From de7a5a355b36903def8f4cea7fa5ae654a30ece9 Mon Sep 17 00:00:00 2001 From: dd di cesare Date: Wed, 6 Dec 2023 15:08:49 +0100 Subject: [PATCH] Kuadrant operator bundle v0.5.0 Signed-off-by: dd di cesare --- .../kuadrant-operator/0.5.0/bundle.Dockerfile | 21 + ...er-manager-metrics-service_v1_service.yaml | 18 + ...-operator-manager-config_v1_configmap.yaml | 19 + ...c.authorization.k8s.io_v1_clusterrole.yaml | 10 + ...adrant-operator.clusterserviceversion.yaml | 512 ++ .../manifests/kuadrant.io_authpolicies.yaml | 4681 +++++++++++++++++ .../manifests/kuadrant.io_kuadrants.yaml | 132 + .../kuadrant.io_ratelimitpolicies.yaml | 527 ++ .../0.5.0/metadata/annotations.yaml | 15 + .../0.5.0/metadata/dependencies.yaml | 9 + .../0.5.0/tests/scorecard/config.yaml | 70 + 11 files changed, 6014 insertions(+) create mode 100644 operators/kuadrant-operator/0.5.0/bundle.Dockerfile create mode 100644 operators/kuadrant-operator/0.5.0/manifests/kuadrant-operator-controller-manager-metrics-service_v1_service.yaml create mode 100644 operators/kuadrant-operator/0.5.0/manifests/kuadrant-operator-manager-config_v1_configmap.yaml create mode 100644 operators/kuadrant-operator/0.5.0/manifests/kuadrant-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 operators/kuadrant-operator/0.5.0/manifests/kuadrant-operator.clusterserviceversion.yaml create mode 100644 operators/kuadrant-operator/0.5.0/manifests/kuadrant.io_authpolicies.yaml create mode 100644 operators/kuadrant-operator/0.5.0/manifests/kuadrant.io_kuadrants.yaml create mode 100644 operators/kuadrant-operator/0.5.0/manifests/kuadrant.io_ratelimitpolicies.yaml create mode 100644 operators/kuadrant-operator/0.5.0/metadata/annotations.yaml create mode 100644 operators/kuadrant-operator/0.5.0/metadata/dependencies.yaml create mode 100644 operators/kuadrant-operator/0.5.0/tests/scorecard/config.yaml 
diff --git a/operators/kuadrant-operator/0.5.0/bundle.Dockerfile b/operators/kuadrant-operator/0.5.0/bundle.Dockerfile
new file mode 100644
index 00000000000..53a1d199d78
--- /dev/null
+++ b/operators/kuadrant-operator/0.5.0/bundle.Dockerfile
@@ -0,0 +1,21 @@
+FROM scratch
+
+# Core bundle labels.
+LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
+LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
+LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
+LABEL operators.operatorframework.io.bundle.package.v1=kuadrant-operator
+LABEL operators.operatorframework.io.bundle.channels.v1=stable
+LABEL operators.operatorframework.io.bundle.channel.default.v1=stable
+LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.32.0
+LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
+LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v3
+
+# Labels for testing.
+LABEL operators.operatorframework.io.test.mediatype.v1=scorecard+v1
+LABEL operators.operatorframework.io.test.config.v1=tests/scorecard/
+
+# Copy files to locations specified by labels.
+COPY manifests /manifests/
+COPY metadata /metadata/
+COPY tests/scorecard /tests/scorecard/
diff --git a/operators/kuadrant-operator/0.5.0/manifests/kuadrant-operator-controller-manager-metrics-service_v1_service.yaml b/operators/kuadrant-operator/0.5.0/manifests/kuadrant-operator-controller-manager-metrics-service_v1_service.yaml
new file mode 100644
index 00000000000..ce471966fc5
--- /dev/null
+++ b/operators/kuadrant-operator/0.5.0/manifests/kuadrant-operator-controller-manager-metrics-service_v1_service.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+ creationTimestamp: null
+ labels:
+ app: kuadrant
+ control-plane: controller-manager
+ name: kuadrant-operator-controller-manager-metrics-service
+spec:
+ ports:
+ - name: metrics
+ port: 8080
+ targetPort: metrics
+ selector:
+ app: kuadrant
+ control-plane: controller-manager
+status:
+ loadBalancer: {}
diff --git a/operators/kuadrant-operator/0.5.0/manifests/kuadrant-operator-manager-config_v1_configmap.yaml b/operators/kuadrant-operator/0.5.0/manifests/kuadrant-operator-manager-config_v1_configmap.yaml
new file mode 100644
index 00000000000..5f82cb314c0
--- /dev/null
+++ b/operators/kuadrant-operator/0.5.0/manifests/kuadrant-operator-manager-config_v1_configmap.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+data:
+ controller_manager_config.yaml: |
+ apiVersion: controller-runtime.sigs.k8s.io/v1alpha1
+ kind: ControllerManagerConfig
+ health:
+ healthProbeBindAddress: :8081
+ metrics:
+ bindAddress: :8080
+ webhook:
+ port: 9443
+ leaderElection:
+ leaderElect: true
+ resourceName: f139389e.kuadrant.io
+kind: ConfigMap
+metadata:
+ labels:
+ app: kuadrant
+ name: kuadrant-operator-manager-config
diff --git a/operators/kuadrant-operator/0.5.0/manifests/kuadrant-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml b/operators/kuadrant-operator/0.5.0/manifests/kuadrant-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 00000000000..f4998b8da54
--- /dev/null
+++ b/operators/kuadrant-operator/0.5.0/manifests/kuadrant-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,10 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: kuadrant-operator-metrics-reader
+rules:
+- nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
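Review bot: The `kuadrant-operator-metrics-reader` ClusterRole added in the third hunk on this line gates nothing as shipped: the ConfigMap hunk binds metrics to `bindAddress: :8080` on every interface, the Service hunk publishes that port cluster-wide, and the deployment in the ClusterServiceVersion hunk later in this patch runs the single `manager` container with no authenticating proxy in front of it, so a `get` on `/metrics` is never checked against RBAC. Either put kube-rbac-proxy (or an equivalent) in front with the manager bound to `127.0.0.1:8080` and the reader role bound to the scraping identity, or drop the unused ClusterRole and state in the CSV description that operator metrics are unauthenticated and cluster-internal, pairing that with a NetworkPolicy limiting ingress on the metrics port to the monitoring namespace. The same applies to the health probe address `:8081`, though that endpoint exposes less.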
diff --git a/operators/kuadrant-operator/0.5.0/manifests/kuadrant-operator.clusterserviceversion.yaml b/operators/kuadrant-operator/0.5.0/manifests/kuadrant-operator.clusterserviceversion.yaml new file mode 100644 index 00000000000..3b967f35f47 --- /dev/null +++ b/operators/kuadrant-operator/0.5.0/manifests/kuadrant-operator.clusterserviceversion.yaml 
@@ -0,0 +1,512 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: ClusterServiceVersion +metadata: + annotations: + alm-examples: |- + [ + { + "apiVersion": "kuadrant.io/v1beta1", + "kind": "Kuadrant", + "metadata": { + "name": "kuadrant-sample" + }, + "spec": {} + }, + { + "apiVersion": "kuadrant.io/v1beta2", + "kind": "AuthPolicy", + "metadata": { + "name": "toystore" + }, + "spec": { + "rules": { + "authentication": { + "apikey": { + "apiKey": { + "selector": {} + } + }, + "credentials": { + "authorizationHeader": { + "prefix": "APIKEY" + } + } + } + }, + "targetRef": { + "group": "gateway.networking.k8s.io", + "kind": "HTTPRoute", + "name": "toystore" + } + } + }, + { + "apiVersion": "kuadrant.io/v1beta2", + "kind": "RateLimitPolicy", + "metadata": { + "name": "toystore" + }, + "spec": { + "limits": { + "toys": { + "rates": [ + { + "duration": 1, + "limit": 50, + "unit": "minute" + } + ] + } + }, + "targetRef": { + "group": "gateway.networking.k8s.io", + "kind": "HTTPRoute", + "name": "toystore" + } + } + } + ] + capabilities: Basic Install + categories: Integration & Delivery + containerImage: quay.io/kuadrant/kuadrant-operator:v0.5.0 + createdAt: "2023-11-30T15:31:27Z" + operators.operatorframework.io/builder: operator-sdk-v1.32.0 + operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 + repository: https://github.com/Kuadrant/kuadrant-operator + support: kuadrant + name: kuadrant-operator.v0.5.0 + namespace: placeholder +spec: + apiservicedefinitions: {} + customresourcedefinitions: + owned: + - description: AuthPolicy enables authentication and authorization for service + workloads in a Gateway API network + displayName: AuthPolicy + kind: AuthPolicy + name: authpolicies.kuadrant.io + version: v1beta2 + - description: Kuadrant configures installations of Kuadrant Service Protection + components + displayName: Kuadrant + kind: Kuadrant + name: kuadrants.kuadrant.io + version: v1beta1 + - description: RateLimitPolicy enables rate limiting for 
service workloads in + a Gateway API network + displayName: RateLimitPolicy + kind: RateLimitPolicy + name: ratelimitpolicies.kuadrant.io + version: v1beta2 + description: A Kubernetes Operator to manage the lifecycle of the Kuadrant system + displayName: Kuadrant Operator + icon: + - base64data: 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 + mediatype: image/png + install: + spec: + clusterPermissions: + - rules: + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "" + resources: + - leases + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - authorino.kuadrant.io + resources: + - authconfigs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - coordination.k8s.io + resources: + - configmaps + - leases + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - configmaps + - serviceaccounts + - services + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - extensions.istio.io + resources: + - wasmplugins + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/finalizers + verbs: + - update + - apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - install.istio.io + resources: + - istiooperators + verbs: + - create + - get + - list + - patch + - update + - watch + - apiGroups: + - kuadrant.io + resources: + - authpolicies + verbs: + - create + - delete + - get + - 
list + - patch + - update + - watch + - apiGroups: + - kuadrant.io + resources: + - authpolicies/finalizers + verbs: + - update + - apiGroups: + - kuadrant.io + resources: + - authpolicies/status + verbs: + - get + - patch + - update + - apiGroups: + - kuadrant.io + resources: + - kuadrants + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - kuadrant.io + resources: + - kuadrants/finalizers + verbs: + - update + - apiGroups: + - kuadrant.io + resources: + - kuadrants/status + verbs: + - get + - patch + - update + - apiGroups: + - kuadrant.io + resources: + - ratelimitpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - kuadrant.io + resources: + - ratelimitpolicies/finalizers + verbs: + - update + - apiGroups: + - kuadrant.io + resources: + - ratelimitpolicies/status + verbs: + - get + - patch + - update + - apiGroups: + - limitador.kuadrant.io + resources: + - limitadors + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - maistra.io + resources: + - servicemeshcontrolplanes + verbs: + - get + - list + - patch + - update + - use + - watch + - apiGroups: + - maistra.io + resources: + - servicemeshmembers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - networking.istio.io + resources: + - envoyfilters + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - operator.authorino.kuadrant.io + resources: + - authorinos + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - security.istio.io + resources: + - authorizationpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + serviceAccountName: kuadrant-operator-controller-manager + deployments: + - label: + app: kuadrant + control-plane: controller-manager + name: kuadrant-operator-controller-manager + spec: + 
replicas: 1 + selector: + matchLabels: + app: kuadrant + control-plane: controller-manager + strategy: {} + template: + metadata: + labels: + app: kuadrant + control-plane: controller-manager + spec: + containers: + - args: + - --leader-elect + command: + - /manager + env: + - name: RELATED_IMAGE_WASMSHIM + value: oci://quay.io/kuadrant/wasm-shim:v0.3.0 + image: quay.io/kuadrant/kuadrant-operator:v0.5.0 + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + ports: + - containerPort: 8080 + name: metrics + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 200m + memory: 300Mi + requests: + cpu: 200m + memory: 200Mi + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + serviceAccountName: kuadrant-operator-controller-manager + terminationGracePeriodSeconds: 10 + permissions: + - rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + serviceAccountName: kuadrant-operator-controller-manager + strategy: deployment + installModes: + - supported: false + type: OwnNamespace + - supported: false + type: SingleNamespace + - supported: false + type: MultiNamespace + - supported: true + type: AllNamespaces + keywords: + - api + - api-management + - Kuadrant + - kubernetes + - openshift + - cloud-service-protection + - rate-limiting + - authentication + - authorization + links: + - name: Kuadrant Operator + url: https://github.com/Kuadrant/kuadrant-operator + - name: Kuadrant Docs + url: https://kuadrant.io + maintainers: + - email: eastizle@redhat.com + name: Eguzki Astiz Lezaun + - email: 
mcassola@redhat.com + name: Guilherme Cassolato + - email: didier@redhat.com + name: Didier Di Cesare + maturity: alpha + minKubeVersion: 1.8.0 + provider: + name: Red Hat + url: https://github.com/Kuadrant/kuadrant-operator + relatedImages: + - image: oci://quay.io/kuadrant/wasm-shim:v0.3.0 + name: wasmshim + replaces: kuadrant-operator.v0.4.1 + version: 0.5.0 diff --git a/operators/kuadrant-operator/0.5.0/manifests/kuadrant.io_authpolicies.yaml b/operators/kuadrant-operator/0.5.0/manifests/kuadrant.io_authpolicies.yaml new file mode 100644 index 00000000000..344868cc555 --- /dev/null +++ b/operators/kuadrant-operator/0.5.0/manifests/kuadrant.io_authpolicies.yaml 
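Review bot: The `manager` container's securityContext in the deployment spec sets only `allowPrivilegeEscalation: false`; together with the pod-level `runAsNonRoot: true` that is not enough for the restricted Pod Security Standard, which also wants `capabilities.drop: [ALL]` and `seccompProfile.type: RuntimeDefault`, so the pod is rejected in namespaces enforcing `restricted` and otherwise runs with the default capability set. The fence below adds those two fields plus `readOnlyRootFilesystem: true`, which the `/manager` binary presumably tolerates (confirm it writes nothing outside an emptyDir). In the same hunk's clusterPermissions, `configmaps` is listed under `coordination.k8s.io` and `leases` under the core group `""`; both entries are no-ops because those resources live in the other API group, and each is already granted in its correct group in the same rule set, so the two can be removed to keep the role readable. `minKubeVersion: 1.8.0` also looks stale for a bundle whose CRDs carry `x-kubernetes-validations` CEL rules, which API servers older than 1.25 do not enforce; setting it to the oldest version actually tested would stop OLM offering the operator where its schema checks silently do not apply.
```yaml
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
        # … unchanged: pod-level securityContext, serviceAccountName, terminationGracePeriodSeconds …
```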
@@ -0,0 +1,4681 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + creationTimestamp: null + labels: + app: kuadrant + gateway.networking.k8s.io/policy: direct + name: authpolicies.kuadrant.io +spec: + group: kuadrant.io + names: + kind: AuthPolicy + listKind: AuthPolicyList + plural: authpolicies + singular: authpolicy + scope: Namespaced + versions: + - name: v1beta2 + schema: + openAPIV3Schema: + description: AuthPolicy enables authentication and authorization for service + workloads in a Gateway API network + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + patterns: + additionalProperties: + items: + properties: + operator: + description: 'The binary operator to be applied to the content + fetched from the authorization JSON, for comparison with + "value". Possible values are: "eq" (equal to), "neq" (not + equal to), "incl" (includes; for arrays), "excl" (excludes; + for arrays), "matches" (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + selector: + description: Path selector to fetch content from the authorization + JSON (e.g. 'request.method'). Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. 
Authorino custom JSON path modifiers are also + supported. + type: string + value: + description: The value of reference for the comparison with + the content fetched from the authorization JSON. If used + with the "matches" operator, the value must compile to a + valid Golang regex. + type: string + type: object + type: array + description: Named sets of patterns that can be referred in `when` + conditions and in pattern-matching authorization policy rules. + type: object + routeSelectors: + description: Top-level route selectors. If present, the elements will + be used to select HTTPRoute rules that, when activated, trigger + the external authorization service. At least one selected HTTPRoute + rule must match to trigger the AuthPolicy. If no route selectors + are specified, the AuthPolicy will be enforced at all requests to + the protected routes. + items: + description: RouteSelector defines semantics for matching an HTTP + request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + properties: + hostnames: + description: Hostnames defines a set of hostname that should + match against the HTTP Host header to select a HTTPRoute to + process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + items: + description: "Hostname is the fully qualified domain name + of a network host. This matches the RFC 1123 definition + of a hostname with 2 notable exceptions: \n 1. IPs are not + allowed. 2. A hostname may be prefixed with a wildcard label + (`*.`). The wildcard label must appear by itself as the + first label. \n Hostname can be \"precise\" which is a domain + name without the terminating dot of a network host (e.g. + \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). 
+ \n Note that as per RFC1035 and RFC1123, a *label* must + consist of lower case alphanumeric characters or '-', and + must start and end with an alphanumeric character. No other + punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + type: array + matches: + description: Matches define conditions used for matching the + rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: \n path: value: \"/foo\" headers: - name: \"version\" + value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. 
Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. \n Support: Core (Exact) + \n Support: Implementation-specific (RegularExpression) + \n Since RegularExpression HeaderMatchType has + implementation-specific conformance, implementations + can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's + documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. 
+ maxLength: 1024 + type: string + type: object + x-kubernetes-validations: + - message: value must be an absolute path and start with + '/' when type one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'') + : true' + - message: must not contain '//' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'') + : true' + - message: must not contain '/./' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'') + : true' + - message: must not contain '/../' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'') + : true' + - message: must not contain '%2f' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'') + : true' + - message: must not contain '%2F' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'') + : true' + - message: must not contain '#' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'') + : true' + - message: must not end with '/..' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'') + : true' + - message: must not end with '/.' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? 
!self.value.endsWith(''/.'') + : true' + - message: type must be one of ['Exact', 'PathPrefix', + 'RegularExpression'] + rule: self.type in ['Exact','PathPrefix'] || self.type + == 'RegularExpression' + - message: must only contain valid characters (matching + ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$) + for types ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") + : true' + queryParams: + description: "QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent query + param names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST + be ignored. \n If a query param is repeated in + an HTTP request, the behavior is purposely left + undefined, since different data planes have different + capabilities. However, it is *recommended* that + implementations should match against the first + value of the param if the data plane supports + it, as this behavior is expected in other load + balancing contexts outside of the Gateway API. + \n Users SHOULD NOT route traffic based on repeated + query params to guard themselves against potential + differences in the implementations." 
+ maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, + PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 15 + type: array + rules: + description: The auth rules of the policy. See Authorino's AuthConfig + CRD for more details. + properties: + authentication: + additionalProperties: + properties: + anonymous: + description: Anonymous access. + type: object + apiKey: + description: Authentication based on API keys stored in + Kubernetes secrets. + properties: + allNamespaces: + default: false + description: Whether Authorino should look for API key + secrets in all namespaces or only in the same namespace + as the AuthConfig. Enabling this option in namespaced + Authorino instances has no effect. + type: boolean + selector: + description: Label selector used by Authorino to match + secrets from the cluster storing valid credentials + to authenticate to this service + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. 
+ items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - selector + type: object + cache: + description: Caching options for the resolved object returned + when applying this config. Omit it to avoid caching objects + for this config. + properties: + key: + description: Key used to store the entry in the cache. + The resolved key must be unique within the scope of + this particular config. + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. 
The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external data + in the cache before pulled again from the source. + type: integer + required: + - key + type: object + credentials: + description: Defines where credentials are required to be + passed in the request for authentication based on this + config. If omitted, it defaults to credentials passed + in the HTTP Authorization header and the "Bearer" prefix + prepended to the secret credential value. + properties: + authorizationHeader: + properties: + prefix: + type: string + type: object + cookie: + properties: + name: + type: string + required: + - name + type: object + customHeader: + properties: + name: + type: string + required: + - name + type: object + queryString: + properties: + name: + type: string + required: + - name + type: object + type: object + defaults: + additionalProperties: + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Set default property values (claims) for the + resolved identity object, that are set before appending + the object to the authorization JSON. 
If the property + is already present in the resolved identity object, the + default value is ignored. It requires the resolved identity + object to always be a JSON object. Do not use this option + with identity objects of other JSON types (array, string, + etc). + type: object + jwt: + description: Authentication based on JWT tokens. + properties: + issuerUrl: + description: URL of the issuer of the JWT. If `jwksUrl` + is omitted, Authorino will append the path to the + OpenID Connect Well-Known Discovery endpoint (i.e. + "/.well-known/openid-configuration") to this URL, + to discover the OIDC configuration where to obtain + the "jkws_uri" claim from. The value must coincide + with the value of the "iss" (issuer) claim of the + discovered OpenID Connect configuration. + type: string + ttl: + description: Decides how long to wait before refreshing + the JWKS (in seconds). If omitted, Authorino will + never refresh the JWKS. + type: integer + type: object + kubernetesTokenReview: + description: Authentication by Kubernetes token review. + properties: + audiences: + description: The list of audiences (scopes) that must + be claimed in a Kubernetes authentication token supplied + in the request, and reviewed by Authorino. If omitted, + Authorino will review tokens expecting the host name + of the requested protected service amongst the audiences. + items: + type: string + type: array + type: object + metrics: + default: false + description: Whether this config should generate individual + observability metrics + type: boolean + oauth2Introspection: + description: Authentication by OAuth2 token introspection. + properties: + credentialsRef: + description: Reference to a Kubernetes secret in the + same namespace, that stores client credentials to + the OAuth2 server. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. 
apiVersion, kind, + uid?' + type: string + type: object + x-kubernetes-map-type: atomic + endpoint: + description: The full URL of the token introspection + endpoint. + type: string + tokenTypeHint: + description: The token type hint for the token introspection. + If omitted, it defaults to "access_token". + type: string + required: + - credentialsRef + - endpoint + type: object + overrides: + additionalProperties: + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Overrides the resolved identity object by setting + the additional properties (claims) specified in this config, + before appending the object to the authorization JSON. + It requires the resolved identity object to always be + a JSON object. Do not use this option with identity objects + of other JSON types (array, string, etc). + type: object + plain: + description: Identity object extracted from the context. + Use this method when authentication is performed beforehand + by a proxy and the resulting object passed to Authorino + as JSON in the auth request. + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve to + patterns (e.g. "Hello, {auth.identity.name}!"). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. 
The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + required: + - selector + type: object + priority: + default: 0 + description: Priority group of the config. All configs in + the same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. + type: integer + routeSelectors: + description: Top-level route selectors. If present, the + elements will be used to select HTTPRoute rules that, + when activated, trigger the auth rule. At least one selected + HTTPRoute rule must match to trigger the auth rule. If + no route selectors are specified, the auth rule will be + evaluated at all requests to the protected routes. + items: + description: RouteSelector defines semantics for matching + an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + properties: + hostnames: + description: Hostnames defines a set of hostname that + should match against the HTTP Host header to select + a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + items: + description: "Hostname is the fully qualified domain + name of a network host. This matches the RFC 1123 + definition of a hostname with 2 notable exceptions: + \n 1. IPs are not allowed. 2. A hostname may be + prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + \n Hostname can be \"precise\" which is a domain + name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", + which is a domain name prefixed with a single + wildcard label (e.g. `*.example.com`). \n Note + that as per RFC1035 and RFC1123, a *label* must + consist of lower case alphanumeric characters + or '-', and must start and end with an alphanumeric + character. 
No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + type: array + matches: + description: Matches define conditions used for matching + the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + items: + description: "HTTPRouteMatch defines the predicate + used to match requests to a given action. Multiple + match types are ANDed together, i.e. the match + will evaluate to true only if all conditions are + satisfied. \n For example, the match below will + match a HTTP request only if its path starts with + `/foo` AND it contains the `version: v1` header: + \n ``` match: \n path: value: \"/foo\" headers: + - name: \"version\" value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request + header matchers. Multiple match values are + ANDed together, meaning, a request must match + all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how + to select a HTTP route by matching HTTP + request headers. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, only the first entry with + an equivalent name MUST be considered + for a match. Subsequent entries with + an equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent. \n When a header is repeated + in an HTTP request, it is implementation-specific + behavior as to how this is represented. 
+ Generally, proxies should follow the + guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, + with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match + against the value of the header. \n + Support: Core (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + HeaderMatchType has implementation-specific + conformance, implementations can support + POSIX, PCRE or any other dialects of + regular expressions. Please read the + implementation's documentation to determine + the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. + When specified, this route will be matched + only if the request has the specified method. + \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path + matcher. If this field is not specified, a + default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match + against the path Value. \n Support: Core + (Exact, PathPrefix) \n Support: Implementation-specific + (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match + against. 
+ maxLength: 1024 + type: string + type: object + x-kubernetes-validations: + - message: value must be an absolute path and + start with '/' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? self.value.startsWith(''/'') : true' + - message: must not contain '//' when type one + of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''//'') : true' + - message: must not contain '/./' when type + one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''/./'') : true' + - message: must not contain '/../' when type + one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''/../'') : true' + - message: must not contain '%2f' when type + one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''%2f'') : true' + - message: must not contain '%2F' when type + one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''%2F'') : true' + - message: must not contain '#' when type one + of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''#'') : true' + - message: must not end with '/..' when type + one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.endsWith(''/..'') : true' + - message: must not end with '/.' when type + one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? 
!self.value.endsWith(''/.'') : true' + - message: type must be one of ['Exact', 'PathPrefix', + 'RegularExpression'] + rule: self.type in ['Exact','PathPrefix'] + || self.type == 'RegularExpression' + - message: must only contain valid characters + (matching ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$) + for types ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") + : true' + queryParams: + description: "QueryParams specifies HTTP query + parameter matchers. Multiple match values + are ANDed together, meaning, a request must + match all the specified query parameters to + select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes + how to select a HTTP route by matching HTTP + query parameters. + properties: + name: + description: "Name is the name of the + HTTP query param to be matched. This + must be an exact string match. (See + https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent + query param names, only the first entry + with an equivalent name MUST be considered + for a match. Subsequent entries with + an equivalent query param name MUST + be ignored. \n If a query param is repeated + in an HTTP request, the behavior is + purposely left undefined, since different + data planes have different capabilities. + However, it is *recommended* that implementations + should match against the first value + of the param if the data plane supports + it, as this behavior is expected in + other load balancing contexts outside + of the Gateway API. \n Users SHOULD + NOT route traffic based on repeated + query params to guard themselves against + potential differences in the implementations." 
+ maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match + against the value of the query parameter. + \n Support: Extended (Exact) \n Support: + Implementation-specific (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has Implementation-specific conformance, + implementations can support POSIX, PCRE + or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP + query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 15 + type: array + when: + description: Conditions for Authorino to enforce this config. + If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to + be enforced; otherwise, the config will be skipped. + items: + properties: + all: + description: A list of pattern expressions to be evaluated + as a logical AND. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions to be evaluated + as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + operator: + description: 'The binary operator to be applied to + the content fetched from the authorization JSON, + for comparison with "value". 
Possible values are: + "eq" (equal to), "neq" (not equal to), "incl" (includes; + for arrays), "excl" (excludes; for arrays), "matches" + (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Reference to a named set of pattern expressions + type: string + selector: + description: Path selector to fetch content from the + authorization JSON (e.g. 'request.method'). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path modifiers + are also supported. + type: string + value: + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the value + must compile to a valid Golang regex. + type: string + type: object + type: array + x509: + description: Authentication based on client X.509 certificates. + The certificates presented by the clients must be signed + by a trusted CA whose certificates are stored in Kubernetes + secrets. + properties: + allNamespaces: + default: false + description: Whether Authorino should look for TLS secrets + in all namespaces or only in the same namespace as + the AuthConfig. Enabling this option in namespaced + Authorino instances has no effect. + type: boolean + selector: + description: Label selector used by Authorino to match + secrets from the cluster storing trusted CA certificates + to validate clients trying to authenticate to this + service + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. 
Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - selector + type: object + type: object + description: Authentication configs. At least one config MUST + evaluate to a valid identity object for the auth request to + be successful. + maxProperties: 14 + type: object + authorization: + additionalProperties: + properties: + cache: + description: Caching options for the resolved object returned + when applying this config. Omit it to avoid caching objects + for this config. + properties: + key: + description: Key used to store the entry in the cache. + The resolved key must be unique within the scope of + this particular config. + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' 
+ type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external data + in the cache before pulled again from the source. + type: integer + required: + - key + type: object + kubernetesSubjectAccessReview: + description: Authorization by Kubernetes SubjectAccessReview + properties: + groups: + description: Groups the user must be a member of or, + if `user` is omitted, the groups to check for authorization + in the Kubernetes RBAC. + items: + type: string + type: array + resourceAttributes: + description: Use resourceAttributes to check permissions + on Kubernetes resources. If omitted, it performs a + non-resource SubjectAccessReview, with verb and path + inferred from the request. + properties: + group: + description: API group of the resource. Use '*' + for all API groups. + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + name: + description: Resource name Omit it to check for + authorization on all resources of the specified + kind. + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. 
The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + namespace: + description: Namespace where the user must have + permissions on the resource. + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + resource: + description: Resource kind Use '*' for all resource + kinds. + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + subresource: + description: Subresource kind + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). 
Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + verb: + description: Verb to check for authorization on + the resource. Use '*' for all verbs. + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + user: + description: User to check for authorization in the + Kubernetes RBAC. Omit it to check for group authorization + only. + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' 
+ type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + metrics: + default: false + description: Whether this config should generate individual + observability metrics + type: boolean + opa: + description: Open Policy Agent (OPA) Rego policy. + properties: + allValues: + default: false + description: Returns the value of all Rego rules in + the virtual document. Values can be read in subsequent + evaluators/phases of the Auth Pipeline. Otherwise, + only the default `allow` rule will be exposed. Returning + all Rego rules can affect performance of OPA policies + during reconciliation (policy precompile) and at runtime. + type: boolean + externalPolicy: + description: 'Settings for fetching the OPA policy from + an external registry. Use it alternatively to ''rego''. + For the configurations of the HTTP request, the following + options are not implemented: ''method'', ''body'', + ''bodyParameters'', ''contentType'', ''headers'', + ''oauth2''. Use it only with: ''url'', ''sharedSecret'', + ''credentials''.' + properties: + body: + description: Raw body of the HTTP request. Supersedes + 'bodyParameters'; use either one or the other. + Use it with method=POST; for GET requests, set + parameters as query string in the 'endpoint' (placeholders + can be used). + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' 
+ type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + bodyParameters: + additionalProperties: + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Custom parameters to encode in the + body of the HTTP request. Superseded by 'body'; + use either one or the other. Use it with method=POST; + for GET requests, set parameters as query string + in the 'endpoint' (placeholders can be used). + type: object + contentType: + default: application/x-www-form-urlencoded + description: Content-Type of the request body. Shapes + how 'bodyParameters' are encoded. Use it with + method=POST; for GET requests, Content-Type is + automatically set to 'text/plain'. + enum: + - application/x-www-form-urlencoded + - application/json + type: string + credentials: + description: Defines where client credentials will + be passed in the request to the service. If omitted, + it defaults to client credentials passed in the + HTTP Authorization header and the "Bearer" prefix + expected prepended to the secret value. 
+ properties: + authorizationHeader: + properties: + prefix: + type: string + type: object + cookie: + properties: + name: + type: string + required: + - name + type: object + customHeader: + properties: + name: + type: string + required: + - name + type: object + queryString: + properties: + name: + type: string + required: + - name + type: object + type: object + headers: + additionalProperties: + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Custom headers in the HTTP request. + type: object + method: + default: GET + description: 'HTTP verb used in the request to the + service. Accepted values: GET (default), POST. + When the request method is POST, the authorization + JSON is passed in the body of the request.' + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - HEAD + - OPTIONS + - CONNECT + - TRACE + type: string + oauth2: + description: Authentication with the HTTP service + by OAuth2 Client Credentials grant. + properties: + cache: + default: true + description: Caches and reuses the token until + expired. Set it to false to force fetch the + token at every authorization request regardless + of expiration. + type: boolean + clientId: + description: OAuth2 Client ID. + type: string + clientSecretRef: + description: Reference to a Kuberentes Secret + key that stores that OAuth2 Client Secret. + properties: + key: + description: The key of the secret to select + from. 
Must be a valid secret key. + type: string + name: + description: The name of the secret in the + Authorino's namespace to select from. + type: string + required: + - key + - name + type: object + extraParams: + additionalProperties: + type: string + description: Optional extra parameters for the + requests to the token URL. + type: object + scopes: + description: Optional scopes for the client + credentials grant, if supported by he OAuth2 + server. + items: + type: string + type: array + tokenUrl: + description: Token endpoint URL of the OAuth2 + resource server. + type: string + required: + - clientId + - clientSecretRef + - tokenUrl + type: object + sharedSecretRef: + description: Reference to a Secret key whose value + will be passed by Authorino in the request. The + HTTP service can use the shared secret to authenticate + the origin of the request. Ignored if used together + with oauth2. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + ttl: + description: Duration (in seconds) of the external + data in the cache before pulled again from the + source. + type: integer + url: + description: Endpoint URL of the HTTP service. The + value can include variable placeholders in the + format "{selector}", where "selector" is any pattern + supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. + E.g. https://ext-auth-server.io/metadata?p={request.path} + type: string + required: + - url + type: object + rego: + description: Authorization policy as a Rego language + document. The Rego document must include the "allow" + condition, set by Authorino to "false" by default + (i.e. requests are unauthorized unless changed). The + Rego document must NOT include the "package" declaration + in line 1. 
+ type: string + type: object + patternMatching: + description: Pattern-matching authorization rules. + properties: + patterns: + items: + properties: + all: + description: A list of pattern expressions to + be evaluated as a logical AND. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions to + be evaluated as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + operator: + description: 'The binary operator to be applied + to the content fetched from the authorization + JSON, for comparison with "value". Possible + values are: "eq" (equal to), "neq" (not equal + to), "incl" (includes; for arrays), "excl" (excludes; + for arrays), "matches" (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Reference to a named set of pattern + expressions + type: string + selector: + description: Path selector to fetch content from + the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path modifiers + are also supported. + type: string + value: + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the + value must compile to a valid Golang regex. + type: string + type: object + type: array + required: + - patterns + type: object + priority: + default: 0 + description: Priority group of the config. All configs in + the same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. + type: integer + routeSelectors: + description: Top-level route selectors. If present, the + elements will be used to select HTTPRoute rules that, + when activated, trigger the auth rule. At least one selected + HTTPRoute rule must match to trigger the auth rule. 
If + no route selectors are specified, the auth rule will be + evaluated at all requests to the protected routes. + items: + description: RouteSelector defines semantics for matching + an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + properties: + hostnames: + description: Hostnames defines a set of hostname that + should match against the HTTP Host header to select + a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + items: + description: "Hostname is the fully qualified domain + name of a network host. This matches the RFC 1123 + definition of a hostname with 2 notable exceptions: + \n 1. IPs are not allowed. 2. A hostname may be + prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + \n Hostname can be \"precise\" which is a domain + name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", + which is a domain name prefixed with a single + wildcard label (e.g. `*.example.com`). \n Note + that as per RFC1035 and RFC1123, a *label* must + consist of lower case alphanumeric characters + or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + type: array + matches: + description: Matches define conditions used for matching + the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + items: + description: "HTTPRouteMatch defines the predicate + used to match requests to a given action. Multiple + match types are ANDed together, i.e. the match + will evaluate to true only if all conditions are + satisfied. 
\n For example, the match below will + match a HTTP request only if its path starts with + `/foo` AND it contains the `version: v1` header: + \n ``` match: \n path: value: \"/foo\" headers: + - name: \"version\" value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request + header matchers. Multiple match values are + ANDed together, meaning, a request must match + all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how + to select a HTTP route by matching HTTP + request headers. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, only the first entry with + an equivalent name MUST be considered + for a match. Subsequent entries with + an equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent. \n When a header is repeated + in an HTTP request, it is implementation-specific + behavior as to how this is represented. + Generally, proxies should follow the + guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, + with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match + against the value of the header. \n + Support: Core (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + HeaderMatchType has implementation-specific + conformance, implementations can support + POSIX, PCRE or any other dialects of + regular expressions. Please read the + implementation's documentation to determine + the supported dialect." 
+ enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. + When specified, this route will be matched + only if the request has the specified method. + \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path + matcher. If this field is not specified, a + default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match + against the path Value. \n Support: Core + (Exact, PathPrefix) \n Support: Implementation-specific + (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match + against. + maxLength: 1024 + type: string + type: object + x-kubernetes-validations: + - message: value must be an absolute path and + start with '/' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? self.value.startsWith(''/'') : true' + - message: must not contain '//' when type one + of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''//'') : true' + - message: must not contain '/./' when type + one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''/./'') : true' + - message: must not contain '/../' when type + one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? 
!self.value.contains(''/../'') : true' + - message: must not contain '%2f' when type + one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''%2f'') : true' + - message: must not contain '%2F' when type + one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''%2F'') : true' + - message: must not contain '#' when type one + of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''#'') : true' + - message: must not end with '/..' when type + one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.endsWith(''/..'') : true' + - message: must not end with '/.' when type + one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.endsWith(''/.'') : true' + - message: type must be one of ['Exact', 'PathPrefix', + 'RegularExpression'] + rule: self.type in ['Exact','PathPrefix'] + || self.type == 'RegularExpression' + - message: must only contain valid characters + (matching ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$) + for types ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") + : true' + queryParams: + description: "QueryParams specifies HTTP query + parameter matchers. Multiple match values + are ANDed together, meaning, a request must + match all the specified query parameters to + select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes + how to select a HTTP route by matching HTTP + query parameters. + properties: + name: + description: "Name is the name of the + HTTP query param to be matched. This + must be an exact string match. (See + https://tools.ietf.org/html/rfc7230#section-2.7.3). 
+ \n If multiple entries specify equivalent + query param names, only the first entry + with an equivalent name MUST be considered + for a match. Subsequent entries with + an equivalent query param name MUST + be ignored. \n If a query param is repeated + in an HTTP request, the behavior is + purposely left undefined, since different + data planes have different capabilities. + However, it is *recommended* that implementations + should match against the first value + of the param if the data plane supports + it, as this behavior is expected in + other load balancing contexts outside + of the Gateway API. \n Users SHOULD + NOT route traffic based on repeated + query params to guard themselves against + potential differences in the implementations." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match + against the value of the query parameter. + \n Support: Extended (Exact) \n Support: + Implementation-specific (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has Implementation-specific conformance, + implementations can support POSIX, PCRE + or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP + query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 15 + type: array + spicedb: + description: Authorization decision delegated to external + Authzed/SpiceDB server. + properties: + endpoint: + description: Hostname and port number to the GRPC interface + of the SpiceDB server (e.g. spicedb:50051). 
+ type: string + insecure: + description: Insecure HTTP connection (i.e. disables + TLS verification) + type: boolean + permission: + description: The name of the permission (or relation) + on which to execute the check. + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + resource: + description: The resource on which to check the permission + or relation. + properties: + kind: + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + name: + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. 
The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + sharedSecretRef: + description: Reference to a Secret key whose value will + be used by Authorino to authenticate with the Authzed + service. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + subject: + description: The subject that will be checked for the + permission or relation. + properties: + kind: + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + name: + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' 
+ type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + required: + - endpoint + type: object + when: + description: Conditions for Authorino to enforce this config. + If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to + be enforced; otherwise, the config will be skipped. + items: + properties: + all: + description: A list of pattern expressions to be evaluated + as a logical AND. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions to be evaluated + as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + operator: + description: 'The binary operator to be applied to + the content fetched from the authorization JSON, + for comparison with "value". Possible values are: + "eq" (equal to), "neq" (not equal to), "incl" (includes; + for arrays), "excl" (excludes; for arrays), "matches" + (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Reference to a named set of pattern expressions + type: string + selector: + description: Path selector to fetch content from the + authorization JSON (e.g. 'request.method'). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path modifiers + are also supported. + type: string + value: + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the value + must compile to a valid Golang regex. + type: string + type: object + type: array + type: object + description: Authorization policies. All policies MUST evaluate + to "allowed = true" for the auth request be successful. 
+ maxProperties: 14 + type: object + callbacks: + additionalProperties: + properties: + cache: + description: Caching options for the resolved object returned + when applying this config. Omit it to avoid caching objects + for this config. + properties: + key: + description: Key used to store the entry in the cache. + The resolved key must be unique within the scope of + this particular config. + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external data + in the cache before pulled again from the source. + type: integer + required: + - key + type: object + http: + description: Settings of the external HTTP request + properties: + body: + description: Raw body of the HTTP request. Supersedes + 'bodyParameters'; use either one or the other. Use + it with method=POST; for GET requests, set parameters + as query string in the 'endpoint' (placeholders can + be used). + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' 
+ type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + bodyParameters: + additionalProperties: + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Custom parameters to encode in the body + of the HTTP request. Superseded by 'body'; use either + one or the other. Use it with method=POST; for GET + requests, set parameters as query string in the 'endpoint' + (placeholders can be used). + type: object + contentType: + default: application/x-www-form-urlencoded + description: Content-Type of the request body. Shapes + how 'bodyParameters' are encoded. Use it with method=POST; + for GET requests, Content-Type is automatically set + to 'text/plain'. + enum: + - application/x-www-form-urlencoded + - application/json + type: string + credentials: + description: Defines where client credentials will be + passed in the request to the service. If omitted, + it defaults to client credentials passed in the HTTP + Authorization header and the "Bearer" prefix expected + prepended to the secret value. 
+ properties: + authorizationHeader: + properties: + prefix: + type: string + type: object + cookie: + properties: + name: + type: string + required: + - name + type: object + customHeader: + properties: + name: + type: string + required: + - name + type: object + queryString: + properties: + name: + type: string + required: + - name + type: object + type: object + headers: + additionalProperties: + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Custom headers in the HTTP request. + type: object + method: + default: GET + description: 'HTTP verb used in the request to the service. + Accepted values: GET (default), POST. When the request + method is POST, the authorization JSON is passed in + the body of the request.' + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - HEAD + - OPTIONS + - CONNECT + - TRACE + type: string + oauth2: + description: Authentication with the HTTP service by + OAuth2 Client Credentials grant. + properties: + cache: + default: true + description: Caches and reuses the token until expired. + Set it to false to force fetch the token at every + authorization request regardless of expiration. + type: boolean + clientId: + description: OAuth2 Client ID. + type: string + clientSecretRef: + description: Reference to a Kuberentes Secret key + that stores that OAuth2 Client Secret. + properties: + key: + description: The key of the secret to select + from. 
Must be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + extraParams: + additionalProperties: + type: string + description: Optional extra parameters for the requests + to the token URL. + type: object + scopes: + description: Optional scopes for the client credentials + grant, if supported by he OAuth2 server. + items: + type: string + type: array + tokenUrl: + description: Token endpoint URL of the OAuth2 resource + server. + type: string + required: + - clientId + - clientSecretRef + - tokenUrl + type: object + sharedSecretRef: + description: Reference to a Secret key whose value will + be passed by Authorino in the request. The HTTP service + can use the shared secret to authenticate the origin + of the request. Ignored if used together with oauth2. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + url: + description: Endpoint URL of the HTTP service. The value + can include variable placeholders in the format "{selector}", + where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. E.g. + https://ext-auth-server.io/metadata?p={request.path} + type: string + required: + - url + type: object + metrics: + default: false + description: Whether this config should generate individual + observability metrics + type: boolean + priority: + default: 0 + description: Priority group of the config. All configs in + the same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. + type: integer + routeSelectors: + description: Top-level route selectors. 
If present, the + elements will be used to select HTTPRoute rules that, + when activated, trigger the auth rule. At least one selected + HTTPRoute rule must match to trigger the auth rule. If + no route selectors are specified, the auth rule will be + evaluated at all requests to the protected routes. + items: + description: RouteSelector defines semantics for matching + an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + properties: + hostnames: + description: Hostnames defines a set of hostname that + should match against the HTTP Host header to select + a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + items: + description: "Hostname is the fully qualified domain + name of a network host. This matches the RFC 1123 + definition of a hostname with 2 notable exceptions: + \n 1. IPs are not allowed. 2. A hostname may be + prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + \n Hostname can be \"precise\" which is a domain + name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", + which is a domain name prefixed with a single + wildcard label (e.g. `*.example.com`). \n Note + that as per RFC1035 and RFC1123, a *label* must + consist of lower case alphanumeric characters + or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + type: array + matches: + description: Matches define conditions used for matching + the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + items: + description: "HTTPRouteMatch defines the predicate + used to match requests to a given action. 
Multiple + match types are ANDed together, i.e. the match + will evaluate to true only if all conditions are + satisfied. \n For example, the match below will + match a HTTP request only if its path starts with + `/foo` AND it contains the `version: v1` header: + \n ``` match: \n path: value: \"/foo\" headers: + - name: \"version\" value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request + header matchers. Multiple match values are + ANDed together, meaning, a request must match + all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how + to select a HTTP route by matching HTTP + request headers. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, only the first entry with + an equivalent name MUST be considered + for a match. Subsequent entries with + an equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent. \n When a header is repeated + in an HTTP request, it is implementation-specific + behavior as to how this is represented. + Generally, proxies should follow the + guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, + with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match + against the value of the header. \n + Support: Core (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + HeaderMatchType has implementation-specific + conformance, implementations can support + POSIX, PCRE or any other dialects of + regular expressions. 
Please read the + implementation's documentation to determine + the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. + When specified, this route will be matched + only if the request has the specified method. + \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path + matcher. If this field is not specified, a + default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match + against the path Value. \n Support: Core + (Exact, PathPrefix) \n Support: Implementation-specific + (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match + against. + maxLength: 1024 + type: string + type: object + x-kubernetes-validations: + - message: value must be an absolute path and + start with '/' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? self.value.startsWith(''/'') : true' + - message: must not contain '//' when type one + of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''//'') : true' + - message: must not contain '/./' when type + one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? 
!self.value.contains(''/./'') : true' + - message: must not contain '/../' when type + one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''/../'') : true' + - message: must not contain '%2f' when type + one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''%2f'') : true' + - message: must not contain '%2F' when type + one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''%2F'') : true' + - message: must not contain '#' when type one + of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''#'') : true' + - message: must not end with '/..' when type + one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.endsWith(''/..'') : true' + - message: must not end with '/.' when type + one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.endsWith(''/.'') : true' + - message: type must be one of ['Exact', 'PathPrefix', + 'RegularExpression'] + rule: self.type in ['Exact','PathPrefix'] + || self.type == 'RegularExpression' + - message: must only contain valid characters + (matching ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$) + for types ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") + : true' + queryParams: + description: "QueryParams specifies HTTP query + parameter matchers. Multiple match values + are ANDed together, meaning, a request must + match all the specified query parameters to + select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes + how to select a HTTP route by matching HTTP + query parameters. + properties: + name: + description: "Name is the name of the + HTTP query param to be matched. 
This + must be an exact string match. (See + https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent + query param names, only the first entry + with an equivalent name MUST be considered + for a match. Subsequent entries with + an equivalent query param name MUST + be ignored. \n If a query param is repeated + in an HTTP request, the behavior is + purposely left undefined, since different + data planes have different capabilities. + However, it is *recommended* that implementations + should match against the first value + of the param if the data plane supports + it, as this behavior is expected in + other load balancing contexts outside + of the Gateway API. \n Users SHOULD + NOT route traffic based on repeated + query params to guard themselves against + potential differences in the implementations." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match + against the value of the query parameter. + \n Support: Extended (Exact) \n Support: + Implementation-specific (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has Implementation-specific conformance, + implementations can support POSIX, PCRE + or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP + query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 15 + type: array + when: + description: Conditions for Authorino to enforce this config. + If omitted, the config will be enforced for all requests. 
+ If present, all conditions must match for the config to + be enforced; otherwise, the config will be skipped. + items: + properties: + all: + description: A list of pattern expressions to be evaluated + as a logical AND. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions to be evaluated + as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + operator: + description: 'The binary operator to be applied to + the content fetched from the authorization JSON, + for comparison with "value". Possible values are: + "eq" (equal to), "neq" (not equal to), "incl" (includes; + for arrays), "excl" (excludes; for arrays), "matches" + (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Reference to a named set of pattern expressions + type: string + selector: + description: Path selector to fetch content from the + authorization JSON (e.g. 'request.method'). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path modifiers + are also supported. + type: string + value: + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the value + must compile to a valid Golang regex. + type: string + type: object + type: array + required: + - http + type: object + description: Callback functions. Authorino sends callbacks at + the end of the auth pipeline to the endpoints specified in this + config. + maxProperties: 14 + type: object + metadata: + additionalProperties: + properties: + cache: + description: Caching options for the resolved object returned + when applying this config. Omit it to avoid caching objects + for this config. + properties: + key: + description: Key used to store the entry in the cache. 
+ The resolved key must be unique within the scope of + this particular config. + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external data + in the cache before pulled again from the source. + type: integer + required: + - key + type: object + http: + description: External source of auth metadata via HTTP request + properties: + body: + description: Raw body of the HTTP request. Supersedes + 'bodyParameters'; use either one or the other. Use + it with method=POST; for GET requests, set parameters + as query string in the 'endpoint' (placeholders can + be used). + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + bodyParameters: + additionalProperties: + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. 
''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Custom parameters to encode in the body + of the HTTP request. Superseded by 'body'; use either + one or the other. Use it with method=POST; for GET + requests, set parameters as query string in the 'endpoint' + (placeholders can be used). + type: object + contentType: + default: application/x-www-form-urlencoded + description: Content-Type of the request body. Shapes + how 'bodyParameters' are encoded. Use it with method=POST; + for GET requests, Content-Type is automatically set + to 'text/plain'. + enum: + - application/x-www-form-urlencoded + - application/json + type: string + credentials: + description: Defines where client credentials will be + passed in the request to the service. If omitted, + it defaults to client credentials passed in the HTTP + Authorization header and the "Bearer" prefix expected + prepended to the secret value. + properties: + authorizationHeader: + properties: + prefix: + type: string + type: object + cookie: + properties: + name: + type: string + required: + - name + type: object + customHeader: + properties: + name: + type: string + required: + - name + type: object + queryString: + properties: + name: + type: string + required: + - name + type: object + type: object + headers: + additionalProperties: + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). 
+ Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Custom headers in the HTTP request. + type: object + method: + default: GET + description: 'HTTP verb used in the request to the service. + Accepted values: GET (default), POST. When the request + method is POST, the authorization JSON is passed in + the body of the request.' + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - HEAD + - OPTIONS + - CONNECT + - TRACE + type: string + oauth2: + description: Authentication with the HTTP service by + OAuth2 Client Credentials grant. + properties: + cache: + default: true + description: Caches and reuses the token until expired. + Set it to false to force fetch the token at every + authorization request regardless of expiration. + type: boolean + clientId: + description: OAuth2 Client ID. + type: string + clientSecretRef: + description: Reference to a Kuberentes Secret key + that stores that OAuth2 Client Secret. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + extraParams: + additionalProperties: + type: string + description: Optional extra parameters for the requests + to the token URL. + type: object + scopes: + description: Optional scopes for the client credentials + grant, if supported by he OAuth2 server. + items: + type: string + type: array + tokenUrl: + description: Token endpoint URL of the OAuth2 resource + server. 
+ type: string + required: + - clientId + - clientSecretRef + - tokenUrl + type: object + sharedSecretRef: + description: Reference to a Secret key whose value will + be passed by Authorino in the request. The HTTP service + can use the shared secret to authenticate the origin + of the request. Ignored if used together with oauth2. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + url: + description: Endpoint URL of the HTTP service. The value + can include variable placeholders in the format "{selector}", + where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. E.g. + https://ext-auth-server.io/metadata?p={request.path} + type: string + required: + - url + type: object + metrics: + default: false + description: Whether this config should generate individual + observability metrics + type: boolean + priority: + default: 0 + description: Priority group of the config. All configs in + the same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. + type: integer + routeSelectors: + description: Top-level route selectors. If present, the + elements will be used to select HTTPRoute rules that, + when activated, trigger the auth rule. At least one selected + HTTPRoute rule must match to trigger the auth rule. If + no route selectors are specified, the auth rule will be + evaluated at all requests to the protected routes. 
+ items: + description: RouteSelector defines semantics for matching + an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + properties: + hostnames: + description: Hostnames defines a set of hostname that + should match against the HTTP Host header to select + a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + items: + description: "Hostname is the fully qualified domain + name of a network host. This matches the RFC 1123 + definition of a hostname with 2 notable exceptions: + \n 1. IPs are not allowed. 2. A hostname may be + prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + \n Hostname can be \"precise\" which is a domain + name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", + which is a domain name prefixed with a single + wildcard label (e.g. `*.example.com`). \n Note + that as per RFC1035 and RFC1123, a *label* must + consist of lower case alphanumeric characters + or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + type: array + matches: + description: Matches define conditions used for matching + the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + items: + description: "HTTPRouteMatch defines the predicate + used to match requests to a given action. Multiple + match types are ANDed together, i.e. the match + will evaluate to true only if all conditions are + satisfied. 
\n For example, the match below will + match a HTTP request only if its path starts with + `/foo` AND it contains the `version: v1` header: + \n ``` match: \n path: value: \"/foo\" headers: + - name: \"version\" value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request + header matchers. Multiple match values are + ANDed together, meaning, a request must match + all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how + to select a HTTP route by matching HTTP + request headers. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, only the first entry with + an equivalent name MUST be considered + for a match. Subsequent entries with + an equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent. \n When a header is repeated + in an HTTP request, it is implementation-specific + behavior as to how this is represented. + Generally, proxies should follow the + guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, + with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match + against the value of the header. \n + Support: Core (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + HeaderMatchType has implementation-specific + conformance, implementations can support + POSIX, PCRE or any other dialects of + regular expressions. Please read the + implementation's documentation to determine + the supported dialect." 
+ enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. + When specified, this route will be matched + only if the request has the specified method. + \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path + matcher. If this field is not specified, a + default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match + against the path Value. \n Support: Core + (Exact, PathPrefix) \n Support: Implementation-specific + (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match + against. + maxLength: 1024 + type: string + type: object + x-kubernetes-validations: + - message: value must be an absolute path and + start with '/' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? self.value.startsWith(''/'') : true' + - message: must not contain '//' when type one + of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''//'') : true' + - message: must not contain '/./' when type + one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''/./'') : true' + - message: must not contain '/../' when type + one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? 
!self.value.contains(''/../'') : true' + - message: must not contain '%2f' when type + one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''%2f'') : true' + - message: must not contain '%2F' when type + one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''%2F'') : true' + - message: must not contain '#' when type one + of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''#'') : true' + - message: must not end with '/..' when type + one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.endsWith(''/..'') : true' + - message: must not end with '/.' when type + one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.endsWith(''/.'') : true' + - message: type must be one of ['Exact', 'PathPrefix', + 'RegularExpression'] + rule: self.type in ['Exact','PathPrefix'] + || self.type == 'RegularExpression' + - message: must only contain valid characters + (matching ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$) + for types ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") + : true' + queryParams: + description: "QueryParams specifies HTTP query + parameter matchers. Multiple match values + are ANDed together, meaning, a request must + match all the specified query parameters to + select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes + how to select a HTTP route by matching HTTP + query parameters. + properties: + name: + description: "Name is the name of the + HTTP query param to be matched. This + must be an exact string match. (See + https://tools.ietf.org/html/rfc7230#section-2.7.3). 
+ \n If multiple entries specify equivalent + query param names, only the first entry + with an equivalent name MUST be considered + for a match. Subsequent entries with + an equivalent query param name MUST + be ignored. \n If a query param is repeated + in an HTTP request, the behavior is + purposely left undefined, since different + data planes have different capabilities. + However, it is *recommended* that implementations + should match against the first value + of the param if the data plane supports + it, as this behavior is expected in + other load balancing contexts outside + of the Gateway API. \n Users SHOULD + NOT route traffic based on repeated + query params to guard themselves against + potential differences in the implementations." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match + against the value of the query parameter. + \n Support: Extended (Exact) \n Support: + Implementation-specific (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has Implementation-specific conformance, + implementations can support POSIX, PCRE + or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP + query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 15 + type: array + uma: + description: User-Managed Access (UMA) source of resource + data. 
+ properties: + credentialsRef: + description: Reference to a Kubernetes secret in the + same namespace, that stores client credentials to + the resource registration API of the UMA server. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + type: object + x-kubernetes-map-type: atomic + endpoint: + description: The endpoint of the UMA server. The value + must coincide with the "issuer" claim of the UMA config + discovered from the well-known uma configuration endpoint. + type: string + required: + - credentialsRef + - endpoint + type: object + userInfo: + description: OpendID Connect UserInfo linked to an OIDC + authentication config specified in this same AuthConfig. + properties: + identitySource: + description: The name of an OIDC-enabled JWT authentication + config whose OpenID Connect configuration discovered + includes the OIDC "userinfo_endpoint" claim. + type: string + required: + - identitySource + type: object + when: + description: Conditions for Authorino to enforce this config. + If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to + be enforced; otherwise, the config will be skipped. + items: + properties: + all: + description: A list of pattern expressions to be evaluated + as a logical AND. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions to be evaluated + as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + operator: + description: 'The binary operator to be applied to + the content fetched from the authorization JSON, + for comparison with "value". 
Possible values are: + "eq" (equal to), "neq" (not equal to), "incl" (includes; + for arrays), "excl" (excludes; for arrays), "matches" + (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Reference to a named set of pattern expressions + type: string + selector: + description: Path selector to fetch content from the + authorization JSON (e.g. 'request.method'). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path modifiers + are also supported. + type: string + value: + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the value + must compile to a valid Golang regex. + type: string + type: object + type: array + type: object + description: Metadata sources. Authorino fetches auth metadata + as JSON from sources specified in this config. + maxProperties: 14 + type: object + response: + description: Response items. Authorino builds custom responses + to the client of the auth request. + properties: + success: + description: Response items to be included in the auth response + when the request is authenticated and authorized. For integration + of Authorino via proxy, the proxy must use these settings + to propagate dynamic metadata and/or inject data in the + request. + properties: + dynamicMetadata: + additionalProperties: + properties: + cache: + description: Caching options for the resolved object + returned when applying this config. Omit it to + avoid caching objects for this config. + properties: + key: + description: Key used to store the entry in + the cache. The resolved key must be unique + within the scope of this particular config. + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. 
"Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external + data in the cache before pulled again from + the source. + type: integer + required: + - key + type: object + json: + description: JSON object Specify it as the list + of properties of the object, whose values can + combine static values and values selected from + the authorization JSON. + properties: + properties: + additionalProperties: + properties: + selector: + description: 'Simple path selector to + fetch content from the authorization + JSON (e.g. ''request.method'') or a + string template with variables that + resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino + custom modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + required: + - properties + type: object + key: + description: The key used to add the custom response + item (name of the HTTP header or root property + of the Dynamic Metadata object). If omitted, it + will be set to the name of the response config. + type: string + metrics: + default: false + description: Whether this config should generate + individual observability metrics + type: boolean + plain: + description: Plain text content + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. 
+ ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + priority: + default: 0 + description: Priority group of the config. All configs + in the same priority group are evaluated concurrently; + consecutive priority groups are evaluated sequentially. + type: integer + routeSelectors: + description: Top-level route selectors. If present, + the elements will be used to select HTTPRoute + rules that, when activated, trigger the auth rule. + At least one selected HTTPRoute rule must match + to trigger the auth rule. If no route selectors + are specified, the auth rule will be evaluated + at all requests to the protected routes. + items: + description: RouteSelector defines semantics for + matching an HTTP request based on conditions + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + properties: + hostnames: + description: Hostnames defines a set of hostname + that should match against the HTTP Host + header to select a HTTPRoute to process + the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + items: + description: "Hostname is the fully qualified + domain name of a network host. This matches + the RFC 1123 definition of a hostname + with 2 notable exceptions: \n 1. IPs are + not allowed. 2. A hostname may be prefixed + with a wildcard label (`*.`). The wildcard + label must appear by itself as the first + label. \n Hostname can be \"precise\" + which is a domain name without the terminating + dot of a network host (e.g. 
\"foo.example.com\") + or \"wildcard\", which is a domain name + prefixed with a single wildcard label + (e.g. `*.example.com`). \n Note that as + per RFC1035 and RFC1123, a *label* must + consist of lower case alphanumeric characters + or '-', and must start and end with an + alphanumeric character. No other punctuation + is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + type: array + matches: + description: Matches define conditions used + for matching the rule against incoming HTTP + requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + items: + description: "HTTPRouteMatch defines the + predicate used to match requests to a + given action. Multiple match types are + ANDed together, i.e. the match will evaluate + to true only if all conditions are satisfied. + \n For example, the match below will match + a HTTP request only if its path starts + with `/foo` AND it contains the `version: + v1` header: \n ``` match: \n path: value: + \"/foo\" headers: - name: \"version\" + value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP + request header matchers. Multiple + match values are ANDed together, meaning, + a request must match all the specified + headers to select the route. + items: + description: HTTPHeaderMatch describes + how to select a HTTP route by matching + HTTP request headers. + properties: + name: + description: "Name is the name + of the HTTP Header to be matched. + Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify + equivalent header names, only + the first entry with an equivalent + name MUST be considered for + a match. Subsequent entries + with an equivalent header name + MUST be ignored. Due to the + case-insensitivity of header + names, \"foo\" and \"Foo\" are + considered equivalent. 
\n When + a header is repeated in an HTTP + request, it is implementation-specific + behavior as to how this is represented. + Generally, proxies should follow + the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated + header, with special handling + for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how + to match against the value of + the header. \n Support: Core + (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since + RegularExpression HeaderMatchType + has implementation-specific + conformance, implementations + can support POSIX, PCRE or any + other dialects of regular expressions. + Please read the implementation's + documentation to determine the + supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value + of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP + method matcher. When specified, this + route will be matched only if the + request has the specified method. + \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request + path matcher. If this field is not + specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how + to match against the path Value. 
+ \n Support: Core (Exact, PathPrefix) + \n Support: Implementation-specific + (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path + to match against. + maxLength: 1024 + type: string + type: object + x-kubernetes-validations: + - message: value must be an absolute + path and start with '/' when type + one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? self.value.startsWith(''/'') : + true' + - message: must not contain '//' when + type one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''//'') : + true' + - message: must not contain '/./' when + type one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''/./'') + : true' + - message: must not contain '/../' when + type one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''/../'') + : true' + - message: must not contain '%2f' when + type one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''%2f'') + : true' + - message: must not contain '%2F' when + type one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''%2F'') + : true' + - message: must not contain '#' when + type one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''#'') : + true' + - message: must not end with '/..' when + type one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.endsWith(''/..'') + : true' + - message: must not end with '/.' when + type one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? 
!self.value.endsWith(''/.'') : + true' + - message: type must be one of ['Exact', + 'PathPrefix', 'RegularExpression'] + rule: self.type in ['Exact','PathPrefix'] + || self.type == 'RegularExpression' + - message: must only contain valid characters + (matching ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$) + for types ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") + : true' + queryParams: + description: "QueryParams specifies + HTTP query parameter matchers. Multiple + match values are ANDed together, meaning, + a request must match all the specified + query parameters to select the route. + \n Support: Extended" + items: + description: HTTPQueryParamMatch describes + how to select a HTTP route by matching + HTTP query parameters. + properties: + name: + description: "Name is the name + of the HTTP query param to be + matched. This must be an exact + string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify + equivalent query param names, + only the first entry with an + equivalent name MUST be considered + for a match. Subsequent entries + with an equivalent query param + name MUST be ignored. \n If + a query param is repeated in + an HTTP request, the behavior + is purposely left undefined, + since different data planes + have different capabilities. + However, it is *recommended* + that implementations should + match against the first value + of the param if the data plane + supports it, as this behavior + is expected in other load balancing + contexts outside of the Gateway + API. \n Users SHOULD NOT route + traffic based on repeated query + params to guard themselves against + potential differences in the + implementations." 
+ maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how + to match against the value of + the query parameter. \n Support: + Extended (Exact) \n Support: + Implementation-specific (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has Implementation-specific + conformance, implementations + can support POSIX, PCRE or any + other dialects of regular expressions. + Please read the implementation's + documentation to determine the + supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value + of HTTP query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 15 + type: array + when: + description: Conditions for Authorino to enforce + this config. If omitted, the config will be enforced + for all requests. If present, all conditions must + match for the config to be enforced; otherwise, + the config will be skipped. + items: + properties: + all: + description: A list of pattern expressions + to be evaluated as a logical AND. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions + to be evaluated as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + operator: + description: 'The binary operator to be applied + to the content fetched from the authorization + JSON, for comparison with "value". 
Possible + values are: "eq" (equal to), "neq" (not + equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" + (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Reference to a named set of pattern + expressions + type: string + selector: + description: Path selector to fetch content + from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path + modifiers are also supported. + type: string + value: + description: The value of reference for the + comparison with the content fetched from + the authorization JSON. If used with the + "matches" operator, the value must compile + to a valid Golang regex. + type: string + type: object + type: array + wristband: + description: Authorino Festival Wristband token + properties: + customClaims: + additionalProperties: + properties: + selector: + description: 'Simple path selector to + fetch content from the authorization + JSON (e.g. ''request.method'') or a + string template with variables that + resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino + custom modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Any claims to be added to the wristband + token apart from the standard JWT claims (iss, + iat, exp) added by default. 
+ type: object + issuer: + description: 'The endpoint to the Authorino + service that issues the wristband (format: + ://:/, where + = /://:/, where + = / The path portion of the URL' + maxLength: 253 + minLength: 1 + type: string + type: array + rates: + description: Rates holds the list of limit rates + items: + description: Rate defines the actual rate limit that will + be used when there is a match + properties: + duration: + description: Duration defines the time period for which + the Limit specified above applies. + type: integer + limit: + description: Limit defines the max value allowed for a + given period of time + type: integer + unit: + description: 'Duration defines the time uni Possible values + are: "second", "minute", "hour", "day"' + enum: + - second + - minute + - hour + - day + type: string + required: + - duration + - limit + - unit + type: object + type: array + routeSelectors: + description: RouteSelectors defines semantics for matching an + HTTP request based on conditions + items: + description: RouteSelector defines semantics for matching + an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + properties: + hostnames: + description: Hostnames defines a set of hostname that + should match against the HTTP Host header to select + a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + items: + description: "Hostname is the fully qualified domain + name of a network host. This matches the RFC 1123 + definition of a hostname with 2 notable exceptions: + \n 1. IPs are not allowed. 2. A hostname may be prefixed + with a wildcard label (`*.`). The wildcard label must + appear by itself as the first label. \n Hostname can + be \"precise\" which is a domain name without the + terminating dot of a network host (e.g. 
\"foo.example.com\") + or \"wildcard\", which is a domain name prefixed with + a single wildcard label (e.g. `*.example.com`). \n + Note that as per RFC1035 and RFC1123, a *label* must + consist of lower case alphanumeric characters or '-', + and must start and end with an alphanumeric character. + No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + type: array + matches: + description: Matches define conditions used for matching + the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + items: + description: "HTTPRouteMatch defines the predicate used + to match requests to a given action. Multiple match + types are ANDed together, i.e. the match will evaluate + to true only if all conditions are satisfied. \n For + example, the match below will match a HTTP request + only if its path starts with `/foo` AND it contains + the `version: v1` header: \n ``` match: \n path: value: + \"/foo\" headers: - name: \"version\" value \"v1\" + \n ```" + properties: + headers: + description: Headers specifies HTTP request header + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified + headers to select the route. + items: + description: HTTPHeaderMatch describes how to + select a HTTP route by matching HTTP request + headers. + properties: + name: + description: "Name is the name of the HTTP + Header to be matched. Name matching MUST + be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, only the first entry with + an equivalent name MUST be considered for + a match. Subsequent entries with an equivalent + header name MUST be ignored. Due to the + case-insensitivity of header names, \"foo\" + and \"Foo\" are considered equivalent. 
\n + When a header is repeated in an HTTP request, + it is implementation-specific behavior as + to how this is represented. Generally, proxies + should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, + with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match + against the value of the header. \n Support: + Core (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + HeaderMatchType has implementation-specific + conformance, implementations can support + POSIX, PCRE or any other dialects of regular + expressions. Please read the implementation's + documentation to determine the supported + dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. + When specified, this route will be matched only + if the request has the specified method. \n Support: + Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path + matcher. If this field is not specified, a default + prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. 
\n Support: Core (Exact, PathPrefix) + \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match + against. + maxLength: 1024 + type: string + type: object + x-kubernetes-validations: + - message: value must be an absolute path and start + with '/' when type one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? self.value.startsWith(''/'') : true' + - message: must not contain '//' when type one of + ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''//'') : true' + - message: must not contain '/./' when type one + of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''/./'') : true' + - message: must not contain '/../' when type one + of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''/../'') : true' + - message: must not contain '%2f' when type one + of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''%2f'') : true' + - message: must not contain '%2F' when type one + of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''%2F'') : true' + - message: must not contain '#' when type one of + ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.contains(''#'') : true' + - message: must not end with '/..' when type one + of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? !self.value.endsWith(''/..'') : true' + - message: must not end with '/.' when type one + of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? 
!self.value.endsWith(''/.'') : true' + - message: type must be one of ['Exact', 'PathPrefix', + 'RegularExpression'] + rule: self.type in ['Exact','PathPrefix'] || self.type + == 'RegularExpression' + - message: must only contain valid characters (matching + ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$) + for types ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) + ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") + : true' + queryParams: + description: "QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified + query parameters to select the route. \n Support: + Extended" + items: + description: HTTPQueryParamMatch describes how + to select a HTTP route by matching HTTP query + parameters. + properties: + name: + description: "Name is the name of the HTTP + query param to be matched. This must be + an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent + query param names, only the first entry + with an equivalent name MUST be considered + for a match. Subsequent entries with an + equivalent query param name MUST be ignored. + \n If a query param is repeated in an HTTP + request, the behavior is purposely left + undefined, since different data planes have + different capabilities. However, it is *recommended* + that implementations should match against + the first value of the param if the data + plane supports it, as this behavior is expected + in other load balancing contexts outside + of the Gateway API. \n Users SHOULD NOT + route traffic based on repeated query params + to guard themselves against potential differences + in the implementations." 
+ maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match + against the value of the query parameter. + \n Support: Extended (Exact) \n Support: + Implementation-specific (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has Implementation-specific conformance, + implementations can support POSIX, PCRE + or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query + param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 15 + type: array + when: + description: When holds the list of conditions for the policy + to be enforced. Called also "soft" conditions as route selectors + must also match + items: + description: RouteSelector defines semantics for matching + an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + properties: + operator: + description: 'The binary operator to be applied to the + content fetched from the selector Possible values are: + "eq" (equal to), "neq" (not equal to)' + enum: + - eq + - neq + - startswith + - endswith + - incl + - excl + - matches + type: string + selector: + description: Selector defines one item from the well known + selectors TODO Document properly "Well-known selector" + https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors + maxLength: 253 + minLength: 1 + type: string + value: + description: The value of reference for the comparison. 
+ type: string + required: + - operator + - selector + - value + type: object + type: array + type: object + description: Limits holds the struct of limits indexed by a unique + name + maxProperties: 14 + type: object + targetRef: + description: TargetRef identifies an API object to apply policy to. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. When + unspecified, the local namespace is inferred. Even when policy + targets a resource in a different namespace, it MUST only apply + to traffic originating from the same namespace as the policy. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - targetRef + type: object + status: + description: RateLimitPolicyStatus defines the observed state of RateLimitPolicy + properties: + conditions: + description: 'Represents the observations of a foo''s current state. + Known .status.conditions.type are: "Available"' + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources
+ like Available, but because arbitrary conditions can be useful
+ (see .node.status.conditions), the ability to deconflict is
+ important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ observedGeneration:
+ description: ObservedGeneration reflects the generation of the most
+ recently observed spec.
+ format: int64
+ type: integer
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
diff --git a/operators/kuadrant-operator/0.5.0/metadata/annotations.yaml b/operators/kuadrant-operator/0.5.0/metadata/annotations.yaml
new file mode 100644
index 00000000000..b7f71e4d44f
--- /dev/null
+++ b/operators/kuadrant-operator/0.5.0/metadata/annotations.yaml
@@ -0,0 +1,15 @@
+annotations:
+ # Core bundle annotations.
+ operators.operatorframework.io.bundle.mediatype.v1: registry+v1
+ operators.operatorframework.io.bundle.manifests.v1: manifests/
+ operators.operatorframework.io.bundle.metadata.v1: metadata/
+ operators.operatorframework.io.bundle.package.v1: kuadrant-operator
+ operators.operatorframework.io.bundle.channels.v1: stable
+ operators.operatorframework.io.bundle.channel.default.v1: stable
+ operators.operatorframework.io.metrics.builder: operator-sdk-v1.32.0
+ operators.operatorframework.io.metrics.mediatype.v1: metrics+v1
+ operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v3
+
+ # Annotations for testing.
+ operators.operatorframework.io.test.mediatype.v1: scorecard+v1
+ operators.operatorframework.io.test.config.v1: tests/scorecard/
diff --git a/operators/kuadrant-operator/0.5.0/metadata/dependencies.yaml b/operators/kuadrant-operator/0.5.0/metadata/dependencies.yaml
new file mode 100644
index 00000000000..07079db22f8
--- /dev/null
+++ b/operators/kuadrant-operator/0.5.0/metadata/dependencies.yaml
@@ -0,0 +1,9 @@
+dependencies:
+ - type: olm.package
+ value:
+ packageName: authorino-operator
+ version: "0.10.0"
+ - type: olm.package
+ value:
+ packageName: limitador-operator
+ version: "0.7.0"
diff --git a/operators/kuadrant-operator/0.5.0/tests/scorecard/config.yaml b/operators/kuadrant-operator/0.5.0/tests/scorecard/config.yaml
new file mode 100644
index 00000000000..14c9f7c3919
--- /dev/null
+++ b/operators/kuadrant-operator/0.5.0/tests/scorecard/config.yaml
@@ -0,0 +1,70 @@
+apiVersion: scorecard.operatorframework.io/v1alpha3
+kind: Configuration
+metadata:
+ name: config
+stages:
+- parallel: true
+ tests:
+ - entrypoint:
+ - scorecard-test
+ - basic-check-spec
+ image: quay.io/operator-framework/scorecard-test:v1.15.0
+ labels:
+ suite: basic
+ test: basic-check-spec-test
+ storage:
+ spec:
+ mountPath: {}
+ - entrypoint:
+ - scorecard-test
+ - olm-bundle-validation
+ image: quay.io/operator-framework/scorecard-test:v1.15.0
+ labels:
+ suite: olm
+ test: olm-bundle-validation-test
+ storage:
+ spec:
+ mountPath: {}
+ - entrypoint:
+ - scorecard-test
+ - olm-crds-have-validation
+ image: quay.io/operator-framework/scorecard-test:v1.15.0
+ labels:
+ suite: olm
+ test: olm-crds-have-validation-test
+ storage:
+ spec:
+ mountPath: {}
+ - entrypoint:
+ - scorecard-test
+ - olm-crds-have-resources
+ image: quay.io/operator-framework/scorecard-test:v1.15.0
+ labels:
+ suite: olm
+ test: olm-crds-have-resources-test
+ storage:
+ spec:
+ mountPath: {}
+ - entrypoint:
+ - scorecard-test
+ - olm-spec-descriptors
+ image: quay.io/operator-framework/scorecard-test:v1.15.0
+ labels:
+ suite: olm
+ test: olm-spec-descriptors-test
+ storage:
+ spec:
+ mountPath: {}
+ - entrypoint:
+ - scorecard-test
+ - olm-status-descriptors
+ image: quay.io/operator-framework/scorecard-test:v1.15.0
+ labels:
+ suite: olm
+ test: olm-status-descriptors-test
+ storage:
+ spec:
+ mountPath: {}
+storage:
+ spec:
+ mountPath: {}
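Review bot: All six scorecard test entries reference `quay.io/operator-framework/scorecard-test:v1.15.0` by a mutable tag only, so the image the scorecard runs is whatever the registry serves under that tag at test time rather than a fixed artifact. Since the same image is repeated on every `image:` line, pinning it once by digest, e.g. `image: quay.io/operator-framework/scorecard-test:v1.15.0@sha256:<DIGEST-PLACEHOLDER>`, makes the bundle's test stage reproducible and verifiable. The tag also looks behind the toolchain recorded in the bundle metadata (`operators.operatorframework.io.metrics.builder: operator-sdk-v1.32.0` in annotations.yaml), which is presumably the scaffold default rather than a deliberate choice; worth confirming the intended scorecard-test version before pinning.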