(metadataSrc) - dst.Spec.Metadata[name] = metadata - } - } - - // authorization - if src.Spec.Authorization != nil { - dst.Spec.Authorization = make(map[string]AuthorizationSpec, len(src.Spec.Authorization)) - for _, authorizationSrc := range src.Spec.Authorization { - name, authorization := convertAuthorizationFrom(authorizationSrc) - dst.Spec.Authorization[name] = authorization - } - } - - // response - denyWith := src.Spec.DenyWith - - if denyWith != nil || len(src.Spec.Response) > 0 { - dst.Spec.Response = &ResponseSpec{} - } - - if denyWith != nil && denyWith.Unauthenticated != nil { - dst.Spec.Response.Unauthenticated = convertDenyWithSpecFrom(denyWith.Unauthenticated) - } - - if denyWith != nil && denyWith.Unauthorized != nil { - dst.Spec.Response.Unauthorized = convertDenyWithSpecFrom(denyWith.Unauthorized) - } - - for _, responseSrc := range src.Spec.Response { - if responseSrc.Wrapper != "httpHeader" && responseSrc.Wrapper != "" { - continue - } - if dst.Spec.Response.Success.Headers == nil { - dst.Spec.Response.Success.Headers = make(map[string]HeaderSuccessResponseSpec) - } - name, response := convertSuccessResponseFrom(responseSrc) - dst.Spec.Response.Success.Headers[name] = HeaderSuccessResponseSpec{ - SuccessResponseSpec: response, - } - } - - for _, responseSrc := range src.Spec.Response { - if responseSrc.Wrapper != "envoyDynamicMetadata" { - continue - } - if dst.Spec.Response.Success.DynamicMetadata == nil { - dst.Spec.Response.Success.DynamicMetadata = make(map[string]SuccessResponseSpec) - } - name, response := convertSuccessResponseFrom(responseSrc) - dst.Spec.Response.Success.DynamicMetadata[name] 
= response - } - - // callbacks - if src.Spec.Callbacks != nil { - dst.Spec.Callbacks = make(map[string]CallbackSpec, len(src.Spec.Callbacks)) - for _, callbackSrc := range src.Spec.Callbacks { - name, callback := convertCallbackFrom(callbackSrc) - dst.Spec.Callbacks[name] = callback - } - } - - // status - dst.Status = convertStatusFrom(src.Status) - - logger.V(1).Info("finished converting resource", "dst", dst) - - return nil -} - -func convertPatternExpressionTo(src PatternExpression) v1beta1.JSONPatternExpression { - return v1beta1.JSONPatternExpression{ - Selector: src.Selector, - Operator: v1beta1.JSONPatternOperator(src.Operator), - Value: src.Value, - } -} - -func convertPatternExpressionFrom(src v1beta1.JSONPatternExpression) PatternExpression { - return PatternExpression{ - Selector: src.Selector, - Operator: PatternExpressionOperator(src.Operator), - Value: src.Value, - } -} - -func convertPatternExpressionOrRefTo(src PatternExpressionOrRef) v1beta1.JSONPattern { - pattern := v1beta1.JSONPattern{ - JSONPatternExpression: convertPatternExpressionTo(src.PatternExpression), - JSONPatternRef: v1beta1.JSONPatternRef{ - JSONPatternName: src.PatternRef.Name, - }, - } - if len(src.All) > 0 { - pattern.All = make([]v1beta1.UnstructuredJSONPattern, len(src.All)) - for i, p := range src.All { - pattern.All[i] = v1beta1.UnstructuredJSONPattern{JSONPattern: convertPatternExpressionOrRefTo(p.PatternExpressionOrRef)} - } - } - if len(src.Any) > 0 { - pattern.Any = make([]v1beta1.UnstructuredJSONPattern, len(src.Any)) - for i, p := range src.Any { - pattern.Any[i] = v1beta1.UnstructuredJSONPattern{JSONPattern: convertPatternExpressionOrRefTo(p.PatternExpressionOrRef)} - } - } - return pattern -} - -func convertPatternExpressionOrRefFrom(src v1beta1.JSONPattern) PatternExpressionOrRef { - pattern := PatternExpressionOrRef{ - PatternExpression: convertPatternExpressionFrom(src.JSONPatternExpression), - PatternRef: PatternRef{ - Name: src.JSONPatternRef.JSONPatternName, - 
}, - } - if len(src.All) > 0 { - pattern.All = make([]UnstructuredPatternExpressionOrRef, len(src.All)) - for i, p := range src.All { - pattern.All[i] = UnstructuredPatternExpressionOrRef{convertPatternExpressionOrRefFrom(p.JSONPattern)} - } - } - if len(src.Any) > 0 { - pattern.Any = make([]UnstructuredPatternExpressionOrRef, len(src.Any)) - for i, p := range src.Any { - pattern.Any[i] = UnstructuredPatternExpressionOrRef{convertPatternExpressionOrRefFrom(p.JSONPattern)} - } - } - return pattern -} - -func convertEvaluatorCachingTo(src *EvaluatorCaching) *v1beta1.EvaluatorCaching { - if src == nil { - return nil - } - return &v1beta1.EvaluatorCaching{ - Key: convertValueOrSelectorTo(src.Key), - TTL: src.TTL, - } -} - -func convertEvaluatorCachingFrom(src *v1beta1.EvaluatorCaching) *EvaluatorCaching { - if src == nil { - return nil - } - return &EvaluatorCaching{ - Key: convertValueOrSelectorFrom(src.Key), - TTL: src.TTL, - } -} - -func convertValueOrSelectorTo(src ValueOrSelector) v1beta1.StaticOrDynamicValue { - return v1beta1.StaticOrDynamicValue{ - Value: gjson.ParseBytes(src.Value.Raw).String(), - ValueFrom: convertSelectorTo(src), - } -} - -func convertValueOrSelectorFrom(src v1beta1.StaticOrDynamicValue) ValueOrSelector { - value := k8sruntime.RawExtension{} - if src.ValueFrom.AuthJSON == "" { - jsonString, err := json.Marshal(src.Value) - if err == nil { - value.Raw = jsonString - } - } - return ValueOrSelector{ - Value: value, - Selector: src.ValueFrom.AuthJSON, - } -} - -func convertPtrValueOrSelectorTo(src *ValueOrSelector) *v1beta1.StaticOrDynamicValue { - if src == nil { - return nil - } - v := convertValueOrSelectorTo(*src) - return &v -} - -func convertPtrValueOrSelectorFrom(src *v1beta1.StaticOrDynamicValue) *ValueOrSelector { - if src == nil { - return nil - } - v := convertValueOrSelectorFrom(*src) - return &v -} - -func convertNamedValuesOrSelectorsTo(src NamedValuesOrSelectors) []v1beta1.JsonProperty { - if src == nil { - return nil - } - 
jsonProperties := make([]v1beta1.JsonProperty, 0, len(src)) - for name, valueOrSelector := range src { - jsonProperties = append(jsonProperties, v1beta1.JsonProperty{ - Name: name, - Value: valueOrSelector.Value, - ValueFrom: convertSelectorTo(valueOrSelector), - }) - } - return jsonProperties -} - -func convertNamedValuesOrSelectorsFrom(src []v1beta1.JsonProperty) NamedValuesOrSelectors { - if src == nil { - return nil - } - namedValuesOrSelectors := NamedValuesOrSelectors{} - for _, jsonProperty := range src { - value := k8sruntime.RawExtension{} - if jsonProperty.ValueFrom.AuthJSON == "" { - value.Raw = jsonProperty.Value.Raw - } - namedValuesOrSelectors[jsonProperty.Name] = ValueOrSelector{ - Value: value, - Selector: jsonProperty.ValueFrom.AuthJSON, - } - } - return namedValuesOrSelectors -} - -func convertSelectorTo(src ValueOrSelector) v1beta1.ValueFrom { - return v1beta1.ValueFrom{ - AuthJSON: src.Selector, - } -} - -func convertCredentialsTo(src Credentials) v1beta1.Credentials { - var in, key string - switch src.GetType() { - case AuthorizationHeaderCredentials: - in = "authorization_header" - key = src.AuthorizationHeader.Prefix - case CustomHeaderCredentials: - in = "custom_header" - key = src.CustomHeader.Name - case QueryStringCredentials: - in = "query" - key = src.QueryString.Name - case CookieCredentials: - in = "cookie" - key = src.Cookie.Name - } - return v1beta1.Credentials{ - In: v1beta1.Credentials_In(in), - KeySelector: key, - } -} - -func convertCredentialsFrom(src v1beta1.Credentials) Credentials { - credentials := Credentials{} - switch src.In { - case "authorization_header": - credentials.AuthorizationHeader = &Prefixed{ - Prefix: src.KeySelector, - } - case "custom_header": - credentials.CustomHeader = &CustomHeader{ - Named: Named{Name: src.KeySelector}, - } - case "query": - credentials.QueryString = &Named{ - Name: src.KeySelector, - } - case "cookie": - credentials.Cookie = &Named{ - Name: src.KeySelector, - } - } - return 
credentials -} - -func convertAuthenticationTo(name string, src AuthenticationSpec) *v1beta1.Identity { - extendedProperties := utils.Map(convertNamedValuesOrSelectorsTo(NamedValuesOrSelectors(src.Overrides)), func(jsonProperty v1beta1.JsonProperty) v1beta1.ExtendedProperty { - return v1beta1.ExtendedProperty{ - JsonProperty: jsonProperty, - Overwrite: true, - } - }) - extendedProperties = append(extendedProperties, utils.Map(convertNamedValuesOrSelectorsTo(NamedValuesOrSelectors(src.Defaults)), func(jsonProperty v1beta1.JsonProperty) v1beta1.ExtendedProperty { - return v1beta1.ExtendedProperty{ - JsonProperty: jsonProperty, - Overwrite: false, - } - })...) - - identity := &v1beta1.Identity{ - Name: name, - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), - Cache: convertEvaluatorCachingTo(src.Cache), - Credentials: convertCredentialsTo(src.Credentials), - ExtendedProperties: extendedProperties, - } - - switch src.GetMethod() { - case ApiKeyAuthentication: - selector := *src.ApiKey.Selector - identity.APIKey = &v1beta1.Identity_APIKey{ - Selector: &selector, - AllNamespaces: src.ApiKey.AllNamespaces, - } - case JwtAuthentication: - identity.Oidc = &v1beta1.Identity_OidcConfig{ - Endpoint: src.Jwt.IssuerUrl, - TTL: src.Jwt.TTL, - } - case OAuth2TokenIntrospectionAuthentication: - credentials := *src.OAuth2TokenIntrospection.Credentials - identity.OAuth2 = &v1beta1.Identity_OAuth2Config{ - TokenIntrospectionUrl: src.OAuth2TokenIntrospection.Url, - TokenTypeHint: src.OAuth2TokenIntrospection.TokenTypeHint, - Credentials: &credentials, - } - case KubernetesTokenReviewAuthentication: - identity.KubernetesAuth = &v1beta1.Identity_KubernetesAuth{ - Audiences: src.KubernetesTokenReview.Audiences, - } - case X509ClientCertificateAuthentication: - selector := *src.X509ClientCertificate.Selector - identity.MTLS = &v1beta1.Identity_MTLS{ - Selector: &selector, - AllNamespaces: 
src.X509ClientCertificate.AllNamespaces, - } - case PlainIdentityAuthentication: - selector := v1beta1.Identity_Plain(v1beta1.ValueFrom{ - AuthJSON: src.Plain.Selector, - }) - identity.Plain = &selector - case AnonymousAccessAuthentication: - identity.Anonymous = &v1beta1.Identity_Anonymous{} - } - - return identity -} - -func convertAuthenticationFrom(src *v1beta1.Identity) (string, AuthenticationSpec) { - authentication := AuthenticationSpec{ - CommonEvaluatorSpec: CommonEvaluatorSpec{ - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), - Cache: convertEvaluatorCachingFrom(src.Cache), - }, - Credentials: convertCredentialsFrom(src.Credentials), - } - - var overrides []v1beta1.JsonProperty - for _, extendedProperty := range src.ExtendedProperties { - if !extendedProperty.Overwrite { - continue - } - overrides = append(overrides, extendedProperty.JsonProperty) - } - if len(overrides) > 0 { - authentication.Overrides = ExtendedProperties(convertNamedValuesOrSelectorsFrom(overrides)) - } - - var defaults []v1beta1.JsonProperty - for _, extendedProperty := range src.ExtendedProperties { - if extendedProperty.Overwrite { - continue - } - defaults = append(defaults, extendedProperty.JsonProperty) - } - if len(defaults) > 0 { - authentication.Defaults = ExtendedProperties(convertNamedValuesOrSelectorsFrom(defaults)) - } - - switch src.GetType() { - case v1beta1.IdentityApiKey: - selector := *src.APIKey.Selector - authentication.ApiKey = &ApiKeyAuthenticationSpec{ - Selector: &selector, - AllNamespaces: src.APIKey.AllNamespaces, - } - case v1beta1.IdentityOidc: - authentication.Jwt = &JwtAuthenticationSpec{ - IssuerUrl: src.Oidc.Endpoint, - TTL: src.Oidc.TTL, - } - case v1beta1.IdentityOAuth2: - credentials := *src.OAuth2.Credentials - authentication.OAuth2TokenIntrospection = &OAuth2TokenIntrospectionSpec{ - Url: src.OAuth2.TokenIntrospectionUrl, - TokenTypeHint: src.OAuth2.TokenTypeHint, - 
Credentials: &credentials, - } - case v1beta1.IdentityKubernetesAuth: - authentication.KubernetesTokenReview = &KubernetesTokenReviewSpec{ - Audiences: src.KubernetesAuth.Audiences, - } - case v1beta1.IdentityMTLS: - selector := *src.MTLS.Selector - authentication.X509ClientCertificate = &X509ClientCertificateAuthenticationSpec{ - Selector: &selector, - AllNamespaces: src.MTLS.AllNamespaces, - } - case v1beta1.IdentityPlain: - authentication.Plain = &PlainIdentitySpec{ - Selector: src.Plain.AuthJSON, - } - case v1beta1.IdentityAnonymous: - authentication.AnonymousAccess = &AnonymousAccessSpec{} - } - - return src.Name, authentication -} - -func convertMetadataTo(name string, src MetadataSpec) *v1beta1.Metadata { - metadata := &v1beta1.Metadata{ - Name: name, - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), - Cache: convertEvaluatorCachingTo(src.Cache), - } - - switch src.GetMethod() { - case HttpMetadata: - metadata.GenericHTTP = convertHttpEndpointSpecTo(src.Http) - case UserInfoMetadata: - metadata.UserInfo = &v1beta1.Metadata_UserInfo{ - IdentitySource: src.UserInfo.IdentitySource, - } - case UmaResourceMetadata: - credentials := *src.Uma.Credentials - metadata.UMA = &v1beta1.Metadata_UMA{ - Endpoint: src.Uma.Endpoint, - Credentials: &credentials, - } - } - - return metadata -} - -func convertMetadataFrom(src *v1beta1.Metadata) (string, MetadataSpec) { - metadata := MetadataSpec{ - CommonEvaluatorSpec: CommonEvaluatorSpec{ - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), - Cache: convertEvaluatorCachingFrom(src.Cache), - }, - } - - switch src.GetType() { - case v1beta1.MetadataGenericHTTP: - metadata.Http = convertHttpEndpointSpecFrom(src.GenericHTTP) - case v1beta1.MetadataUserinfo: - metadata.UserInfo = &UserInfoMetadataSpec{ - IdentitySource: src.UserInfo.IdentitySource, - } - case v1beta1.MetadataUma: - 
credentials := *src.UMA.Credentials - metadata.Uma = &UmaMetadataSpec{ - Endpoint: src.UMA.Endpoint, - Credentials: &credentials, - } - } - - return src.Name, metadata -} - -func convertHttpEndpointSpecTo(src *HttpEndpointSpec) *v1beta1.Metadata_GenericHTTP { - if src == nil { - return nil - } - return &v1beta1.Metadata_GenericHTTP{ - Endpoint: src.Url, - Method: convertMethodTo(src.Method), - Body: convertPtrValueOrSelectorTo(src.Body), - Parameters: convertNamedValuesOrSelectorsTo(src.Parameters), - ContentType: convertContentTypeTo(src.ContentType), - Headers: convertNamedValuesOrSelectorsTo(src.Headers), - SharedSecret: convertSecretKeyReferenceTo(src.SharedSecret), - OAuth2: convertOAuth2ClientAuthenticationTo(src.OAuth2), - Credentials: convertCredentialsTo(src.Credentials), - } -} - -func convertHttpEndpointSpecFrom(src *v1beta1.Metadata_GenericHTTP) *HttpEndpointSpec { - if src == nil { - return nil - } - return &HttpEndpointSpec{ - Url: src.Endpoint, - Method: convertMethodFrom(src.Method), - Body: convertPtrValueOrSelectorFrom(src.Body), - Parameters: convertNamedValuesOrSelectorsFrom(src.Parameters), - ContentType: convertContentTypeFrom(src.ContentType), - Headers: convertNamedValuesOrSelectorsFrom(src.Headers), - SharedSecret: convertSecretKeyReferenceFrom(src.SharedSecret), - OAuth2: convertOAuth2ClientAuthenticationFrom(src.OAuth2), - Credentials: convertCredentialsFrom(src.Credentials), - } -} - -func convertMethodTo(src *HttpMethod) *v1beta1.GenericHTTP_Method { - if src == nil { - return nil - } - method := v1beta1.GenericHTTP_Method(*src) - return &method -} - -func convertMethodFrom(src *v1beta1.GenericHTTP_Method) *HttpMethod { - if src == nil { - return nil - } - method := HttpMethod(*src) - return &method -} - -func convertContentTypeTo(src HttpContentType) v1beta1.Metadata_GenericHTTP_ContentType { - return v1beta1.Metadata_GenericHTTP_ContentType(src) -} - -func convertContentTypeFrom(src v1beta1.Metadata_GenericHTTP_ContentType) 
HttpContentType { - return HttpContentType(src) -} - -func convertOAuth2ClientAuthenticationTo(src *OAuth2ClientAuthentication) *v1beta1.OAuth2ClientAuthentication { - if src == nil { - return nil - } - o := &v1beta1.OAuth2ClientAuthentication{ - TokenUrl: src.TokenUrl, - ClientId: src.ClientId, - ClientSecret: *convertSecretKeyReferenceTo(&src.ClientSecret), - Scopes: src.Scopes, - ExtraParams: src.ExtraParams, - } - if src.Cache != nil { - cache := *src.Cache - o.Cache = &cache - } - return o -} - -func convertOAuth2ClientAuthenticationFrom(src *v1beta1.OAuth2ClientAuthentication) *OAuth2ClientAuthentication { - if src == nil { - return nil - } - o := &OAuth2ClientAuthentication{ - TokenUrl: src.TokenUrl, - ClientId: src.ClientId, - ClientSecret: *convertSecretKeyReferenceFrom(&src.ClientSecret), - Scopes: src.Scopes, - ExtraParams: src.ExtraParams, - } - if src.Cache != nil { - cache := *src.Cache - o.Cache = &cache - } - return o -} - -func convertSecretKeyReferenceTo(src *SecretKeyReference) *v1beta1.SecretKeyReference { - if src == nil { - return nil - } - return &v1beta1.SecretKeyReference{ - Name: src.Name, - Key: src.Key, - } -} - -func convertSecretKeyReferenceFrom(src *v1beta1.SecretKeyReference) *SecretKeyReference { - if src == nil { - return nil - } - return &SecretKeyReference{ - Name: src.Name, - Key: src.Key, - } -} - -func convertAuthorizationTo(name string, src AuthorizationSpec) *v1beta1.Authorization { - authorization := &v1beta1.Authorization{ - Name: name, - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), - Cache: convertEvaluatorCachingTo(src.Cache), - } - - switch src.GetMethod() { - case PatternMatchingAuthorization: - authorization.JSON = &v1beta1.Authorization_JSONPatternMatching{ - Rules: utils.Map(src.PatternMatching.Patterns, convertPatternExpressionOrRefTo), - } - case OpaAuthorization: - authorization.OPA = &v1beta1.Authorization_OPA{ - InlineRego: 
src.Opa.Rego, - ExternalRegistry: convertOpaExternalRegistryTo(src.Opa.External), - AllValues: src.Opa.AllValues, - } - case KubernetesSubjectAccessReviewAuthorization: - authorization.KubernetesAuthz = &v1beta1.Authorization_KubernetesAuthz{ - Groups: src.KubernetesSubjectAccessReview.Groups, - ResourceAttributes: convertKubernetesSubjectAccessReviewResourceAttributesTo(src.KubernetesSubjectAccessReview.ResourceAttributes), - } - if src.KubernetesSubjectAccessReview.User != nil { - authorization.KubernetesAuthz.User = convertValueOrSelectorTo(*src.KubernetesSubjectAccessReview.User) - } - case SpiceDBAuthorization: - authorization.Authzed = &v1beta1.Authorization_Authzed{ - Endpoint: src.SpiceDB.Endpoint, - Insecure: src.SpiceDB.Insecure, - SharedSecret: convertSecretKeyReferenceTo(src.SpiceDB.SharedSecret), - Subject: spiceDBObjectTo(src.SpiceDB.Subject), - Resource: spiceDBObjectTo(src.SpiceDB.Resource), - Permission: convertValueOrSelectorTo(src.SpiceDB.Permission), - } - } - - return authorization -} - -func convertAuthorizationFrom(src *v1beta1.Authorization) (string, AuthorizationSpec) { - authorization := AuthorizationSpec{ - CommonEvaluatorSpec: CommonEvaluatorSpec{ - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), - Cache: convertEvaluatorCachingFrom(src.Cache), - }, - } - - switch src.GetType() { - case v1beta1.AuthorizationJSONPatternMatching: - authorization.PatternMatching = &PatternMatchingAuthorizationSpec{ - Patterns: utils.Map(src.JSON.Rules, convertPatternExpressionOrRefFrom), - } - case v1beta1.AuthorizationOPA: - authorization.Opa = &OpaAuthorizationSpec{ - Rego: src.OPA.InlineRego, - External: convertOpaExternalRegistryFrom(src.OPA.ExternalRegistry), - AllValues: src.OPA.AllValues, - } - case v1beta1.AuthorizationKubernetesAuthz: - authorization.KubernetesSubjectAccessReview = &KubernetesSubjectAccessReviewAuthorizationSpec{ - User: 
convertPtrValueOrSelectorFrom(&src.KubernetesAuthz.User), - Groups: src.KubernetesAuthz.Groups, - ResourceAttributes: convertKubernetesSubjectAccessReviewResourceAttributesFrom(src.KubernetesAuthz.ResourceAttributes), - } - case v1beta1.AuthorizationAuthzed: - authorization.SpiceDB = &SpiceDBAuthorizationSpec{ - Endpoint: src.Authzed.Endpoint, - Insecure: src.Authzed.Insecure, - SharedSecret: convertSecretKeyReferenceFrom(src.Authzed.SharedSecret), - Subject: spiceDBObjectFrom(src.Authzed.Subject), - Resource: spiceDBObjectFrom(src.Authzed.Resource), - Permission: convertValueOrSelectorFrom(src.Authzed.Permission), - } - } - - return src.Name, authorization -} - -func convertOpaExternalRegistryTo(src *ExternalOpaPolicy) v1beta1.ExternalRegistry { - if src == nil { - return v1beta1.ExternalRegistry{} - } - return v1beta1.ExternalRegistry{ - Endpoint: src.Url, - SharedSecret: convertSecretKeyReferenceTo(src.SharedSecret), - Credentials: convertCredentialsTo(src.Credentials), - TTL: src.TTL, - } -} - -func convertOpaExternalRegistryFrom(src v1beta1.ExternalRegistry) *ExternalOpaPolicy { - if src.Endpoint == "" { - return nil - } - return &ExternalOpaPolicy{ - HttpEndpointSpec: &HttpEndpointSpec{ - Url: src.Endpoint, - SharedSecret: convertSecretKeyReferenceFrom(src.SharedSecret), - Credentials: convertCredentialsFrom(src.Credentials), - }, - TTL: src.TTL, - } -} - -func convertKubernetesSubjectAccessReviewResourceAttributesTo(src *KubernetesSubjectAccessReviewResourceAttributesSpec) *v1beta1.Authorization_KubernetesAuthz_ResourceAttributes { - if src == nil { - return nil - } - return &v1beta1.Authorization_KubernetesAuthz_ResourceAttributes{ - Namespace: convertValueOrSelectorTo(src.Namespace), - Group: convertValueOrSelectorTo(src.Group), - Resource: convertValueOrSelectorTo(src.Resource), - Name: convertValueOrSelectorTo(src.Name), - SubResource: convertValueOrSelectorTo(src.SubResource), - Verb: convertValueOrSelectorTo(src.Verb), - } -} - -func 
convertKubernetesSubjectAccessReviewResourceAttributesFrom(src *v1beta1.Authorization_KubernetesAuthz_ResourceAttributes) *KubernetesSubjectAccessReviewResourceAttributesSpec { - if src == nil { - return nil - } - return &KubernetesSubjectAccessReviewResourceAttributesSpec{ - Namespace: convertValueOrSelectorFrom(src.Namespace), - Group: convertValueOrSelectorFrom(src.Group), - Resource: convertValueOrSelectorFrom(src.Resource), - Name: convertValueOrSelectorFrom(src.Name), - SubResource: convertValueOrSelectorFrom(src.SubResource), - Verb: convertValueOrSelectorFrom(src.Verb), - } -} - -func spiceDBObjectTo(src *SpiceDBObject) *v1beta1.AuthzedObject { - if src == nil { - return nil - } - return &v1beta1.AuthzedObject{ - Kind: convertValueOrSelectorTo(src.Kind), - Name: convertValueOrSelectorTo(src.Name), - } -} - -func spiceDBObjectFrom(src *v1beta1.AuthzedObject) *SpiceDBObject { - if src == nil { - return nil - } - return &SpiceDBObject{ - Kind: convertValueOrSelectorFrom(src.Kind), - Name: convertValueOrSelectorFrom(src.Name), - } -} - -func convertSuccessResponseTo(name string, src SuccessResponseSpec, wrapper string) *v1beta1.Response { - response := &v1beta1.Response{ - Name: name, - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), - Cache: convertEvaluatorCachingTo(src.Cache), - Wrapper: v1beta1.Response_Wrapper(wrapper), - WrapperKey: src.Key, - } - - switch src.GetMethod() { - case PlainAuthResponse: - selector := v1beta1.Response_Plain(convertValueOrSelectorTo(ValueOrSelector(*src.Plain))) - response.Plain = &selector - case JsonAuthResponse: - response.JSON = &v1beta1.Response_DynamicJSON{ - Properties: convertNamedValuesOrSelectorsTo(src.Json.Properties), - } - case WristbandAuthResponse: - response.Wristband = &v1beta1.Response_Wristband{ - Issuer: src.Wristband.Issuer, - CustomClaims: convertNamedValuesOrSelectorsTo(src.Wristband.CustomClaims), - } - if 
src.Wristband.TokenDuration != nil { - duration := *src.Wristband.TokenDuration - response.Wristband.TokenDuration = &duration - } - for _, keySrc := range src.Wristband.SigningKeyRefs { - if keySrc == nil { - continue - } - key := v1beta1.SigningKeyRef{ - Name: keySrc.Name, - Algorithm: v1beta1.SigningKeyAlgorithm(keySrc.Algorithm), - } - response.Wristband.SigningKeyRefs = append(response.Wristband.SigningKeyRefs, &key) - } - } - - return response -} - -func convertSuccessResponseFrom(src *v1beta1.Response) (string, SuccessResponseSpec) { - response := SuccessResponseSpec{ - CommonEvaluatorSpec: CommonEvaluatorSpec{ - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), - Cache: convertEvaluatorCachingFrom(src.Cache), - }, - Key: src.WrapperKey, - } - - switch src.GetType() { - case v1beta1.ResponsePlain: - selector := PlainAuthResponseSpec(convertValueOrSelectorFrom(v1beta1.StaticOrDynamicValue(*src.Plain))) - response.Plain = &selector - case v1beta1.ResponseDynamicJSON: - response.Json = &JsonAuthResponseSpec{ - Properties: convertNamedValuesOrSelectorsFrom(src.JSON.Properties), - } - case v1beta1.ResponseWristband: - response.Wristband = &WristbandAuthResponseSpec{ - Issuer: src.Wristband.Issuer, - CustomClaims: convertNamedValuesOrSelectorsFrom(src.Wristband.CustomClaims), - } - if src.Wristband.TokenDuration != nil { - duration := *src.Wristband.TokenDuration - response.Wristband.TokenDuration = &duration - } - for _, keySrc := range src.Wristband.SigningKeyRefs { - if keySrc == nil { - continue - } - key := &WristbandSigningKeyRef{ - Name: keySrc.Name, - Algorithm: WristbandSigningKeyAlgorithm(keySrc.Algorithm), - } - response.Wristband.SigningKeyRefs = append(response.Wristband.SigningKeyRefs, key) - } - } - - return src.Name, response -} - -func convertDenyWithSpecTo(src *DenyWithSpec) *v1beta1.DenyWithSpec { - if src == nil { - return nil - } - return &v1beta1.DenyWithSpec{ - Code: 
v1beta1.DenyWith_Code(src.Code), - Headers: convertNamedValuesOrSelectorsTo(src.Headers), - Message: convertPtrValueOrSelectorTo(src.Message), - Body: convertPtrValueOrSelectorTo(src.Body), - } -} - -func convertDenyWithSpecFrom(src *v1beta1.DenyWithSpec) *DenyWithSpec { - if src == nil { - return nil - } - return &DenyWithSpec{ - Code: DenyWithCode(src.Code), - Headers: convertNamedValuesOrSelectorsFrom(src.Headers), - Message: convertPtrValueOrSelectorFrom(src.Message), - Body: convertPtrValueOrSelectorFrom(src.Body), - } -} - -func convertCallbackTo(name string, src CallbackSpec) *v1beta1.Callback { - callback := &v1beta1.Callback{ - Name: name, - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), - } - - switch src.GetMethod() { - case HttpCallback: - callback.HTTP = convertHttpEndpointSpecTo(src.Http) - } - - return callback -} - -func convertCallbackFrom(src *v1beta1.Callback) (string, CallbackSpec) { - callback := CallbackSpec{ - CommonEvaluatorSpec: CommonEvaluatorSpec{ - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), - }, - } - - switch src.GetType() { - case v1beta1.CallbackHTTP: - callback.Http = convertHttpEndpointSpecFrom(src.HTTP) - } - - return src.Name, callback -} - -func convertStatusTo(src AuthConfigStatus) v1beta1.AuthConfigStatus { - return v1beta1.AuthConfigStatus{ - Conditions: utils.Map(src.Conditions, func(conditionSrc AuthConfigStatusCondition) v1beta1.Condition { - condition := v1beta1.Condition{ - Type: v1beta1.ConditionType(conditionSrc.Type), - Status: conditionSrc.Status, - LastTransitionTime: conditionSrc.LastTransitionTime, - Reason: conditionSrc.Reason, - Message: conditionSrc.Message, - } - if conditionSrc.LastUpdatedTime != nil { - time := *conditionSrc.LastUpdatedTime - condition.LastUpdatedTime = &time - } - return condition - }), - Summary: convertStatusSummaryTo(src.Summary), - } 
-} - -func convertStatusFrom(src v1beta1.AuthConfigStatus) AuthConfigStatus { - return AuthConfigStatus{ - Conditions: utils.Map(src.Conditions, func(conditionSrc v1beta1.Condition) AuthConfigStatusCondition { - condition := AuthConfigStatusCondition{ - Type: StatusConditionType(conditionSrc.Type), - Status: conditionSrc.Status, - LastTransitionTime: conditionSrc.LastTransitionTime, - Reason: conditionSrc.Reason, - Message: conditionSrc.Message, - } - if conditionSrc.LastUpdatedTime != nil { - time := *conditionSrc.LastUpdatedTime - condition.LastUpdatedTime = &time - } - return condition - }), - Summary: convertStatusSummaryFrom(src.Summary), - } -} - -func convertStatusSummaryTo(src AuthConfigStatusSummary) v1beta1.Summary { - hostsReady := make([]string, len(src.HostsReady)) - copy(hostsReady, src.HostsReady) - - return v1beta1.Summary{ - Ready: src.Ready, - HostsReady: hostsReady, - NumHostsReady: src.NumHostsReady, - NumIdentitySources: src.NumIdentitySources, - NumMetadataSources: src.NumMetadataSources, - NumAuthorizationPolicies: src.NumAuthorizationPolicies, - NumResponseItems: src.NumResponseItems, - FestivalWristbandEnabled: src.FestivalWristbandEnabled, - } -} - -func convertStatusSummaryFrom(src v1beta1.Summary) AuthConfigStatusSummary { - hostsReady := make([]string, len(src.HostsReady)) - copy(hostsReady, src.HostsReady) - - return AuthConfigStatusSummary{ - Ready: src.Ready, - HostsReady: hostsReady, - NumHostsReady: src.NumHostsReady, - NumIdentitySources: src.NumIdentitySources, - NumMetadataSources: src.NumMetadataSources, - NumAuthorizationPolicies: src.NumAuthorizationPolicies, - NumResponseItems: src.NumResponseItems, - FestivalWristbandEnabled: src.FestivalWristbandEnabled, - } -} - -*/ From 187bf1dee2739d28a0fbf140b4d0723bbfcf2b6e Mon Sep 17 00:00:00 2001 From: Alex Snaps Date: Mon, 26 Aug 2024 10:59:04 -0400 Subject: [PATCH 3/6] Updated test 
Signed-off-by: Alex Snaps --- api/v1beta1/auth_config_conversion.go | 1 + .../auth_config_conversion_test.go | 36 +- .../authorino.kuadrant.io_authconfigs.yaml | 2780 +++++++++------- install/manifests.yaml | 2926 ++++++++++------- install/rbac/role.yaml | 147 + 5 files changed, 3523 insertions(+), 2367 deletions(-) rename api/{v1beta2 => v1beta1}/auth_config_conversion_test.go (99%) diff --git a/api/v1beta1/auth_config_conversion.go b/api/v1beta1/auth_config_conversion.go index 78a2e5dd..f60ec485 100644 --- a/api/v1beta1/auth_config_conversion.go +++ b/api/v1beta1/auth_config_conversion.go @@ -2,6 +2,7 @@ package v1beta1 import ( "encoding/json" + "github.com/kuadrant/authorino/api/v1beta2" "github.com/kuadrant/authorino/pkg/utils" "github.com/tidwall/gjson" diff --git a/api/v1beta2/auth_config_conversion_test.go b/api/v1beta1/auth_config_conversion_test.go similarity index 99% rename from api/v1beta2/auth_config_conversion_test.go rename to api/v1beta1/auth_config_conversion_test.go index 3bed4d10..f9c860a6 100644 --- a/api/v1beta2/auth_config_conversion_test.go +++ b/api/v1beta1/auth_config_conversion_test.go @@ -1,4 +1,4 @@ -package v1beta2 +package v1beta1 import ( "encoding/json" @@ -7,12 +7,23 @@ import ( "testing" "github.com/google/go-cmp/cmp" - "github.com/kuadrant/authorino/api/v1beta1" + "github.com/kuadrant/authorino/api/v1beta2" ) func TestConvertTo(t *testing.T) { - converted := &v1beta1.AuthConfig{} - authConfig().ConvertTo(converted) + converted := &v1beta2.AuthConfig{} + config := authConfig() + config.ConvertTo(converted) + + expected := hubAuthConfig() + if !reflect.DeepEqual(expected, converted) { + t.Error(cmp.Diff(expected, converted)) + } +} + +func TestConvertFrom(t *testing.T) { + converted := &AuthConfig{} + converted.ConvertFrom(hubAuthConfig()) sort.Slice(converted.Spec.Identity, func(i, j int) bool { return converted.Spec.Identity[i].Name < converted.Spec.Identity[j].Name 
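Review bot: Both new test bodies discard the error the conversion returns — `config.ConvertTo(converted)` in TestConvertTo and `converted.ConvertFrom(hubAuthConfig())` in TestConvertFrom — so a conversion that fails part-way (ConvertTo is declared with an `error` result, and controller-runtime's Convertible contract gives ConvertFrom one as well) would show up only as a confusing DeepEqual diff against a half-populated object, or not at all if the bailed-out fields happen to match the fixture. Guard each call: `if err := config.ConvertTo(converted); err != nil { t.Fatal(err) }`, and the same three lines around the ConvertFrom call. `go vet` does not flag a dropped error, so nothing in the toolchain will catch this later. TestConvertFrom's body continues past the end of this hunk.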
@@ -48,23 +59,14 @@ func TestConvertTo(t *testing.T) { return converted.Spec.DenyWith.Unauthorized.Headers[i].Name < converted.Spec.DenyWith.Unauthorized.Headers[j].Name }) - expected := hubAuthConfig() - if !reflect.DeepEqual(expected, converted) { - t.Error(cmp.Diff(expected, converted)) - } -} - -func TestConvertFrom(t *testing.T) { - converted := &AuthConfig{} - converted.ConvertFrom(hubAuthConfig()) expected := authConfig() if !reflect.DeepEqual(expected, converted) { t.Error(cmp.Diff(expected, converted)) } } -func authConfig() *AuthConfig { - authConfig := &AuthConfig{} +func hubAuthConfig() *v1beta2.AuthConfig { + authConfig := &v1beta2.AuthConfig{} err := json.Unmarshal([]byte(` { "metadata": { @@ -477,8 +479,8 @@ func authConfig() *AuthConfig { return authConfig } -func hubAuthConfig() *v1beta1.AuthConfig { - authConfig := &v1beta1.AuthConfig{} +func authConfig() *AuthConfig { + authConfig := &AuthConfig{} err := json.Unmarshal([]byte(` { "metadata": { diff --git a/install/crd/authorino.kuadrant.io_authconfigs.yaml b/install/crd/authorino.kuadrant.io_authconfigs.yaml index 288a9a2b..800f877a 100644 --- a/install/crd/authorino.kuadrant.io_authconfigs.yaml +++ b/install/crd/authorino.kuadrant.io_authconfigs.yaml @@ -3,7 +3,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.9.0 + creationTimestamp: null name: authconfigs.authorino.kuadrant.io spec: group: authorino.kuadrant.io 
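Review bot: The regenerated CRD now carries `controller-gen.kubebuilder.io/version: v0.9.0` in place of the v0.15.0 annotation the committed file had, and gains `creationTimestamp: null` — both are signs that `make manifests` ran with an older controller-gen than the one that last produced the repository's manifests. That tool downgrade, rather than the v1beta2 API work, appears to drive most of the 2780-line churn in this file (every `|-` description block through the rest of the diff is reflowed into a folded single-quoted string) and presumably the matching churn in install/manifests.yaml. Regenerating with the controller-gen version the project pins (the pin itself is not visible in this patch, so confirm it) would shrink the diff to the genuine schema changes and let a reviewer see whether anything in the served schema actually moved.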
@@ -54,19 +55,14 @@ spec: description: AuthConfig is the schema for Authorino's AuthConfig API properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -76,13 +72,13 @@ spec: service hosts. properties: authorization: - description: |- - Authorization is the list of authorization policies. - All policies in this list MUST evaluate to "true" for a request be successful in the authorization phase. + description: Authorization is the list of authorization policies. + All policies in this list MUST evaluate to "true" for a request + be successful in the authorization phase. items: - description: |- - Authorization policy to be enforced. - Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "opa", "json" or "kubernetes". + description: 'Authorization policy to be enforced. Apart from "name", + one of the following parameters is required and only one of the + following parameters is allowed: "opa", "json" or "kubernetes".' properties: authzed: description: Authzed authorization 
@@ -105,12 +101,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object 
@@ -131,12 +130,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -153,12 +157,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -197,12 +206,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -219,12 +233,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object @@ -233,14 +252,14 @@ spec: - endpoint type: object cache: - description: |- - Caching options for the policy evaluation results when enforcing this config. - Omit it to avoid caching policy evaluation results for this config. + description: Caching options for the policy evaluation results + when enforcing this config. Omit it to avoid caching policy + evaluation results for this config. properties: key: - description: |- - Key used to store the entry in the cache. - Cache entries from different metadata configs are stored and managed separately regardless of the key. + description: Key used to store the entry in the cache. Cache + entries from different metadata configs are stored and + managed separately regardless of the key. properties: value: description: Static value 
@@ -249,12 +268,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object @@ -289,9 +311,12 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to + the content fetched from the authorization JSON, + for comparison with "value". Possible values are: + "eq" (equal to), "neq" (not equal to), "incl" (includes; + for arrays), "excl" (excludes; for arrays), "matches" + (regex)' enum: - eq - neq 
@@ -303,14 +328,16 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input + authorization JSON built by Authorino along the + identity and metadata phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the value + must compile to a valid Golang regex. type: string type: object type: array @@ -318,8 +345,7 @@ spec: - rules type: object kubernetes: - description: |- - Kubernetes authorization policy based on `SubjectAccessReview` + description: Kubernetes authorization policy based on `SubjectAccessReview` Path and Verb are inferred from the request. properties: groups: @@ -328,9 +354,10 @@ spec: type: string type: array resourceAttributes: - description: |- - Use ResourceAttributes for checking permissions on Kubernetes resources - If omitted, it performs a non-resource `SubjectAccessReview`, with verb and path inferred from the request. + description: Use ResourceAttributes for checking permissions + on Kubernetes resources If omitted, it performs a non-resource + `SubjectAccessReview`, with verb and path inferred from + the request. properties: group: description: StaticOrDynamicValue is either a constant 
@@ -345,12 +372,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -367,12 +399,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -389,12 +426,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -411,12 +453,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -433,12 +480,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -455,20 +507,25 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object type: object user: - description: |- - User to test for. - If without "Groups", then is it interpreted as "What if User were not a member of any groups" + description: User to test for. If without "Groups", then + is it interpreted as "What if User were not a member of + any groups" properties: value: description: Static value 
@@ -477,12 +534,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object 
@@ -495,27 +555,30 @@ spec: individual observability metrics type: boolean name: - description: |- - Name of the authorization policy. - It can be used to refer to the resolved authorization object in other configs. + description: Name of the authorization policy. It can be used + to refer to the resolved authorization object in other configs. type: string opa: description: Open Policy Agent (OPA) authorization policy. properties: allValues: default: false - description: |- - Returns the value of all Rego rules in the virtual document. Values can be read in subsequent evaluators/phases of the Auth Pipeline. - Otherwise, only the default `allow` rule will be exposed. - Returning all Rego rules can affect performance of OPA policies during reconciliation (policy precompile) and at runtime. + description: Returns the value of all Rego rules in the + virtual document. Values can be read in subsequent evaluators/phases + of the Auth Pipeline. Otherwise, only the default `allow` + rule will be exposed. Returning all Rego rules can affect + performance of OPA policies during reconciliation (policy + precompile) and at runtime. type: boolean externalRegistry: description: External registry of OPA policies. properties: credentials: - description: |- - Defines where client credentials will be passed in the request to the service. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + description: Defines where client credentials will be + passed in the request to the service. If omitted, + it defaults to client credentials passed in the HTTP + Authorization header and the "Bearer" prefix expected + prepended to the secret value. properties: in: default: authorization_header 
@@ -529,24 +592,32 @@ spec: - cookie type: string keySelector: - description: |- - Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). - When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. + description: Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value + is the prefix of the client credentials string, + separated by a white-space, in the HTTP Authorization + header (e.g. "Bearer", "Basic"). When used with + `custom_header`, `query` or `cookie`, the value + is the name of the HTTP header, query string parameter + or cookie key, respectively. type: string required: - keySelector type: object endpoint: - description: |- - Endpoint of the HTTP external registry. - The endpoint must respond with either plain/text or application/json content-type. - In the latter case, the JSON returned in the body must include a path `result.raw`, where the raw Rego policy will be extracted from. This complies with the specification of the OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy). + description: Endpoint of the HTTP external registry. + The endpoint must respond with either plain/text or + application/json content-type. In the latter case, + the JSON returned in the body must include a path + `result.raw`, where the raw Rego policy will be extracted + from. This complies with the specification of the + OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy). type: string sharedSecretRef: - description: |- - Reference to a Secret key whose value will be passed by Authorino in the request. - The HTTP service can use the shared secret to authenticate the origin of the request. 
+ description: Reference to a Secret key whose value will + be passed by Authorino in the request. The HTTP service + can use the shared secret to authenticate the origin + of the request. properties: key: description: The key of the secret to select from. Must @@ -566,23 +637,24 @@ spec: type: integer type: object inlineRego: - description: |- - Authorization policy as a Rego language document. - The Rego document must include the "allow" condition, set by Authorino to "false" by default (i.e. requests are unauthorized unless changed). - The Rego document must NOT include the "package" declaration in line 1. + description: Authorization policy as a Rego language document. + The Rego document must include the "allow" condition, + set by Authorino to "false" by default (i.e. requests + are unauthorized unless changed). The Rego document must + NOT include the "package" declaration in line 1. type: string type: object priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. type: integer when: - description: |- - Conditions for Authorino to enforce this authorization policy. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this authorization + policy. If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to be + enforced; otherwise, the config will be skipped. items: properties: all: 
@@ -600,9 +672,11 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq @@ -614,14 +688,16 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. type: string type: object type: array 
@@ -630,9 +706,8 @@ spec: type: object type: array callbacks: - description: |- - List of callback configs. - Authorino sends callbacks to specified endpoints at the end of the auth pipeline. + description: List of callback configs. Authorino sends callbacks to + specified endpoints at the end of the auth pipeline. items: description: Endpoints to callback at the end of each auth pipeline. properties: @@ -641,10 +716,10 @@ spec: metadata from a HTTP service. properties: body: - description: |- - Raw body of the HTTP request. - Supersedes 'bodyParameters'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Raw body of the HTTP request. Supersedes 'bodyParameters'; + use either one or the other. Use it with method=POST; + for GET requests, set parameters as query string in the + 'endpoint' (placeholders can be used). properties: value: description: Static value 
@@ -653,20 +728,24 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object bodyParameters: - description: |- - Custom parameters to encode in the body of the HTTP request. - Superseded by 'body'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Custom parameters to encode in the body of + the HTTP request. Superseded by 'body'; use either one + or the other. Use it with method=POST; for GET requests, + set parameters as query string in the 'endpoint' (placeholders + can be used). items: properties: name: 
@@ -679,12 +758,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: 
@@ -693,17 +776,20 @@ spec: type: array contentType: default: application/x-www-form-urlencoded - description: |- - Content-Type of the request body. Shapes how 'bodyParameters' are encoded. - Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + description: Content-Type of the request body. Shapes how + 'bodyParameters' are encoded. Use it with method=POST; + for GET requests, Content-Type is automatically set to + 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: - description: |- - Defines where client credentials will be passed in the request to the service. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + description: Defines where client credentials will be passed + in the request to the service. If omitted, it defaults + to client credentials passed in the HTTP Authorization + header and the "Bearer" prefix expected prepended to the + secret value. properties: in: default: authorization_header 
@@ -717,20 +803,23 @@ spec: - cookie type: string keySelector: - description: |- - Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). - When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. + description: Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is + the prefix of the client credentials string, separated + by a white-space, in the HTTP Authorization header + (e.g. "Bearer", "Basic"). When used with `custom_header`, + `query` or `cookie`, the value is the name of the + HTTP header, query string parameter or cookie key, + respectively. type: string required: - keySelector type: object endpoint: - description: |- - Endpoint of the HTTP service. - The endpoint accepts variable placeholders in the format "{selector}", where "selector" is any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. - E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} + description: Endpoint of the HTTP service. The endpoint + accepts variable placeholders in the format "{selector}", + where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} type: string headers: description: Custom headers in the HTTP request. 
@@ -746,12 +835,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: @@ -760,9 +853,10 @@ spec: type: array method: default: GET - description: |- - HTTP verb used in the request to the service. Accepted values: GET (default), POST. - When the request method is POST, the authorization JSON is passed in the body of the request. + description: 'HTTP verb used in the request to the service. + Accepted values: GET (default), POST. When the request + method is POST, the authorization JSON is passed in the + body of the request.' enum: - GET - POST 
@@ -773,9 +867,9 @@ spec: properties: cache: default: true - description: |- - Caches and reuses the token until expired. - Set it to false to force fetch the token at every authorization request regardless of expiration. + description: Caches and reuses the token until expired. + Set it to false to force fetch the token at every + authorization request regardless of expiration. type: boolean clientId: description: OAuth2 Client ID. @@ -818,10 +912,10 @@ spec: - tokenUrl type: object sharedSecretRef: - description: |- - Reference to a Secret key whose value will be passed by Authorino in the request. - The HTTP service can use the shared secret to authenticate the origin of the request. - Ignored if used together with oauth2. + description: Reference to a Secret key whose value will + be passed by Authorino in the request. The HTTP service + can use the shared secret to authenticate the origin of + the request. Ignored if used together with oauth2. properties: key: description: The key of the secret to select from. Must 
@@ -844,21 +938,20 @@ spec: observability metrics type: boolean name: - description: |- - Name of the callback. - It can be used to refer to the resolved callback response in other configs. + description: Name of the callback. It can be used to refer to + the resolved callback response in other configs. type: string priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. type: integer when: - description: |- - Conditions for Authorino to perform this callback. + description: Conditions for Authorino to perform this callback. If omitted, the callback will be attempted for all requests. - If present, all conditions must match for the callback to be attempted; otherwise, the callback will be skipped. + If present, all conditions must match for the callback to + be attempted; otherwise, the callback will be skipped. items: properties: all: @@ -876,9 +969,11 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq 
@@ -890,14 +985,16 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. type: string type: object type: array 
@@ -924,12 +1021,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object 
@@ -955,12 +1055,15 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object required: 
@@ -977,12 +1080,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object 
@@ -1001,12 +1107,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object 
@@ -1032,12 +1141,15 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object required: 
@@ -1054,32 +1166,37 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object type: object type: object hosts: - description: |- - The list of public host names of the services protected by this authentication/authorization scheme. - Authorino uses the requested host to lookup for the corresponding authentication/authorization configs to enforce. + description: The list of public host names of the services protected + by this authentication/authorization scheme. Authorino uses the + requested host to lookup for the corresponding authentication/authorization + configs to enforce. items: type: string type: array identity: - description: |- - List of identity sources/authentication modes. - At least one config of this list MUST evaluate to a valid identity for a request to be successful in the identity verification phase. + description: List of identity sources/authentication modes. 
At least + one config of this list MUST evaluate to a valid identity for a + request to be successful in the identity verification phase. items: - description: |- - The identity source/authentication mode config. - Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "oicd", "apiKey" or "kubernetes". + description: 'The identity source/authentication mode config. Apart + from "name", one of the following parameters is required and only + one of the following parameters is allowed: "oicd", "apiKey" or + "kubernetes".' properties: anonymous: type: object @@ -1087,9 +1204,10 @@ spec: properties: allNamespaces: default: false - description: |- - Whether Authorino should look for API key secrets in all namespaces or only in the same namespace as the AuthConfig. - Enabling this option in namespaced Authorino instances has no effect. + description: Whether Authorino should look for API key secrets + in all namespaces or only in the same namespace as the + AuthConfig. Enabling this option in namespaced Authorino + instances has no effect. type: boolean selector: description: Label selector used by Authorino to match secrets @@ -1100,8 +1218,8 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates the key and values. properties: key: 
@@ -1109,16 +1227,17 @@ spec: applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -1130,25 +1249,25 @@ spec: matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object - x-kubernetes-map-type: atomic required: - selector type: object cache: - description: |- - Caching options for the identity resolved when applying this config. - Omit it to avoid caching identity objects for this config. + description: Caching options for the identity resolved when + applying this config. Omit it to avoid caching identity objects + for this config. properties: key: - description: |- - Key used to store the entry in the cache. - Cache entries from different metadata configs are stored and managed separately regardless of the key. + description: Key used to store the entry in the cache. Cache + entries from different metadata configs are stored and + managed separately regardless of the key. properties: value: description: Static value 
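Review bot: The removed line `- x-kubernetes-map-type: atomic` under `apiKey.selector` is a schema change, not a reflow like the rest of this hunk, and the commit does not mention it. This looks like a generated CRD manifest, and the switch from `description: |-` block scalars to folded single-line strings across all hunks suggests it was regenerated with a different controller-gen/apimachinery version than the one that produced the previous file; that would also explain the dropped marker. Without `atomic` on the label selector, server-side apply may merge `matchLabels`/`matchExpressions` contributed by different managers instead of replacing the selector as a whole, which can change which API-key Secrets an identity config matches. Please confirm the generator version is intended and, if not, regenerate so the marker is kept.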
@@ -1157,12 +1276,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object @@ -1175,9 +1297,11 @@ spec: - key type: object credentials: - description: |- - Defines where client credentials are required to be passed in the request for this identity source/authentication mode. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the credentials value (token, API key, etc). + description: Defines where client credentials are required to + be passed in the request for this identity source/authentication + mode. If omitted, it defaults to client credentials passed + in the HTTP Authorization header and the "Bearer" prefix expected + prepended to the credentials value (token, API key, etc). properties: in: default: authorization_header 
@@ -1191,18 +1315,23 @@ spec: - cookie type: string keySelector: - description: |- - Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). - When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. + description: Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is the + prefix of the client credentials string, separated by + a white-space, in the HTTP Authorization header (e.g. + "Bearer", "Basic"). When used with `custom_header`, `query` + or `cookie`, the value is the name of the HTTP header, + query string parameter or cookie key, respectively. type: string required: - keySelector type: object extendedProperties: - description: |- - Extends the resolved identity object with additional custom properties before appending to the authorization JSON. - It requires the resolved identity object to always be of the JSON type 'object'. Other JSON types (array, string, etc) will break. + description: Extends the resolved identity object with additional + custom properties before appending to the authorization JSON. + It requires the resolved identity object to always be of the + JSON type 'object'. Other JSON types (array, string, etc) + will break. items: properties: name: 
@@ -1220,12 +1349,15 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object required: @@ -1235,9 +1367,11 @@ spec: kubernetes: properties: audiences: - description: |- - The list of audiences (scopes) that must be claimed in a Kubernetes authentication token supplied in the request, and reviewed by Authorino. - If omitted, Authorino will review tokens expecting the host name of the requested protected service amongst the audiences. + description: The list of audiences (scopes) that must be + claimed in a Kubernetes authentication token supplied + in the request, and reviewed by Authorino. If omitted, + Authorino will review tokens expecting the host name of + the requested protected service amongst the audiences. items: type: string type: array 
@@ -1251,9 +1385,10 @@ spec: properties: allNamespaces: default: false - description: |- - Whether Authorino should look for TLS secrets in all namespaces or only in the same namespace as the AuthConfig. - Enabling this option in namespaced Authorino instances has no effect. + description: Whether Authorino should look for TLS secrets + in all namespaces or only in the same namespace as the + AuthConfig. Enabling this option in namespaced Authorino + instances has no effect. type: boolean selector: description: Label selector used by Authorino to match secrets @@ -1264,8 +1399,8 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates the key and values. properties: key: @@ -1273,16 +1408,17 @@ spec: applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -1294,21 +1430,21 @@ spec: matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object - x-kubernetes-map-type: atomic required: - selector type: object name: - description: |- - The name of this identity source/authentication mode. - It usually identifies a source of identities or group of users/clients of the protected service. - It can be used to refer to the resolved identity object in other configs. + description: The name of this identity source/authentication + mode. It usually identifies a source of identities or group + of users/clients of the protected service. It can be used + to refer to the resolved identity object in other configs. type: string oauth2: properties: 
@@ -1318,19 +1454,15 @@ spec: server. properties: name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object - x-kubernetes-map-type: atomic tokenIntrospectionUrl: description: The full URL of the token introspection endpoint. type: string tokenTypeHint: - description: |- - The token type hint for the token introspection. + description: The token type hint for the token introspection. If omitted, it defaults to "access_token". type: string required: @@ -1340,10 +1472,14 @@ spec: oidc: properties: endpoint: - description: |- - Endpoint of the OIDC issuer. - Authorino will append to this value the well-known path to the OpenID Connect discovery endpoint (i.e. "/.well-known/openid-configuration"), used to automatically discover the OpenID Connect configuration, whose set of claims is expected to include (among others) the "jkws_uri" claim. - The value must coincide with the value of the "iss" (issuer) claim of the discovered OpenID Connect configuration. + description: Endpoint of the OIDC issuer. Authorino will + append to this value the well-known path to the OpenID + Connect discovery endpoint (i.e. "/.well-known/openid-configuration"), + used to automatically discover the OpenID Connect configuration, + whose set of claims is expected to include (among others) + the "jkws_uri" claim. The value must coincide with the + value of the "iss" (issuer) claim of the discovered OpenID + Connect configuration. type: string ttl: description: Decides how long to wait before refreshing 
@@ -1355,25 +1491,28 @@ spec: plain: properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the authorization + JSON (e.g. ''context.request.http.host'') or a string + template with variable placeholders that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). Any patterns supported + by https://pkg.go.dev/github.com/tidwall/gjson can be + used. The following string modifiers are available: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string type: object priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. type: integer when: - description: |- - Conditions for Authorino to enforce this identity config. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this identity + config. If omitted, the config will be enforced for all requests. 
+ If present, all conditions must match for the config to be + enforced; otherwise, the config will be skipped. items: properties: all: @@ -1391,9 +1530,11 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq @@ -1405,14 +1546,16 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. type: string type: object type: array 
@@ -1421,23 +1564,22 @@ spec: type: object type: array metadata: - description: |- - List of metadata source configs. - Authorino fetches JSON content from sources on this list on every request. + description: List of metadata source configs. Authorino fetches JSON + content from sources on this list on every request. items: - description: |- - The metadata config. - Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "http", userInfo" or "uma". + description: 'The metadata config. Apart from "name", one of the + following parameters is required and only one of the following + parameters is allowed: "http", userInfo" or "uma".' properties: cache: - description: |- - Caching options for the external metadata fetched when applying this config. - Omit it to avoid caching metadata from this source. + description: Caching options for the external metadata fetched + when applying this config. Omit it to avoid caching metadata + from this source. properties: key: - description: |- - Key used to store the entry in the cache. - Cache entries from different metadata configs are stored and managed separately regardless of the key. + description: Key used to store the entry in the cache. Cache + entries from different metadata configs are stored and + managed separately regardless of the key. properties: value: description: Static value 
@@ -1446,12 +1588,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object @@ -1468,10 +1613,10 @@ spec: metadata from a HTTP service. properties: body: - description: |- - Raw body of the HTTP request. - Supersedes 'bodyParameters'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Raw body of the HTTP request. Supersedes 'bodyParameters'; + use either one or the other. Use it with method=POST; + for GET requests, set parameters as query string in the + 'endpoint' (placeholders can be used). properties: value: description: Static value 
@@ -1480,20 +1625,24 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object bodyParameters: - description: |- - Custom parameters to encode in the body of the HTTP request. - Superseded by 'body'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Custom parameters to encode in the body of + the HTTP request. Superseded by 'body'; use either one + or the other. Use it with method=POST; for GET requests, + set parameters as query string in the 'endpoint' (placeholders + can be used). items: properties: name: 
@@ -1506,12 +1655,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: 
@@ -1520,17 +1673,20 @@ spec: type: array contentType: default: application/x-www-form-urlencoded - description: |- - Content-Type of the request body. Shapes how 'bodyParameters' are encoded. - Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + description: Content-Type of the request body. Shapes how + 'bodyParameters' are encoded. Use it with method=POST; + for GET requests, Content-Type is automatically set to + 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: - description: |- - Defines where client credentials will be passed in the request to the service. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + description: Defines where client credentials will be passed + in the request to the service. If omitted, it defaults + to client credentials passed in the HTTP Authorization + header and the "Bearer" prefix expected prepended to the + secret value. properties: in: default: authorization_header 
@@ -1544,20 +1700,23 @@ spec: - cookie type: string keySelector: - description: |- - Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). - When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. + description: Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is + the prefix of the client credentials string, separated + by a white-space, in the HTTP Authorization header + (e.g. "Bearer", "Basic"). When used with `custom_header`, + `query` or `cookie`, the value is the name of the + HTTP header, query string parameter or cookie key, + respectively. type: string required: - keySelector type: object endpoint: - description: |- - Endpoint of the HTTP service. - The endpoint accepts variable placeholders in the format "{selector}", where "selector" is any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. - E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} + description: Endpoint of the HTTP service. The endpoint + accepts variable placeholders in the format "{selector}", + where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} type: string headers: description: Custom headers in the HTTP request. 
@@ -1573,12 +1732,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: @@ -1587,9 +1750,10 @@ spec: type: array method: default: GET - description: |- - HTTP verb used in the request to the service. Accepted values: GET (default), POST. - When the request method is POST, the authorization JSON is passed in the body of the request. + description: 'HTTP verb used in the request to the service. + Accepted values: GET (default), POST. When the request + method is POST, the authorization JSON is passed in the + body of the request.' enum: - GET - POST 
@@ -1600,9 +1764,9 @@ spec: properties: cache: default: true - description: |- - Caches and reuses the token until expired. - Set it to false to force fetch the token at every authorization request regardless of expiration. + description: Caches and reuses the token until expired. + Set it to false to force fetch the token at every + authorization request regardless of expiration. type: boolean clientId: description: OAuth2 Client ID. @@ -1645,10 +1809,10 @@ spec: - tokenUrl type: object sharedSecretRef: - description: |- - Reference to a Secret key whose value will be passed by Authorino in the request. - The HTTP service can use the shared secret to authenticate the origin of the request. - Ignored if used together with oauth2. + description: Reference to a Secret key whose value will + be passed by Authorino in the request. The HTTP service + can use the shared secret to authenticate the origin of + the request. Ignored if used together with oauth2. properties: key: description: The key of the secret to select from. Must @@ -1671,15 +1835,14 @@ spec: observability metrics type: boolean name: - description: |- - The name of the metadata source. - It can be used to refer to the resolved metadata object in other configs. + description: The name of the metadata source. It can be used + to refer to the resolved metadata object in other configs. type: string priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. type: integer uma: description: User-Managed Access (UMA) source of resource data. 
@@ -1690,17 +1853,14 @@ spec: registration API of the UMA server. properties: name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object - x-kubernetes-map-type: atomic endpoint: - description: |- - The endpoint of the UMA server. - The value must coincide with the "issuer" claim of the UMA config discovered from the well-known uma configuration endpoint. + description: The endpoint of the UMA server. The value must + coincide with the "issuer" claim of the UMA config discovered + from the well-known uma configuration endpoint. type: string required: - credentialsRef @@ -1719,10 +1879,10 @@ spec: - identitySource type: object when: - description: |- - Conditions for Authorino to apply this metadata config. - If omitted, the config will be applied for all requests. - If present, all conditions must match for the config to be applied; otherwise, the config will be skipped. + description: Conditions for Authorino to apply this metadata + config. If omitted, the config will be applied for all requests. + If present, all conditions must match for the config to be + applied; otherwise, the config will be skipped. items: properties: all: 
@@ -1740,9 +1900,11 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq @@ -1754,14 +1916,16 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. type: string type: object type: array 
@@ -1774,9 +1938,11 @@ spec: items: properties: operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the content + fetched from the authorization JSON, for comparison with + "value". Possible values are: "eq" (equal to), "neq" (not + equal to), "incl" (includes; for arrays), "excl" (excludes; + for arrays), "matches" (regex)' enum: - eq - neq @@ -1785,14 +1951,16 @@ spec: - matches type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison with + the content fetched from the authorization JSON. If used + with the "matches" operator, the value must compile to a + valid Golang regex. type: string type: object type: array 
@@ -1800,23 +1968,22 @@ spec: conditionals and in JSON-pattern matching policy rules. type: object response: - description: |- - List of response configs. - Authorino gathers data from the auth pipeline to build custom responses for the client. + description: List of response configs. Authorino gathers data from + the auth pipeline to build custom responses for the client. items: - description: |- - Dynamic response to return to the client. - Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "wristband" or "json". + description: 'Dynamic response to return to the client. Apart from + "name", one of the following parameters is required and only one + of the following parameters is allowed: "wristband" or "json".' properties: cache: - description: |- - Caching options for dynamic responses built when applying this config. - Omit it to avoid caching dynamic responses for this config. + description: Caching options for dynamic responses built when + applying this config. Omit it to avoid caching dynamic responses + for this config. properties: key: - description: |- - Key used to store the entry in the cache. - Cache entries from different metadata configs are stored and managed separately regardless of the key. + description: Key used to store the entry in the cache. Cache + entries from different metadata configs are stored and + managed separately regardless of the key. properties: value: description: Static value 
@@ -1825,12 +1992,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object 
@@ -1859,12 +2029,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: @@ -1880,9 +2054,8 @@ spec: observability metrics type: boolean name: - description: |- - Name of the custom response. - It can be used to refer to the resolved response object in other configs. + description: Name of the custom response. It can be used to + refer to the resolved response object in other configs. type: string plain: description: StaticOrDynamicValue is either a constant static 
@@ -1896,26 +2069,29 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders that + resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are available: + @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. type: integer when: - description: |- - Conditions for Authorino to enforce this custom response config. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this custom + response config. If omitted, the config will be enforced for + all requests. 
If present, all conditions must match for the + config to be enforced; otherwise, the config will be skipped. items: properties: all: @@ -1933,9 +2109,11 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq 
@@ -1947,30 +2125,32 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. type: string type: object type: array wrapper: default: httpHeader - description: |- - How Authorino wraps the response. - Use "httpHeader" (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" to wrap the response as Envoy Dynamic Metadata + description: How Authorino wraps the response. Use "httpHeader" + (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" + to wrap the response as Envoy Dynamic Metadata enum: - httpHeader - envoyDynamicMetadata type: string wrapperKey: - description: |- - The name of key used in the wrapped response (name of the HTTP header or property of the Envoy Dynamic Metadata JSON). - If omitted, it will be set to the name of the configuration. + description: The name of key used in the wrapped response (name + of the HTTP header or property of the Envoy Dynamic Metadata + JSON). If omitted, it will be set to the name of the configuration. type: string wristband: properties: 
@@ -1990,12 +2170,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: @@ -2008,9 +2192,10 @@ spec: where = / = / = / = / = / = / Date: Mon, 26 Aug 2024 15:24:43 -0400 Subject: [PATCH 4/6] Newer manifests Signed-off-by: Alex Snaps --- .../authorino.kuadrant.io_authconfigs.yaml | 2780 +++++++---------- install/manifests.yaml | 2780 +++++++---------- install/rbac/role.yaml | 1 - 3 files changed, 2350 insertions(+), 3211 deletions(-) diff --git a/install/crd/authorino.kuadrant.io_authconfigs.yaml b/install/crd/authorino.kuadrant.io_authconfigs.yaml index 800f877a..288a9a2b 100644 --- a/install/crd/authorino.kuadrant.io_authconfigs.yaml +++ b/install/crd/authorino.kuadrant.io_authconfigs.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.9.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.15.0 name: authconfigs.authorino.kuadrant.io spec: group: authorino.kuadrant.io @@ -55,14 +54,19 @@ spec: description: AuthConfig is the schema for Authorino's AuthConfig API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -72,13 +76,13 @@ spec: service hosts. properties: authorization: - description: Authorization is the list of authorization policies. - All policies in this list MUST evaluate to "true" for a request - be successful in the authorization phase. + description: |- + Authorization is the list of authorization policies. + All policies in this list MUST evaluate to "true" for a request be successful in the authorization phase. items: - description: 'Authorization policy to be enforced. Apart from "name", - one of the following parameters is required and only one of the - following parameters is allowed: "opa", "json" or "kubernetes".' + description: |- + Authorization policy to be enforced. + Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "opa", "json" or "kubernetes". properties: authzed: description: Authzed authorization 
@@ -101,15 +105,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -130,17 +131,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -157,17 +153,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -206,17 +197,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -233,17 +219,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object @@ -252,14 +233,14 @@ spec: - endpoint type: object cache: - description: Caching options for the policy evaluation results - when enforcing this config. Omit it to avoid caching policy - evaluation results for this config. + description: |- + Caching options for the policy evaluation results when enforcing this config. + Omit it to avoid caching policy evaluation results for this config. properties: key: - description: Key used to store the entry in the cache. Cache - entries from different metadata configs are stored and - managed separately regardless of the key. + description: |- + Key used to store the entry in the cache. + Cache entries from different metadata configs are stored and managed separately regardless of the key. properties: value: description: Static value 
@@ -268,15 +249,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object @@ -311,12 +289,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied to - the content fetched from the authorization JSON, - for comparison with "value". Possible values are: - "eq" (equal to), "neq" (not equal to), "incl" (includes; - for arrays), "excl" (excludes; for arrays), "matches" - (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq 
@@ -328,16 +303,14 @@ spec: description: Name of a named pattern type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input - authorization JSON built by Authorino along the - identity and metadata phases. + description: |- + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization - JSON. If used with the "matches" operator, the value - must compile to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array @@ -345,7 +318,8 @@ spec: - rules type: object kubernetes: - description: Kubernetes authorization policy based on `SubjectAccessReview` + description: |- + Kubernetes authorization policy based on `SubjectAccessReview` Path and Verb are inferred from the request. properties: groups: @@ -354,10 +328,9 @@ spec: type: string type: array resourceAttributes: - description: Use ResourceAttributes for checking permissions - on Kubernetes resources If omitted, it performs a non-resource - `SubjectAccessReview`, with verb and path inferred from - the request. + description: |- + Use ResourceAttributes for checking permissions on Kubernetes resources + If omitted, it performs a non-resource `SubjectAccessReview`, with verb and path inferred from the request. properties: group: description: StaticOrDynamicValue is either a constant 
@@ -372,17 +345,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -399,17 +367,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -426,17 +389,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -453,17 +411,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -480,17 +433,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -507,25 +455,20 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object type: object user: - description: User to test for. If without "Groups", then - is it interpreted as "What if User were not a member of - any groups" + description: |- + User to test for. + If without "Groups", then is it interpreted as "What if User were not a member of any groups" properties: value: description: Static value 
@@ -534,15 +477,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -555,30 +495,27 @@ spec: individual observability metrics type: boolean name: - description: Name of the authorization policy. It can be used - to refer to the resolved authorization object in other configs. + description: |- + Name of the authorization policy. + It can be used to refer to the resolved authorization object in other configs. type: string opa: description: Open Policy Agent (OPA) authorization policy. properties: allValues: default: false - description: Returns the value of all Rego rules in the - virtual document. Values can be read in subsequent evaluators/phases - of the Auth Pipeline. Otherwise, only the default `allow` - rule will be exposed. Returning all Rego rules can affect - performance of OPA policies during reconciliation (policy - precompile) and at runtime. + description: |- + Returns the value of all Rego rules in the virtual document. Values can be read in subsequent evaluators/phases of the Auth Pipeline. + Otherwise, only the default `allow` rule will be exposed. + Returning all Rego rules can affect performance of OPA policies during reconciliation (policy precompile) and at runtime. type: boolean externalRegistry: description: External registry of OPA policies. properties: credentials: - description: Defines where client credentials will be - passed in the request to the service. If omitted, - it defaults to client credentials passed in the HTTP - Authorization header and the "Bearer" prefix expected - prepended to the secret value. + description: |- + Defines where client credentials will be passed in the request to the service. + If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. properties: in: default: authorization_header 
@@ -592,32 +529,24 @@ spec: - cookie type: string keySelector: - description: Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value - is the prefix of the client credentials string, - separated by a white-space, in the HTTP Authorization - header (e.g. "Bearer", "Basic"). When used with - `custom_header`, `query` or `cookie`, the value - is the name of the HTTP header, query string parameter - or cookie key, respectively. + description: |- + Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). + When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. type: string required: - keySelector type: object endpoint: - description: Endpoint of the HTTP external registry. - The endpoint must respond with either plain/text or - application/json content-type. In the latter case, - the JSON returned in the body must include a path - `result.raw`, where the raw Rego policy will be extracted - from. This complies with the specification of the - OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy). + description: |- + Endpoint of the HTTP external registry. + The endpoint must respond with either plain/text or application/json content-type. + In the latter case, the JSON returned in the body must include a path `result.raw`, where the raw Rego policy will be extracted from. This complies with the specification of the OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy). type: string sharedSecretRef: - description: Reference to a Secret key whose value will - be passed by Authorino in the request. The HTTP service - can use the shared secret to authenticate the origin - of the request. 
+ description: |- + Reference to a Secret key whose value will be passed by Authorino in the request. + The HTTP service can use the shared secret to authenticate the origin of the request. properties: key: description: The key of the secret to select from. Must @@ -637,24 +566,23 @@ spec: type: integer type: object inlineRego: - description: Authorization policy as a Rego language document. - The Rego document must include the "allow" condition, - set by Authorino to "false" by default (i.e. requests - are unauthorized unless changed). The Rego document must - NOT include the "package" declaration in line 1. + description: |- + Authorization policy as a Rego language document. + The Rego document must include the "allow" condition, set by Authorino to "false" by default (i.e. requests are unauthorized unless changed). + The Rego document must NOT include the "package" declaration in line 1. type: string type: object priority: default: 0 - description: Priority group of the config. All configs in the - same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer when: - description: Conditions for Authorino to enforce this authorization - policy. If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be - enforced; otherwise, the config will be skipped. + description: |- + Conditions for Authorino to enforce this authorization policy. + If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. items: properties: all: 
@@ -672,11 +600,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied to the - content fetched from the authorization JSON, for comparison - with "value". Possible values are: "eq" (equal to), - "neq" (not equal to), "incl" (includes; for arrays), - "excl" (excludes; for arrays), "matches" (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq @@ -688,16 +614,14 @@ spec: description: Name of a named pattern type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. + description: |- + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must - compile to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array 
@@ -706,8 +630,9 @@ spec: type: object type: array callbacks: - description: List of callback configs. Authorino sends callbacks to - specified endpoints at the end of the auth pipeline. + description: |- + List of callback configs. + Authorino sends callbacks to specified endpoints at the end of the auth pipeline. items: description: Endpoints to callback at the end of each auth pipeline. properties: @@ -716,10 +641,10 @@ spec: metadata from a HTTP service. properties: body: - description: Raw body of the HTTP request. Supersedes 'bodyParameters'; - use either one or the other. Use it with method=POST; - for GET requests, set parameters as query string in the - 'endpoint' (placeholders can be used). + description: |- + Raw body of the HTTP request. + Supersedes 'bodyParameters'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: value: description: Static value 
@@ -728,24 +653,20 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object bodyParameters: - description: Custom parameters to encode in the body of - the HTTP request. Superseded by 'body'; use either one - or the other. Use it with method=POST; for GET requests, - set parameters as query string in the 'endpoint' (placeholders - can be used). + description: |- + Custom parameters to encode in the body of the HTTP request. + Superseded by 'body'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). items: properties: name: 
@@ -758,16 +679,12 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object required: 
@@ -776,20 +693,17 @@ spec: type: array contentType: default: application/x-www-form-urlencoded - description: Content-Type of the request body. Shapes how - 'bodyParameters' are encoded. Use it with method=POST; - for GET requests, Content-Type is automatically set to - 'text/plain'. + description: |- + Content-Type of the request body. Shapes how 'bodyParameters' are encoded. + Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: - description: Defines where client credentials will be passed - in the request to the service. If omitted, it defaults - to client credentials passed in the HTTP Authorization - header and the "Bearer" prefix expected prepended to the - secret value. + description: |- + Defines where client credentials will be passed in the request to the service. + If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. properties: in: default: authorization_header 
@@ -803,23 +717,20 @@ spec: - cookie type: string keySelector: - description: Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is - the prefix of the client credentials string, separated - by a white-space, in the HTTP Authorization header - (e.g. "Bearer", "Basic"). When used with `custom_header`, - `query` or `cookie`, the value is the name of the - HTTP header, query string parameter or cookie key, - respectively. + description: |- + Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). + When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. type: string required: - keySelector type: object endpoint: - description: Endpoint of the HTTP service. The endpoint - accepts variable placeholders in the format "{selector}", - where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} + description: |- + Endpoint of the HTTP service. + The endpoint accepts variable placeholders in the format "{selector}", where "selector" is any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} type: string headers: description: Custom headers in the HTTP request. 
@@ -835,16 +746,12 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object required: @@ -853,10 +760,9 @@ spec: type: array method: default: GET - description: 'HTTP verb used in the request to the service. - Accepted values: GET (default), POST. When the request - method is POST, the authorization JSON is passed in the - body of the request.' + description: |- + HTTP verb used in the request to the service. Accepted values: GET (default), POST. + When the request method is POST, the authorization JSON is passed in the body of the request. enum: - GET - POST 
@@ -867,9 +773,9 @@ spec: properties: cache: default: true - description: Caches and reuses the token until expired. - Set it to false to force fetch the token at every - authorization request regardless of expiration. + description: |- + Caches and reuses the token until expired. + Set it to false to force fetch the token at every authorization request regardless of expiration. type: boolean clientId: description: OAuth2 Client ID. @@ -912,10 +818,10 @@ spec: - tokenUrl type: object sharedSecretRef: - description: Reference to a Secret key whose value will - be passed by Authorino in the request. The HTTP service - can use the shared secret to authenticate the origin of - the request. Ignored if used together with oauth2. + description: |- + Reference to a Secret key whose value will be passed by Authorino in the request. + The HTTP service can use the shared secret to authenticate the origin of the request. + Ignored if used together with oauth2. properties: key: description: The key of the secret to select from. Must 
@@ -938,20 +844,21 @@ spec: observability metrics type: boolean name: - description: Name of the callback. It can be used to refer to - the resolved callback response in other configs. + description: |- + Name of the callback. + It can be used to refer to the resolved callback response in other configs. type: string priority: default: 0 - description: Priority group of the config. All configs in the - same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer when: - description: Conditions for Authorino to perform this callback. + description: |- + Conditions for Authorino to perform this callback. If omitted, the callback will be attempted for all requests. - If present, all conditions must match for the callback to - be attempted; otherwise, the callback will be skipped. + If present, all conditions must match for the callback to be attempted; otherwise, the callback will be skipped. items: properties: all: @@ -969,11 +876,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied to the - content fetched from the authorization JSON, for comparison - with "value". Possible values are: "eq" (equal to), - "neq" (not equal to), "incl" (includes; for arrays), - "excl" (excludes; for arrays), "matches" (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq 
@@ -985,16 +890,14 @@ spec: description: Name of a named pattern type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. + description: |- + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must - compile to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array 
@@ -1021,15 +924,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the - authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -1055,15 +955,12 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object required: 
@@ -1080,15 +977,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the - authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -1107,15 +1001,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the - authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -1141,15 +1032,12 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object required: 
@@ -1166,37 +1054,32 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the - authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object type: object type: object hosts: - description: The list of public host names of the services protected - by this authentication/authorization scheme. Authorino uses the - requested host to lookup for the corresponding authentication/authorization - configs to enforce. + description: |- + The list of public host names of the services protected by this authentication/authorization scheme. + Authorino uses the requested host to lookup for the corresponding authentication/authorization configs to enforce. items: type: string type: array identity: - description: List of identity sources/authentication modes. At least - one config of this list MUST evaluate to a valid identity for a - request to be successful in the identity verification phase. + description: |- + List of identity sources/authentication modes. 
+ At least one config of this list MUST evaluate to a valid identity for a request to be successful in the identity verification phase. items: - description: 'The identity source/authentication mode config. Apart - from "name", one of the following parameters is required and only - one of the following parameters is allowed: "oicd", "apiKey" or - "kubernetes".' + description: |- + The identity source/authentication mode config. + Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "oicd", "apiKey" or "kubernetes". properties: anonymous: type: object @@ -1204,10 +1087,9 @@ spec: properties: allNamespaces: default: false - description: Whether Authorino should look for API key secrets - in all namespaces or only in the same namespace as the - AuthConfig. Enabling this option in namespaced Authorino - instances has no effect. + description: |- + Whether Authorino should look for API key secrets in all namespaces or only in the same namespace as the AuthConfig. + Enabling this option in namespaced Authorino instances has no effect. type: boolean selector: description: Label selector used by Authorino to match secrets @@ -1218,8 +1100,8 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: 
@@ -1227,17 +1109,16 @@ spec: applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, - NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists - or DoesNotExist, the values array must be empty. - This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1249,25 +1130,25 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field - is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic required: - selector type: object cache: - description: Caching options for the identity resolved when - applying this config. Omit it to avoid caching identity objects - for this config. + description: |- + Caching options for the identity resolved when applying this config. + Omit it to avoid caching identity objects for this config. properties: key: - description: Key used to store the entry in the cache. Cache - entries from different metadata configs are stored and - managed separately regardless of the key. + description: |- + Key used to store the entry in the cache. + Cache entries from different metadata configs are stored and managed separately regardless of the key. properties: value: description: Static value 
@@ -1276,15 +1157,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object @@ -1297,11 +1175,9 @@ spec: - key type: object credentials: - description: Defines where client credentials are required to - be passed in the request for this identity source/authentication - mode. If omitted, it defaults to client credentials passed - in the HTTP Authorization header and the "Bearer" prefix expected - prepended to the credentials value (token, API key, etc). + description: |- + Defines where client credentials are required to be passed in the request for this identity source/authentication mode. + If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the credentials value (token, API key, etc). properties: in: default: authorization_header 
@@ -1315,23 +1191,18 @@ spec: - cookie type: string keySelector: - description: Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is the - prefix of the client credentials string, separated by - a white-space, in the HTTP Authorization header (e.g. - "Bearer", "Basic"). When used with `custom_header`, `query` - or `cookie`, the value is the name of the HTTP header, - query string parameter or cookie key, respectively. + description: |- + Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). + When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. type: string required: - keySelector type: object extendedProperties: - description: Extends the resolved identity object with additional - custom properties before appending to the authorization JSON. - It requires the resolved identity object to always be of the - JSON type 'object'. Other JSON types (array, string, etc) - will break. + description: |- + Extends the resolved identity object with additional custom properties before appending to the authorization JSON. + It requires the resolved identity object to always be of the JSON type 'object'. Other JSON types (array, string, etc) will break. items: properties: name: 
@@ -1349,15 +1220,12 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the - authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object required: @@ -1367,11 +1235,9 @@ spec: kubernetes: properties: audiences: - description: The list of audiences (scopes) that must be - claimed in a Kubernetes authentication token supplied - in the request, and reviewed by Authorino. If omitted, - Authorino will review tokens expecting the host name of - the requested protected service amongst the audiences. + description: |- + The list of audiences (scopes) that must be claimed in a Kubernetes authentication token supplied in the request, and reviewed by Authorino. + If omitted, Authorino will review tokens expecting the host name of the requested protected service amongst the audiences. items: type: string type: array 
@@ -1385,10 +1251,9 @@ spec: properties: allNamespaces: default: false - description: Whether Authorino should look for TLS secrets - in all namespaces or only in the same namespace as the - AuthConfig. Enabling this option in namespaced Authorino - instances has no effect. + description: |- + Whether Authorino should look for TLS secrets in all namespaces or only in the same namespace as the AuthConfig. + Enabling this option in namespaced Authorino instances has no effect. type: boolean selector: description: Label selector used by Authorino to match secrets @@ -1399,8 +1264,8 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: @@ -1408,17 +1273,16 @@ spec: applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, - NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists - or DoesNotExist, the values array must be empty. - This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1430,21 +1294,21 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field - is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic required: - selector type: object name: - description: The name of this identity source/authentication - mode. It usually identifies a source of identities or group - of users/clients of the protected service. It can be used - to refer to the resolved identity object in other configs. + description: |- + The name of this identity source/authentication mode. + It usually identifies a source of identities or group of users/clients of the protected service. + It can be used to refer to the resolved identity object in other configs. type: string oauth2: properties: 
@@ -1454,15 +1318,19 @@ spec: server. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object + x-kubernetes-map-type: atomic tokenIntrospectionUrl: description: The full URL of the token introspection endpoint. type: string tokenTypeHint: - description: The token type hint for the token introspection. + description: |- + The token type hint for the token introspection. If omitted, it defaults to "access_token". type: string required: @@ -1472,14 +1340,10 @@ spec: oidc: properties: endpoint: - description: Endpoint of the OIDC issuer. Authorino will - append to this value the well-known path to the OpenID - Connect discovery endpoint (i.e. "/.well-known/openid-configuration"), - used to automatically discover the OpenID Connect configuration, - whose set of claims is expected to include (among others) - the "jkws_uri" claim. The value must coincide with the - value of the "iss" (issuer) claim of the discovered OpenID - Connect configuration. + description: |- + Endpoint of the OIDC issuer. + Authorino will append to this value the well-known path to the OpenID Connect discovery endpoint (i.e. "/.well-known/openid-configuration"), used to automatically discover the OpenID Connect configuration, whose set of claims is expected to include (among others) the "jkws_uri" claim. + The value must coincide with the value of the "iss" (issuer) claim of the discovered OpenID Connect configuration. type: string ttl: description: Decides how long to wait before refreshing 
@@ -1491,28 +1355,25 @@ spec: plain: properties: authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') or a string - template with variable placeholders that resolve to patterns - (e.g. "Hello, {auth.identity.name}!"). Any patterns supported - by https://pkg.go.dev/github.com/tidwall/gjson can be - used. The following string modifiers are available: @extract:{sep:" - ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object priority: default: 0 - description: Priority group of the config. All configs in the - same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer when: - description: Conditions for Authorino to enforce this identity - config. If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be - enforced; otherwise, the config will be skipped. + description: |- + Conditions for Authorino to enforce this identity config. + If omitted, the config will be enforced for all requests. 
+ If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. items: properties: all: @@ -1530,11 +1391,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied to the - content fetched from the authorization JSON, for comparison - with "value". Possible values are: "eq" (equal to), - "neq" (not equal to), "incl" (includes; for arrays), - "excl" (excludes; for arrays), "matches" (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq @@ -1546,16 +1405,14 @@ spec: description: Name of a named pattern type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. + description: |- + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must - compile to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array 
@@ -1564,22 +1421,23 @@ spec: type: object type: array metadata: - description: List of metadata source configs. Authorino fetches JSON - content from sources on this list on every request. + description: |- + List of metadata source configs. + Authorino fetches JSON content from sources on this list on every request. items: - description: 'The metadata config. Apart from "name", one of the - following parameters is required and only one of the following - parameters is allowed: "http", userInfo" or "uma".' + description: |- + The metadata config. + Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "http", userInfo" or "uma". properties: cache: - description: Caching options for the external metadata fetched - when applying this config. Omit it to avoid caching metadata - from this source. + description: |- + Caching options for the external metadata fetched when applying this config. + Omit it to avoid caching metadata from this source. properties: key: - description: Key used to store the entry in the cache. Cache - entries from different metadata configs are stored and - managed separately regardless of the key. + description: |- + Key used to store the entry in the cache. + Cache entries from different metadata configs are stored and managed separately regardless of the key. properties: value: description: Static value 
@@ -1588,15 +1446,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object @@ -1613,10 +1468,10 @@ spec: metadata from a HTTP service. properties: body: - description: Raw body of the HTTP request. Supersedes 'bodyParameters'; - use either one or the other. Use it with method=POST; - for GET requests, set parameters as query string in the - 'endpoint' (placeholders can be used). + description: |- + Raw body of the HTTP request. + Supersedes 'bodyParameters'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: value: description: Static value 
@@ -1625,24 +1480,20 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object bodyParameters: - description: Custom parameters to encode in the body of - the HTTP request. Superseded by 'body'; use either one - or the other. Use it with method=POST; for GET requests, - set parameters as query string in the 'endpoint' (placeholders - can be used). + description: |- + Custom parameters to encode in the body of the HTTP request. + Superseded by 'body'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). items: properties: name: 
@@ -1655,16 +1506,12 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object required: 
@@ -1673,20 +1520,17 @@ spec: type: array contentType: default: application/x-www-form-urlencoded - description: Content-Type of the request body. Shapes how - 'bodyParameters' are encoded. Use it with method=POST; - for GET requests, Content-Type is automatically set to - 'text/plain'. + description: |- + Content-Type of the request body. Shapes how 'bodyParameters' are encoded. + Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: - description: Defines where client credentials will be passed - in the request to the service. If omitted, it defaults - to client credentials passed in the HTTP Authorization - header and the "Bearer" prefix expected prepended to the - secret value. + description: |- + Defines where client credentials will be passed in the request to the service. + If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. properties: in: default: authorization_header 
@@ -1700,23 +1544,20 @@ spec: - cookie type: string keySelector: - description: Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is - the prefix of the client credentials string, separated - by a white-space, in the HTTP Authorization header - (e.g. "Bearer", "Basic"). When used with `custom_header`, - `query` or `cookie`, the value is the name of the - HTTP header, query string parameter or cookie key, - respectively. + description: |- + Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). + When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. type: string required: - keySelector type: object endpoint: - description: Endpoint of the HTTP service. The endpoint - accepts variable placeholders in the format "{selector}", - where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} + description: |- + Endpoint of the HTTP service. + The endpoint accepts variable placeholders in the format "{selector}", where "selector" is any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} type: string headers: description: Custom headers in the HTTP request. 
@@ -1732,16 +1573,12 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object required: @@ -1750,10 +1587,9 @@ spec: type: array method: default: GET - description: 'HTTP verb used in the request to the service. - Accepted values: GET (default), POST. When the request - method is POST, the authorization JSON is passed in the - body of the request.' + description: |- + HTTP verb used in the request to the service. Accepted values: GET (default), POST. + When the request method is POST, the authorization JSON is passed in the body of the request. enum: - GET - POST 
@@ -1764,9 +1600,9 @@ spec: properties: cache: default: true - description: Caches and reuses the token until expired. - Set it to false to force fetch the token at every - authorization request regardless of expiration. + description: |- + Caches and reuses the token until expired. + Set it to false to force fetch the token at every authorization request regardless of expiration. type: boolean clientId: description: OAuth2 Client ID. @@ -1809,10 +1645,10 @@ spec: - tokenUrl type: object sharedSecretRef: - description: Reference to a Secret key whose value will - be passed by Authorino in the request. The HTTP service - can use the shared secret to authenticate the origin of - the request. Ignored if used together with oauth2. + description: |- + Reference to a Secret key whose value will be passed by Authorino in the request. + The HTTP service can use the shared secret to authenticate the origin of the request. + Ignored if used together with oauth2. properties: key: description: The key of the secret to select from. Must @@ -1835,14 +1671,15 @@ spec: observability metrics type: boolean name: - description: The name of the metadata source. It can be used - to refer to the resolved metadata object in other configs. + description: |- + The name of the metadata source. + It can be used to refer to the resolved metadata object in other configs. type: string priority: default: 0 - description: Priority group of the config. All configs in the - same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer uma: description: User-Managed Access (UMA) source of resource data. 
@@ -1853,14 +1690,17 @@ spec: registration API of the UMA server. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object + x-kubernetes-map-type: atomic endpoint: - description: The endpoint of the UMA server. The value must - coincide with the "issuer" claim of the UMA config discovered - from the well-known uma configuration endpoint. + description: |- + The endpoint of the UMA server. + The value must coincide with the "issuer" claim of the UMA config discovered from the well-known uma configuration endpoint. type: string required: - credentialsRef @@ -1879,10 +1719,10 @@ spec: - identitySource type: object when: - description: Conditions for Authorino to apply this metadata - config. If omitted, the config will be applied for all requests. - If present, all conditions must match for the config to be - applied; otherwise, the config will be skipped. + description: |- + Conditions for Authorino to apply this metadata config. + If omitted, the config will be applied for all requests. + If present, all conditions must match for the config to be applied; otherwise, the config will be skipped. items: properties: all: 
@@ -1900,11 +1740,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied to the - content fetched from the authorization JSON, for comparison - with "value". Possible values are: "eq" (equal to), - "neq" (not equal to), "incl" (includes; for arrays), - "excl" (excludes; for arrays), "matches" (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq @@ -1916,16 +1754,14 @@ spec: description: Name of a named pattern type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. + description: |- + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must - compile to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array 
@@ -1938,11 +1774,9 @@ spec: items: properties: operator: - description: 'The binary operator to be applied to the content - fetched from the authorization JSON, for comparison with - "value". Possible values are: "eq" (equal to), "neq" (not - equal to), "incl" (includes; for arrays), "excl" (excludes; - for arrays), "matches" (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq @@ -1951,16 +1785,14 @@ spec: - matches type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. + description: |- + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: - description: The value of reference for the comparison with - the content fetched from the authorization JSON. If used - with the "matches" operator, the value must compile to a - valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array 
@@ -1968,22 +1800,23 @@ spec: conditionals and in JSON-pattern matching policy rules. type: object response: - description: List of response configs. Authorino gathers data from - the auth pipeline to build custom responses for the client. + description: |- + List of response configs. + Authorino gathers data from the auth pipeline to build custom responses for the client. items: - description: 'Dynamic response to return to the client. Apart from - "name", one of the following parameters is required and only one - of the following parameters is allowed: "wristband" or "json".' + description: |- + Dynamic response to return to the client. + Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "wristband" or "json". properties: cache: - description: Caching options for dynamic responses built when - applying this config. Omit it to avoid caching dynamic responses - for this config. + description: |- + Caching options for dynamic responses built when applying this config. + Omit it to avoid caching dynamic responses for this config. properties: key: - description: Key used to store the entry in the cache. Cache - entries from different metadata configs are stored and - managed separately regardless of the key. + description: |- + Key used to store the entry in the cache. + Cache entries from different metadata configs are stored and managed separately regardless of the key. properties: value: description: Static value 
@@ -1992,15 +1825,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -2029,16 +1859,12 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object required: @@ -2054,8 +1880,9 @@ spec: observability metrics type: boolean name: - description: Name of the custom response. It can be used to - refer to the resolved response object in other configs. + description: |- + Name of the custom response. + It can be used to refer to the resolved response object in other configs. type: string plain: description: StaticOrDynamicValue is either a constant static 
@@ -2069,29 +1896,26 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the - authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders that - resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object priority: default: 0 - description: Priority group of the config. All configs in the - same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer when: - description: Conditions for Authorino to enforce this custom - response config. If omitted, the config will be enforced for - all requests. If present, all conditions must match for the - config to be enforced; otherwise, the config will be skipped. + description: |- + Conditions for Authorino to enforce this custom response config. + If omitted, the config will be enforced for all requests. 
+ If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. items: properties: all: @@ -2109,11 +1933,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied to the - content fetched from the authorization JSON, for comparison - with "value". Possible values are: "eq" (equal to), - "neq" (not equal to), "incl" (includes; for arrays), - "excl" (excludes; for arrays), "matches" (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq 
@@ -2125,32 +1947,30 @@ spec: description: Name of a named pattern type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. + description: |- + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must - compile to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array wrapper: default: httpHeader - description: How Authorino wraps the response. Use "httpHeader" - (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" - to wrap the response as Envoy Dynamic Metadata + description: |- + How Authorino wraps the response. + Use "httpHeader" (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" to wrap the response as Envoy Dynamic Metadata enum: - httpHeader - envoyDynamicMetadata type: string wrapperKey: - description: The name of key used in the wrapped response (name - of the HTTP header or property of the Envoy Dynamic Metadata - JSON). If omitted, it will be set to the name of the configuration. + description: |- + The name of key used in the wrapped response (name of the HTTP header or property of the Envoy Dynamic Metadata JSON). + If omitted, it will be set to the name of the configuration. type: string wristband: properties: 
@@ -2170,16 +1990,12 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object required: @@ -2192,10 +2008,9 @@ spec: where = / = / = / = / = / = / Date: Mon, 26 Aug 2024 17:05:27 -0400 Subject: [PATCH 5/6] Unsure now Signed-off-by: Alex Snaps --- api/v1beta1/zz_generated.deepcopy.go | 4 ++-- api/v1beta2/zz_generated.deepcopy.go | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go index c70bb9df..3fe74ccf 100644 --- a/api/v1beta1/zz_generated.deepcopy.go +++ b/api/v1beta1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2020 Red Hat, Inc. 
@@ -123,7 +122,8 @@ func (in *AuthConfigSpec) DeepCopyInto(out *AuthConfigSpec) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = make(JSONPatternExpressions, len(*in)) copy(*out, *in) } diff --git a/api/v1beta2/zz_generated.deepcopy.go b/api/v1beta2/zz_generated.deepcopy.go index 3647917e..29171143 100644 --- a/api/v1beta2/zz_generated.deepcopy.go +++ b/api/v1beta2/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2020 Red Hat, Inc. @@ -137,7 +136,8 @@ func (in *AuthConfigSpec) DeepCopyInto(out *AuthConfigSpec) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = make(PatternExpressions, len(*in)) copy(*out, *in) } From 64d1acbaabdfa4137f0e630ca26e7777da360ee4 Mon Sep 17 00:00:00 2001 From: Guilherme Cassolato Date: Tue, 27 Aug 2024 09:36:54 +0200 Subject: [PATCH 6/6] Update manifests Signed-off-by: Guilherme Cassolato --- install/manifests.yaml | 146 ----------------------------------------- install/rbac/role.yaml | 146 ----------------------------------------- 2 files changed, 292 deletions(-) diff --git a/install/manifests.yaml b/install/manifests.yaml index 84228eed..d9dd13cc 100644 --- a/install/manifests.yaml +++ b/install/manifests.yaml 
@@ -5029,80 +5029,6 @@ kind: ClusterRole metadata: name: authorino-manager-role rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - configmaps/status - verbs: - - delete - - get - - patch - - update -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - create - - get - - list - - update - - watch -- apiGroups: - - "" - resources: - - services - verbs: - - create - - get - - list - - update - - watch -- apiGroups: - - apps - resources: - - deployments - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - apiGroups: - authorino.kuadrant.io resources: @@ -5123,12 +5049,6 @@ rules: - get - patch - update -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create - apiGroups: - coordination.k8s.io resources: 
@@ -5146,69 +5066,3 @@ rules: - get - list - watch -- apiGroups: - - operator.authorino.kuadrant.io - resources: - - authorinos - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - operator.authorino.kuadrant.io - resources: - - authorinos/finalizers - verbs: - - update -- apiGroups: - - operator.authorino.kuadrant.io - resources: - - authorinos/status - verbs: - - get - - patch - - update -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - verbs: - - create - - get - - list - - update - - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterroles - verbs: - - create - - get - - list - - update - - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - rolebindings - verbs: - - create - - get - - list - - update - - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - verbs: - - create - - get - - list - - update - - watch diff --git a/install/rbac/role.yaml b/install/rbac/role.yaml index 2328df39..69520e9e 100644 --- a/install/rbac/role.yaml +++ b/install/rbac/role.yaml 
@@ -4,80 +4,6 @@ kind: ClusterRole metadata: name: manager-role rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - configmaps/status - verbs: - - delete - - get - - patch - - update -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - create - - get - - list - - update - - watch -- apiGroups: - - "" - resources: - - services - verbs: - - create - - get - - list - - update - - watch -- apiGroups: - - apps - resources: - - deployments - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - apiGroups: - authorino.kuadrant.io resources: @@ -98,12 +24,6 @@ rules: - get - patch - update -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create - apiGroups: - coordination.k8s.io resources: 
@@ -121,69 +41,3 @@ rules: - get - list - watch -- apiGroups: - - operator.authorino.kuadrant.io - resources: - - authorinos - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - operator.authorino.kuadrant.io - resources: - - authorinos/finalizers - verbs: - - update -- apiGroups: - - operator.authorino.kuadrant.io - resources: - - authorinos/status - verbs: - - get - - patch - - update -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - verbs: - - create - - get - - list - - update - - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterroles - verbs: - - create - - get - - list - - update - - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - rolebindings - verbs: - - create - - get - - list - - update - - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - verbs: - - create - - get - - list - - update - - watch