diff --git a/.github/workflows/delete-release-helm-chart.yaml b/.github/workflows/delete-release-helm-chart.yaml new file mode 100644 index 00000000..e86211eb --- /dev/null +++ b/.github/workflows/delete-release-helm-chart.yaml @@ -0,0 +1,23 @@ +# Description: This workflow is used to communicate Kuadrant helm charts repo that a release has been deleted. + +name: Delete Release Helm Chart +on: + release: + types: + - deleted +jobs: + delete_chart_release: + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Parse Tag + run: | + tag=${{ github.event.release.tag_name || inputs.operatorTag }} + echo "OPERATOR_VERSION=${tag#v}" >> $GITHUB_ENV + - name: Sync deleted Helm Chart with repository + run: | + make helm-sync-package-deleted \ + VERSION=${{env.OPERATOR_VERSION}} \ + HELM_WORKFLOWS_TOKEN=${{ secrets.HELM_WORKFLOWS_TOKEN }} diff --git a/.github/workflows/release-helm-chart.yaml b/.github/workflows/release-helm-chart.yaml new file mode 100644 index 00000000..1a96281f --- /dev/null +++ b/.github/workflows/release-helm-chart.yaml @@ -0,0 +1,52 @@ +# Description: This workflow is used to release the Helm chart to the GitHub repository. The chart manifests should be already +# built with the target `helm-build` and the manifests changes already committed to the tag to be released. + +name: Release Helm Chart +on: + release: + types: + - published + workflow_dispatch: + inputs: + operatorTag: + description: Operator bundle version tag + default: v0.0.0 + type: string +jobs: + chart_release: + runs-on: ubuntu-latest + permissions: + contents: write + + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + ref: ${{ github.ref }} + fetch-depth: 0 + + - name: Package Helm Chart + run: | + make helm-package + + - name: Parse Tag + run: | + tag=${{ github.event.release.tag_name || inputs.operatorTag }} + echo "OPERATOR_VERSION=${tag#v}" >> $GITHUB_ENV + + - name: Upload package to GitHub Release + uses: svenstaro/upload-release-action@v2 + id: upload-chart + with: + repo_token: ${{ secrets.GITHUB_TOKEN }} + file: limitador-operator-${{ env.OPERATOR_VERSION }}.tgz + asset_name: chart-limitador-operator-${{ env.OPERATOR_VERSION }}.tgz + tag: ${{ github.ref }} + overwrite: true + + - name: Sync Helm Chart with repository + run: | + make helm-sync-package-created \ + VERSION=${{env.OPERATOR_VERSION}} \ + HELM_WORKFLOWS_TOKEN=${{ secrets.HELM_WORKFLOWS_TOKEN }} \ + BROWSER_DOWNLOAD_URL=${{ steps.upload-chart.outputs.browser_download_url }} diff --git a/Makefile b/Makefile index 086bae54..b58b0bf0 100644 --- a/Makefile +++ b/Makefile @@ -136,6 +136,23 @@ OPM = $(shell which opm) endif endif +HELM = ./bin/helm +HELM_VERSION = v3.15.0 +$(HELM): + @{ \ + set -e ;\ + mkdir -p $(dir $(HELM)) ;\ + OS=$(shell go env GOOS) && ARCH=$(shell go env GOARCH) && \ + curl -sL -o helm.tar.gz https://get.helm.sh/helm-$(HELM_VERSION)-$${OS}-$${ARCH}.tar.gz ;\ + tar -zxvf helm.tar.gz ;\ + mv $${OS}-$${ARCH}/helm $(HELM) ;\ + chmod +x $(HELM) ;\ + rm -rf $${OS}-$${ARCH} helm.tar.gz ;\ + } + +.PHONY: helm +helm: $(HELM) ## Download helm locally if necessary. + ##@ Development manifests: controller-gen kustomize authorino-manifests ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. @@ -335,3 +352,6 @@ verify-bundle: bundle $(YQ) ## Verify bundle update. .PHONY: verify-fmt verify-fmt: fmt ## Verify fmt update. git diff --exit-code ./api ./controllers + +# Include last to avoid changing MAKEFILE_LIST used above +include ./make/*.mk diff --git a/charts/authorino-operator/.helmignore b/charts/authorino-operator/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/charts/authorino-operator/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/authorino-operator/Chart.lock b/charts/authorino-operator/Chart.lock new file mode 100644 index 00000000..93efb011 --- /dev/null +++ b/charts/authorino-operator/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: cert-manager + repository: https://charts.jetstack.io + version: v1.12.1 +digest: sha256:cf2f92d263aebcba3c235c2ad2389870afdd4db489c4ac3c6ad3813621432c90 +generated: "2024-06-26T17:00:05.675481+02:00" diff --git a/charts/authorino-operator/Chart.yaml b/charts/authorino-operator/Chart.yaml new file mode 100644 index 00000000..ed215165 --- /dev/null +++ b/charts/authorino-operator/Chart.yaml @@ -0,0 +1,28 @@ +apiVersion: v2 +name: authorino-operator +description: Kubernetes operator for managing Authorino instances, a K8s-native AuthN/AuthZ service to protect your APIs. +home: https://kuadrant.io +icon: https://raw.githubusercontent.com/Kuadrant/kuadrant.github.io/main/static/img/apple-touch-icon.png +keywords: + - authorino + - authn + - authz + - authorization + - authentication + - service protection + - kubernetes + - kuadrant +sources: + - https://github.com/Kuadrant/authorino-operator/ + - https://github.com/Kuadrant/authorino/ +kubeVersion: ">=1.19.0-0" +type: application +# The version will be properly set when the chart is released matching the operator version +version: "0.0.0" +maintainers: + - email: mcassola@redhat.com + name: Guilherme Cassolato + - email: didier@redhat.com + name: Didier Di Cesare + - email: eastizle@redhat.com + name: Eguzki Astiz Lezaun diff --git a/charts/authorino-operator/templates/manifests.yaml b/charts/authorino-operator/templates/manifests.yaml new file mode 100644 index 00000000..d03f50f0 --- /dev/null +++ b/charts/authorino-operator/templates/manifests.yaml @@ -0,0 +1,6274 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + control-plane: authorino-operator + name: authorino-operator +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: authorino-operator/authorino-webhook-server-cert + controller-gen.kubebuilder.io/version: v0.9.0 + name: authconfigs.authorino.kuadrant.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: authorino-webhooks + namespace: authorino-operator + path: /convert + conversionReviewVersions: + - v1beta1 + - v1beta2 + group: authorino.kuadrant.io + names: + kind: AuthConfig + listKind: AuthConfigList + plural: authconfigs + singular: authconfig + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Ready for all hosts + jsonPath: .status.summary.ready + name: Ready + type: string + - description: Number of hosts ready + jsonPath: .status.summary.numHostsReady + name: Hosts + type: string + - description: Number of trusted identity sources + jsonPath: .status.summary.numIdentitySources + name: Authentication + priority: 2 + type: integer + - description: Number of external metadata sources + jsonPath: .status.summary.numMetadataSources + name: Metadata + priority: 2 + type: integer + - description: Number of authorization policies + jsonPath: .status.summary.numAuthorizationPolicies + name: Authorization + priority: 2 + type: integer + - description: Number of items added to the authorization response + jsonPath: .status.summary.numResponseItems + name: Response + priority: 2 + type: integer + - description: Whether issuing Festival Wristbands + jsonPath: .status.summary.festivalWristbandEnabled + name: Wristband + priority: 2 + type: boolean + name: v1beta1 + schema: + openAPIV3Schema: + description: AuthConfig is the schema for Authorino's AuthConfig API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Specifies the desired state of the AuthConfig resource, i.e. + the authencation/authorization scheme to be applied to protect the matching + service hosts. + properties: + authorization: + description: Authorization is the list of authorization policies. + All policies in this list MUST evaluate to "true" for a request + be successful in the authorization phase. + items: + description: 'Authorization policy to be enforced. Apart from "name", + one of the following parameters is required and only one of the + following parameters is allowed: "opa", "json" or "kubernetes".' + oneOf: + - properties: + name: {} + opa: {} + required: + - name + - opa + - properties: + json: {} + name: {} + required: + - name + - json + - properties: + kubernetes: {} + name: {} + required: + - name + - kubernetes + - properties: + authzed: {} + name: {} + required: + - name + - authzed + properties: + authzed: + description: Authzed authorization + properties: + endpoint: + description: Endpoint of the Authzed service. + type: string + insecure: + description: Insecure HTTP connection (i.e. disables TLS + verification) + type: boolean + permission: + description: The name of the permission (or relation) on + which to execute the check. + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + type: object + type: object + resource: + description: The resource on which to check the permission + or relation. + properties: + kind: + description: StaticOrDynamicValue is either a constant + static string value or a config for fetching a value + from a dynamic source (e.g. a path pattern of authorization + JSON) + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' + type: string + type: object + type: object + name: + description: StaticOrDynamicValue is either a constant + static string value or a config for fetching a value + from a dynamic source (e.g. a path pattern of authorization + JSON) + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' + type: string + type: object + type: object + type: object + sharedSecretRef: + description: Reference to a Secret key whose value will + be used by Authorino to authenticate with the Authzed + service. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + subject: + description: The subject that will be checked for the permission + or relation. + properties: + kind: + description: StaticOrDynamicValue is either a constant + static string value or a config for fetching a value + from a dynamic source (e.g. a path pattern of authorization + JSON) + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' + type: string + type: object + type: object + name: + description: StaticOrDynamicValue is either a constant + static string value or a config for fetching a value + from a dynamic source (e.g. a path pattern of authorization + JSON) + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' + type: string + type: object + type: object + type: object + required: + - endpoint + type: object + cache: + description: Caching options for the policy evaluation results + when enforcing this config. Omit it to avoid caching policy + evaluation results for this config. + properties: + key: + description: Key used to store the entry in the cache. Cache + entries from different metadata configs are stored and + managed separately regardless of the key. + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + type: object + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external data + in the cache before pulled again from the source. + type: integer + required: + - key + type: object + json: + description: JSON pattern matching authorization policy. + properties: + rules: + description: The rules that must all evaluate to "true" + for the request to be authorized. + items: + oneOf: + - properties: + patternRef: {} + required: + - patternRef + - properties: + operator: {} + selector: {} + value: {} + required: + - operator + - selector + - properties: + all: {} + required: + - all + - properties: + any: {} + required: + - any + properties: + all: + description: A list of pattern expressions to be evaluated + as a logical AND. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions to be evaluated + as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + operator: + description: 'The binary operator to be applied to + the content fetched from the authorization JSON, + for comparison with "value". Possible values are: + "eq" (equal to), "neq" (not equal to), "incl" (includes; + for arrays), "excl" (excludes; for arrays), "matches" + (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Name of a named pattern + type: string + selector: + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input + authorization JSON built by Authorino along the + identity and metadata phases. + type: string + value: + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the value + must compile to a valid Golang regex. + type: string + type: object + type: array + required: + - rules + type: object + kubernetes: + description: Kubernetes authorization policy based on `SubjectAccessReview` + Path and Verb are inferred from the request. + properties: + groups: + description: Groups to test for. + items: + type: string + type: array + resourceAttributes: + description: Use ResourceAttributes for checking permissions + on Kubernetes resources If omitted, it performs a non-resource + `SubjectAccessReview`, with verb and path inferred from + the request. + properties: + group: + description: StaticOrDynamicValue is either a constant + static string value or a config for fetching a value + from a dynamic source (e.g. a path pattern of authorization + JSON) + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' + type: string + type: object + type: object + name: + description: StaticOrDynamicValue is either a constant + static string value or a config for fetching a value + from a dynamic source (e.g. a path pattern of authorization + JSON) + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' + type: string + type: object + type: object + namespace: + description: StaticOrDynamicValue is either a constant + static string value or a config for fetching a value + from a dynamic source (e.g. a path pattern of authorization + JSON) + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' + type: string + type: object + type: object + resource: + description: StaticOrDynamicValue is either a constant + static string value or a config for fetching a value + from a dynamic source (e.g. a path pattern of authorization + JSON) + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' + type: string + type: object + type: object + subresource: + description: StaticOrDynamicValue is either a constant + static string value or a config for fetching a value + from a dynamic source (e.g. a path pattern of authorization + JSON) + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' + type: string + type: object + type: object + verb: + description: StaticOrDynamicValue is either a constant + static string value or a config for fetching a value + from a dynamic source (e.g. a path pattern of authorization + JSON) + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' + type: string + type: object + type: object + type: object + user: + description: User to test for. If without "Groups", then + is it interpreted as "What if User were not a member of + any groups" + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + type: object + type: object + required: + - user + type: object + metrics: + default: false + description: Whether this authorization config should generate + individual observability metrics + type: boolean + name: + description: Name of the authorization policy. It can be used + to refer to the resolved authorization object in other configs. + type: string + opa: + description: Open Policy Agent (OPA) authorization policy. + properties: + allValues: + default: false + description: Returns the value of all Rego rules in the + virtual document. Values can be read in subsequent evaluators/phases + of the Auth Pipeline. Otherwise, only the default `allow` + rule will be exposed. Returning all Rego rules can affect + performance of OPA policies during reconciliation (policy + precompile) and at runtime. + type: boolean + externalRegistry: + description: External registry of OPA policies. + properties: + credentials: + description: Defines where client credentials will be + passed in the request to the service. If omitted, + it defaults to client credentials passed in the HTTP + Authorization header and the "Bearer" prefix expected + prepended to the secret value. + properties: + in: + default: authorization_header + description: The location in the request where client + credentials shall be passed on requests authenticating + with this identity source/authentication mode. + enum: + - authorization_header + - custom_header + - query + - cookie + type: string + keySelector: + description: Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value + is the prefix of the client credentials string, + separated by a white-space, in the HTTP Authorization + header (e.g. "Bearer", "Basic"). When used with + `custom_header`, `query` or `cookie`, the value + is the name of the HTTP header, query string parameter + or cookie key, respectively. + type: string + required: + - keySelector + type: object + endpoint: + description: Endpoint of the HTTP external registry. + The endpoint must respond with either plain/text or + application/json content-type. In the latter case, + the JSON returned in the body must include a path + `result.raw`, where the raw Rego policy will be extracted + from. This complies with the specification of the + OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy). + type: string + sharedSecretRef: + description: Reference to a Secret key whose value will + be passed by Authorino in the request. The HTTP service + can use the shared secret to authenticate the origin + of the request. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + ttl: + description: Duration (in seconds) of the external data + in the cache before pulled again from the source. + type: integer + type: object + inlineRego: + description: Authorization policy as a Rego language document. + The Rego document must include the "allow" condition, + set by Authorino to "false" by default (i.e. requests + are unauthorized unless changed). The Rego document must + NOT include the "package" declaration in line 1. + type: string + type: object + priority: + default: 0 + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. + type: integer + when: + description: Conditions for Authorino to enforce this authorization + policy. If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to be + enforced; otherwise, the config will be skipped. + items: + oneOf: + - properties: + patternRef: {} + required: + - patternRef + - properties: + operator: {} + selector: {} + value: {} + required: + - operator + - selector + - properties: + all: {} + required: + - all + - properties: + any: {} + required: + - any + properties: + all: + description: A list of pattern expressions to be evaluated + as a logical AND. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions to be evaluated + as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + operator: + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Name of a named pattern + type: string + selector: + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. + type: string + value: + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. + type: string + type: object + type: array + required: + - name + type: object + type: array + callbacks: + description: List of callback configs. Authorino sends callbacks to + specified endpoints at the end of the auth pipeline. + items: + description: Endpoints to callback at the end of each auth pipeline. + properties: + http: + description: Generic HTTP interface to obtain authorization + metadata from a HTTP service. + properties: + body: + description: Raw body of the HTTP request. Supersedes 'bodyParameters'; + use either one or the other. Use it with method=POST; + for GET requests, set parameters as query string in the + 'endpoint' (placeholders can be used). + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + type: object + type: object + bodyParameters: + description: Custom parameters to encode in the body of + the HTTP request. Superseded by 'body'; use either one + or the other. Use it with method=POST; for GET requests, + set parameters as query string in the 'endpoint' (placeholders + can be used). + items: + properties: + name: + description: The name of the JSON property + type: string + value: + description: Static value of the JSON property + x-kubernetes-preserve-unknown-fields: true + valueFrom: + description: Dynamic value of the JSON property + properties: + authJSON: + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' + type: string + type: object + required: + - name + type: object + type: array + contentType: + default: application/x-www-form-urlencoded + description: Content-Type of the request body. Shapes how + 'bodyParameters' are encoded. Use it with method=POST; + for GET requests, Content-Type is automatically set to + 'text/plain'. + enum: + - application/x-www-form-urlencoded + - application/json + type: string + credentials: + description: Defines where client credentials will be passed + in the request to the service. If omitted, it defaults + to client credentials passed in the HTTP Authorization + header and the "Bearer" prefix expected prepended to the + secret value. + properties: + in: + default: authorization_header + description: The location in the request where client + credentials shall be passed on requests authenticating + with this identity source/authentication mode. + enum: + - authorization_header + - custom_header + - query + - cookie + type: string + keySelector: + description: Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is + the prefix of the client credentials string, separated + by a white-space, in the HTTP Authorization header + (e.g. "Bearer", "Basic"). When used with `custom_header`, + `query` or `cookie`, the value is the name of the + HTTP header, query string parameter or cookie key, + respectively. + type: string + required: + - keySelector + type: object + endpoint: + description: Endpoint of the HTTP service. The endpoint + accepts variable placeholders in the format "{selector}", + where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} + type: string + headers: + description: Custom headers in the HTTP request. + items: + properties: + name: + description: The name of the JSON property + type: string + value: + description: Static value of the JSON property + x-kubernetes-preserve-unknown-fields: true + valueFrom: + description: Dynamic value of the JSON property + properties: + authJSON: + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' + type: string + type: object + required: + - name + type: object + type: array + method: + default: GET + description: 'HTTP verb used in the request to the service. + Accepted values: GET (default), POST. When the request + method is POST, the authorization JSON is passed in the + body of the request.' + enum: + - GET + - POST + type: string + oauth2: + description: Authentication with the HTTP service by OAuth2 + Client Credentials grant. + properties: + cache: + default: true + description: Caches and reuses the token until expired. + Set it to false to force fetch the token at every + authorization request regardless of expiration. + type: boolean + clientId: + description: OAuth2 Client ID. + type: string + clientSecretRef: + description: Reference to a Kubernetes Secret key that + stores that OAuth2 Client Secret. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + extraParams: + additionalProperties: + type: string + description: Optional extra parameters for the requests + to the token URL. + type: object + scopes: + description: Optional scopes for the client credentials + grant, if supported by he OAuth2 server. + items: + type: string + type: array + tokenUrl: + description: Token endpoint URL of the OAuth2 resource + server. + type: string + required: + - clientId + - clientSecretRef + - tokenUrl + type: object + sharedSecretRef: + description: Reference to a Secret key whose value will + be passed by Authorino in the request. The HTTP service + can use the shared secret to authenticate the origin of + the request. Ignored if used together with oauth2. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + required: + - endpoint + type: object + metrics: + default: false + description: Whether this callback config should generate individual + observability metrics + type: boolean + name: + description: Name of the callback. It can be used to refer to + the resolved callback response in other configs. + type: string + priority: + default: 0 + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. + type: integer + when: + description: Conditions for Authorino to perform this callback. + If omitted, the callback will be attempted for all requests. + If present, all conditions must match for the callback to + be attempted; otherwise, the callback will be skipped. + items: + properties: + all: + description: A list of pattern expressions to be evaluated + as a logical AND. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions to be evaluated + as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + operator: + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Name of a named pattern + type: string + selector: + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. + type: string + value: + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. + type: string + type: object + type: array + required: + - http + - name + type: object + type: array + denyWith: + description: Custom denial response codes, statuses and headers to + override default 40x's. + properties: + unauthenticated: + description: Denial status customization when the request is unauthenticated. + properties: + body: + description: HTTP response body to override the default denial + body. + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + type: object + type: object + code: + description: HTTP status code to override the default denial + status code. + format: int64 + maximum: 599 + minimum: 300 + type: integer + headers: + description: HTTP response headers to override the default + denial headers. + items: + properties: + name: + description: The name of the JSON property + type: string + value: + description: Static value of the JSON property + x-kubernetes-preserve-unknown-fields: true + valueFrom: + description: Dynamic value of the JSON property + properties: + authJSON: + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + type: object + required: + - name + type: object + type: array + message: + description: HTTP message to override the default denial message. + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + type: object + type: object + type: object + unauthorized: + description: Denial status customization when the request is unauthorized. + properties: + body: + description: HTTP response body to override the default denial + body. + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + type: object + type: object + code: + description: HTTP status code to override the default denial + status code. + format: int64 + maximum: 599 + minimum: 300 + type: integer + headers: + description: HTTP response headers to override the default + denial headers. + items: + properties: + name: + description: The name of the JSON property + type: string + value: + description: Static value of the JSON property + x-kubernetes-preserve-unknown-fields: true + valueFrom: + description: Dynamic value of the JSON property + properties: + authJSON: + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + type: object + required: + - name + type: object + type: array + message: + description: HTTP message to override the default denial message. + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + type: object + type: object + type: object + type: object + hosts: + description: The list of public host names of the services protected + by this authentication/authorization scheme. Authorino uses the + requested host to lookup for the corresponding authentication/authorization + configs to enforce. + items: + type: string + type: array + identity: + description: List of identity sources/authentication modes. At least + one config of this list MUST evaluate to a valid identity for a + request to be successful in the identity verification phase. + items: + description: 'The identity source/authentication mode config. Apart + from "name", one of the following parameters is required and only + one of the following parameters is allowed: "oicd", "apiKey" or + "kubernetes".' + oneOf: + - properties: + credentials: {} + name: {} + oauth2: {} + required: + - name + - oauth2 + - properties: + credentials: {} + name: {} + oidc: {} + required: + - name + - oidc + - properties: + apiKey: {} + credentials: {} + name: {} + required: + - name + - apiKey + - properties: + credentials: {} + mtls: {} + name: {} + required: + - name + - mtls + - properties: + credentials: {} + kubernetes: {} + name: {} + required: + - name + - kubernetes + - properties: + anonymous: {} + credentials: {} + name: {} + required: + - name + - anonymous + - properties: + credentials: {} + name: {} + plain: {} + required: + - name + - plain + properties: + anonymous: + type: object + apiKey: + properties: + allNamespaces: + default: false + description: Whether Authorino should look for API key secrets + in all namespaces or only in the same namespace as the + AuthConfig. Enabling this option in namespaced Authorino + instances has no effect. + type: boolean + selector: + description: Label selector used by Authorino to match secrets + from the cluster storing valid credentials to authenticate + to this service + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + required: + - selector + type: object + cache: + description: Caching options for the identity resolved when + applying this config. Omit it to avoid caching identity objects + for this config. + properties: + key: + description: Key used to store the entry in the cache. Cache + entries from different metadata configs are stored and + managed separately regardless of the key. + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + type: object + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external data + in the cache before pulled again from the source. + type: integer + required: + - key + type: object + credentials: + description: Defines where client credentials are required to + be passed in the request for this identity source/authentication + mode. If omitted, it defaults to client credentials passed + in the HTTP Authorization header and the "Bearer" prefix expected + prepended to the credentials value (token, API key, etc). + properties: + in: + default: authorization_header + description: The location in the request where client credentials + shall be passed on requests authenticating with this identity + source/authentication mode. + enum: + - authorization_header + - custom_header + - query + - cookie + type: string + keySelector: + description: Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is the + prefix of the client credentials string, separated by + a white-space, in the HTTP Authorization header (e.g. + "Bearer", "Basic"). When used with `custom_header`, `query` + or `cookie`, the value is the name of the HTTP header, + query string parameter or cookie key, respectively. + type: string + required: + - keySelector + type: object + extendedProperties: + description: Extends the resolved identity object with additional + custom properties before appending to the authorization JSON. + It requires the resolved identity object to always be of the + JSON type 'object'. Other JSON types (array, string, etc) + will break. + items: + properties: + name: + description: The name of the JSON property + type: string + overwrite: + default: false + description: Whether the value should overwrite the value + of an existing property with the same name. + type: boolean + value: + description: Static value of the JSON property + x-kubernetes-preserve-unknown-fields: true + valueFrom: + description: Dynamic value of the JSON property + properties: + authJSON: + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + type: object + required: + - name + type: object + type: array + kubernetes: + properties: + audiences: + description: The list of audiences (scopes) that must be + claimed in a Kubernetes authentication token supplied + in the request, and reviewed by Authorino. If omitted, + Authorino will review tokens expecting the host name of + the requested protected service amongst the audiences. + items: + type: string + type: array + type: object + metrics: + default: false + description: Whether this identity config should generate individual + observability metrics + type: boolean + mtls: + properties: + allNamespaces: + default: false + description: Whether Authorino should look for TLS secrets + in all namespaces or only in the same namespace as the + AuthConfig. Enabling this option in namespaced Authorino + instances has no effect. + type: boolean + selector: + description: Label selector used by Authorino to match secrets + from the cluster storing trusted CA certificates to validate + clients trying to authenticate to this service + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + required: + - selector + type: object + name: + description: The name of this identity source/authentication + mode. It usually identifies a source of identities or group + of users/clients of the protected service. It can be used + to refer to the resolved identity object in other configs. + type: string + oauth2: + properties: + credentialsRef: + description: Reference to a Kubernetes secret in the same + namespace, that stores client credentials to the OAuth2 + server. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + tokenIntrospectionUrl: + description: The full URL of the token introspection endpoint. + type: string + tokenTypeHint: + description: The token type hint for the token introspection. + If omitted, it defaults to "access_token". + type: string + required: + - credentialsRef + - tokenIntrospectionUrl + type: object + oidc: + properties: + endpoint: + description: Endpoint of the OIDC issuer. Authorino will + append to this value the well-known path to the OpenID + Connect discovery endpoint (i.e. "/.well-known/openid-configuration"), + used to automatically discover the OpenID Connect configuration, + whose set of claims is expected to include (among others) + the "jkws_uri" claim. The value must coincide with the + value of the "iss" (issuer) claim of the discovered OpenID + Connect configuration. + type: string + ttl: + description: Decides how long to wait before refreshing + the OIDC configuration (in seconds). + type: integer + required: + - endpoint + type: object + plain: + properties: + authJSON: + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the authorization + JSON (e.g. ''context.request.http.host'') or a string + template with variable placeholders that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). Any patterns supported + by https://pkg.go.dev/github.com/tidwall/gjson can be + used. The following string modifiers are available: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + type: object + priority: + default: 0 + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. + type: integer + when: + description: Conditions for Authorino to enforce this identity + config. If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to be + enforced; otherwise, the config will be skipped. + items: + oneOf: + - properties: + patternRef: {} + required: + - patternRef + - properties: + operator: {} + selector: {} + value: {} + required: + - operator + - selector + - properties: + all: {} + required: + - all + - properties: + any: {} + required: + - any + properties: + all: + description: A list of pattern expressions to be evaluated + as a logical AND. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions to be evaluated + as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + operator: + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Name of a named pattern + type: string + selector: + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. + type: string + value: + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. + type: string + type: object + type: array + required: + - name + type: object + type: array + metadata: + description: List of metadata source configs. Authorino fetches JSON + content from sources on this list on every request. + items: + description: 'The metadata config. Apart from "name", one of the + following parameters is required and only one of the following + parameters is allowed: "http", userInfo" or "uma".' + oneOf: + - properties: + name: {} + userInfo: {} + required: + - name + - userInfo + - properties: + name: {} + uma: {} + required: + - name + - uma + - properties: + http: {} + name: {} + required: + - name + - http + properties: + cache: + description: Caching options for the external metadata fetched + when applying this config. Omit it to avoid caching metadata + from this source. + properties: + key: + description: Key used to store the entry in the cache. Cache + entries from different metadata configs are stored and + managed separately regardless of the key. + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + type: object + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external data + in the cache before pulled again from the source. + type: integer + required: + - key + type: object + http: + description: Generic HTTP interface to obtain authorization + metadata from a HTTP service. + properties: + body: + description: Raw body of the HTTP request. Supersedes 'bodyParameters'; + use either one or the other. Use it with method=POST; + for GET requests, set parameters as query string in the + 'endpoint' (placeholders can be used). + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + type: object + type: object + bodyParameters: + description: Custom parameters to encode in the body of + the HTTP request. Superseded by 'body'; use either one + or the other. Use it with method=POST; for GET requests, + set parameters as query string in the 'endpoint' (placeholders + can be used). + items: + properties: + name: + description: The name of the JSON property + type: string + value: + description: Static value of the JSON property + x-kubernetes-preserve-unknown-fields: true + valueFrom: + description: Dynamic value of the JSON property + properties: + authJSON: + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' + type: string + type: object + required: + - name + type: object + type: array + contentType: + default: application/x-www-form-urlencoded + description: Content-Type of the request body. Shapes how + 'bodyParameters' are encoded. Use it with method=POST; + for GET requests, Content-Type is automatically set to + 'text/plain'. + enum: + - application/x-www-form-urlencoded + - application/json + type: string + credentials: + description: Defines where client credentials will be passed + in the request to the service. If omitted, it defaults + to client credentials passed in the HTTP Authorization + header and the "Bearer" prefix expected prepended to the + secret value. + properties: + in: + default: authorization_header + description: The location in the request where client + credentials shall be passed on requests authenticating + with this identity source/authentication mode. + enum: + - authorization_header + - custom_header + - query + - cookie + type: string + keySelector: + description: Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is + the prefix of the client credentials string, separated + by a white-space, in the HTTP Authorization header + (e.g. "Bearer", "Basic"). When used with `custom_header`, + `query` or `cookie`, the value is the name of the + HTTP header, query string parameter or cookie key, + respectively. + type: string + required: + - keySelector + type: object + endpoint: + description: Endpoint of the HTTP service. The endpoint + accepts variable placeholders in the format "{selector}", + where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} + type: string + headers: + description: Custom headers in the HTTP request. + items: + properties: + name: + description: The name of the JSON property + type: string + value: + description: Static value of the JSON property + x-kubernetes-preserve-unknown-fields: true + valueFrom: + description: Dynamic value of the JSON property + properties: + authJSON: + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' + type: string + type: object + required: + - name + type: object + type: array + method: + default: GET + description: 'HTTP verb used in the request to the service. + Accepted values: GET (default), POST. When the request + method is POST, the authorization JSON is passed in the + body of the request.' + enum: + - GET + - POST + type: string + oauth2: + description: Authentication with the HTTP service by OAuth2 + Client Credentials grant. + properties: + cache: + default: true + description: Caches and reuses the token until expired. + Set it to false to force fetch the token at every + authorization request regardless of expiration. + type: boolean + clientId: + description: OAuth2 Client ID. + type: string + clientSecretRef: + description: Reference to a Kubernetes Secret key that + stores that OAuth2 Client Secret. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + extraParams: + additionalProperties: + type: string + description: Optional extra parameters for the requests + to the token URL. + type: object + scopes: + description: Optional scopes for the client credentials + grant, if supported by he OAuth2 server. + items: + type: string + type: array + tokenUrl: + description: Token endpoint URL of the OAuth2 resource + server. + type: string + required: + - clientId + - clientSecretRef + - tokenUrl + type: object + sharedSecretRef: + description: Reference to a Secret key whose value will + be passed by Authorino in the request. The HTTP service + can use the shared secret to authenticate the origin of + the request. Ignored if used together with oauth2. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + required: + - endpoint + type: object + metrics: + default: false + description: Whether this metadata config should generate individual + observability metrics + type: boolean + name: + description: The name of the metadata source. It can be used + to refer to the resolved metadata object in other configs. + type: string + priority: + default: 0 + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. + type: integer + uma: + description: User-Managed Access (UMA) source of resource data. + properties: + credentialsRef: + description: Reference to a Kubernetes secret in the same + namespace, that stores client credentials to the resource + registration API of the UMA server. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + endpoint: + description: The endpoint of the UMA server. The value must + coincide with the "issuer" claim of the UMA config discovered + from the well-known uma configuration endpoint. + type: string + required: + - credentialsRef + - endpoint + type: object + userInfo: + description: OpendID Connect UserInfo linked to an OIDC identity + config of this same spec. + properties: + identitySource: + description: The name of an OIDC identity source included + in the "identity" section and whose OpenID Connect configuration + discovered includes the OIDC "userinfo_endpoint" claim. + type: string + required: + - identitySource + type: object + when: + description: Conditions for Authorino to apply this metadata + config. If omitted, the config will be applied for all requests. + If present, all conditions must match for the config to be + applied; otherwise, the config will be skipped. + items: + oneOf: + - properties: + patternRef: {} + required: + - patternRef + - properties: + operator: {} + selector: {} + value: {} + required: + - operator + - selector + - properties: + all: {} + required: + - all + - properties: + any: {} + required: + - any + properties: + all: + description: A list of pattern expressions to be evaluated + as a logical AND. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions to be evaluated + as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + operator: + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Name of a named pattern + type: string + selector: + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. + type: string + value: + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. + type: string + type: object + type: array + required: + - name + type: object + type: array + patterns: + additionalProperties: + items: + properties: + operator: + description: 'The binary operator to be applied to the content + fetched from the authorization JSON, for comparison with + "value". Possible values are: "eq" (equal to), "neq" (not + equal to), "incl" (includes; for arrays), "excl" (excludes; + for arrays), "matches" (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + selector: + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. + type: string + value: + description: The value of reference for the comparison with + the content fetched from the authorization JSON. If used + with the "matches" operator, the value must compile to a + valid Golang regex. + type: string + type: object + type: array + description: Named sets of JSON patterns that can be referred in `when` + conditionals and in JSON-pattern matching policy rules. + type: object + response: + description: List of response configs. Authorino gathers data from + the auth pipeline to build custom responses for the client. + items: + description: 'Dynamic response to return to the client. Apart from + "name", one of the following parameters is required and only one + of the following parameters is allowed: "wristband" or "json".' + oneOf: + - properties: + name: {} + wristband: {} + required: + - name + - wristband + - properties: + json: {} + name: {} + required: + - name + - json + - properties: + name: {} + plain: {} + required: + - name + - plain + properties: + cache: + description: Caching options for dynamic responses built when + applying this config. Omit it to avoid caching dynamic responses + for this config. + properties: + key: + description: Key used to store the entry in the cache. Cache + entries from different metadata configs are stored and + managed separately regardless of the key. + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + type: object + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external data + in the cache before pulled again from the source. + type: integer + required: + - key + type: object + json: + properties: + properties: + description: List of JSON property-value pairs to be added + to the dynamic response. + items: + properties: + name: + description: The name of the JSON property + type: string + value: + description: Static value of the JSON property + x-kubernetes-preserve-unknown-fields: true + valueFrom: + description: Dynamic value of the JSON property + properties: + authJSON: + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' + type: string + type: object + required: + - name + type: object + type: array + required: + - properties + type: object + metrics: + default: false + description: Whether this response config should generate individual + observability metrics + type: boolean + name: + description: Name of the custom response. It can be used to + refer to the resolved response object in other configs. + type: string + plain: + description: StaticOrDynamicValue is either a constant static + string value or a config for fetching a value from a dynamic + source (e.g. a path pattern of authorization JSON) + properties: + value: + description: Static value + type: string + valueFrom: + description: Dynamic value + properties: + authJSON: + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders that + resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are available: + @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + type: object + type: object + priority: + default: 0 + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. + type: integer + when: + description: Conditions for Authorino to enforce this custom + response config. If omitted, the config will be enforced for + all requests. If present, all conditions must match for the + config to be enforced; otherwise, the config will be skipped. + items: + oneOf: + - properties: + patternRef: {} + required: + - patternRef + - properties: + operator: {} + selector: {} + value: {} + required: + - operator + - selector + - properties: + all: {} + required: + - all + - properties: + any: {} + required: + - any + properties: + all: + description: A list of pattern expressions to be evaluated + as a logical AND. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions to be evaluated + as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + operator: + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Name of a named pattern + type: string + selector: + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. + type: string + value: + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. + type: string + type: object + type: array + wrapper: + default: httpHeader + description: How Authorino wraps the response. Use "httpHeader" + (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" + to wrap the response as Envoy Dynamic Metadata + enum: + - httpHeader + - envoyDynamicMetadata + type: string + wrapperKey: + description: The name of key used in the wrapped response (name + of the HTTP header or property of the Envoy Dynamic Metadata + JSON). If omitted, it will be set to the name of the configuration. + type: string + wristband: + properties: + customClaims: + description: Any claims to be added to the wristband token + apart from the standard JWT claims (iss, iat, exp) added + by default. + items: + properties: + name: + description: The name of the JSON property + type: string + value: + description: Static value of the JSON property + x-kubernetes-preserve-unknown-fields: true + valueFrom: + description: Dynamic value of the JSON property + properties: + authJSON: + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' + type: string + type: object + required: + - name + type: object + type: array + issuer: + description: 'The endpoint to the Authorino service that + issues the wristband (format: ://:/, + where = /://:/, + where = /://:/, + where = / charts/authorino-operator/templates/manifests.yaml + V="$(BUNDLE_VERSION)" $(YQ) -i e '.version = strenv(V)' charts/authorino-operator/Chart.yaml + +.PHONY: helm-install +helm-install: $(HELM) ## Install the helm chart + # Install the helm chart in the cluster + $(HELM) install $(REPO) charts/$(REPO) + +.PHONY: helm-uninstall +helm-uninstall: $(HELM) ## Uninstall the helm chart + # Uninstall the helm chart from the cluster + $(HELM) uninstall $(REPO) + +.PHONY: helm-upgrade +helm-upgrade: $(HELM) ## Upgrade the helm chart + # Upgrade the helm chart in the cluster + $(HELM) upgrade $(REPO) charts/$(REPO) + +.PHONY: helm-package +helm-package: $(HELM) ## Package the helm chart + # Package the helm chart + $(HELM) package charts/$(REPO) + +# GitHub Token with permissions to upload to the release assets +HELM_WORKFLOWS_TOKEN ?= +# GitHub Release Asset Browser Download URL, it can be find in the output of the uploaded asset +BROWSER_DOWNLOAD_URL ?= +# Github repo name for the helm charts repository +HELM_REPO_NAME ?= helm-charts + +CHART_VERSION ?= $(BUNDLE_VERSION) + +.PHONY: helm-sync-package-created +helm-sync-package-created: ## Sync the helm chart package to the helm-charts repo + curl -L \ + -X POST \ + -H "Accept: application/vnd.github+json" \ + -H "Authorization: Bearer $(HELM_WORKFLOWS_TOKEN)" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + https://api.github.com/repos/$(ORG)/$(HELM_REPO_NAME)/dispatches \ + -d '{"event_type":"chart-created","client_payload":{"chart":"$(REPO)","version":"$(CHART_VERSION)", "browser_download_url": "$(BROWSER_DOWNLOAD_URL)"}}' + +.PHONY: helm-sync-package-deleted +helm-sync-package-deleted: ## Sync the deleted helm chart package to the helm-charts repo + curl -L \ + -X POST \ + -H "Accept: application/vnd.github+json" \ + -H "Authorization: Bearer $(HELM_WORKFLOWS_TOKEN)" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + https://api.github.com/repos/$(ORG)/$(HELM_REPO_NAME)/dispatches \ + -d '{"event_type":"chart-deleted","client_payload":{"chart":"$(REPO)","version":"$(CHART_VERSION)"}}'