From 5d8e9197a884d229399d16791a778ea85e96aadc Mon Sep 17 00:00:00 2001 From: Eguzki Astiz Lezaun Date: Mon, 28 Feb 2022 15:45:23 +0100 Subject: [PATCH 1/4] kuadrant-controller main ref from main branch --- Makefile | 4 +- kuadrantmanifests/autogenerated/kuadrant.yaml | 504 +++++------------- 2 files changed, 135 insertions(+), 373 deletions(-) diff --git a/Makefile b/Makefile index c54d551..1219e5f 100644 --- a/Makefile +++ b/Makefile @@ -71,8 +71,8 @@ istio-manifest-update-test: generate-istio-manifests [ -z "$$(git ls-files --other --exclude-standard --directory --no-empty-directory ./istiomanifests/autogenerated)" ] # Generates kuadrant manifests. -KUADRANTVERSION=v0.2.1 -KUADRANT_CONTROLLER_IMAGE=quay.io/3scale/kuadrant-controller:$(KUADRANTVERSION) +KUADRANTVERSION=main +KUADRANT_CONTROLLER_IMAGE=quay.io/kuadrant/kuadrant-controller:$(KUADRANTVERSION) .PHONY: generate-kuadrant-manifests generate-kuadrant-manifests: $(eval TMP := $(shell mktemp -d)) diff --git a/kuadrantmanifests/autogenerated/kuadrant.yaml b/kuadrantmanifests/autogenerated/kuadrant.yaml index 96e5f1e..1cd7dc2 100644 --- a/kuadrantmanifests/autogenerated/kuadrant.yaml +++ b/kuadrantmanifests/autogenerated/kuadrant.yaml 
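Review bot: `KUADRANTVERSION=main` swaps a pinned release for a mutable branch name, so `quay.io/kuadrant/kuadrant-controller:main` (and the same reference baked into the regenerated kuadrant.yaml further down) resolves to whatever was last pushed, which makes the deployment non-reproducible and lets an upstream push or registry compromise change what runs with no change in this repo. If tracking `main` is deliberate for development, I would pin to a commit SHA or image digest instead (`KUADRANT_CONTROLLER_IMAGE=quay.io/kuadrant/kuadrant-controller@sha256:…`) and bump on regeneration, or at minimum add `# DEV ONLY: mutable ref, pin before release` above the two assignments. Note also that the manifest regenerated with this ref drops the kube-rbac-proxy sidecar, its tokenreviews/subjectaccessreviews ClusterRole and the `kuadrant-metrics-reader` role, and moves the metrics listener from `127.0.0.1:8080` to `:8080` on a plain port-8080 Service, so the controller's metrics endpoint is now served without any authentication; that comes from upstream, but it is exactly the kind of behaviour change a floating tag pulls in silently. The same concern applies to the limitador and authorino bumps in patches 2 and 3 of this series; the `generate-kuadrant-manifests` recipe continues past the end of the hunk.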
@@ -14,20 +14,20 @@ metadata: creationTimestamp: null labels: app: kuadrant - name: apiproducts.networking.kuadrant.io + name: ratelimitpolicies.apim.kuadrant.io spec: - group: networking.kuadrant.io + group: apim.kuadrant.io names: - kind: APIProduct - listKind: APIProductList - plural: apiproducts - singular: apiproduct + kind: RateLimitPolicy + listKind: RateLimitPolicyList + plural: ratelimitpolicies + singular: ratelimitpolicy scope: Namespaced versions: - - name: v1beta1 + - name: v1alpha1 schema: openAPIV3Schema: - description: APIProduct is the Schema for the apiproducts API + description: RateLimitPolicy is the Schema for the ratelimitpolicies API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 
@@ -38,296 +38,135 @@ spec: metadata: type: object spec: - description: APIProductSpec defines the desired state of APIProduct + description: RateLimitPolicySpec defines the desired state of RateLimitPolicy properties: - APIs: - description: The list of kuadrant API to be protected + limits: items: + description: RateLimitSpec defines the desired state of RateLimit properties: - name: - description: Kuadrant API object name - type: string + conditions: + items: + type: string + type: array + max_value: + type: integer namespace: - description: Kuadrant API object namespace - type: string - prefix: - description: Public prefix path to be added to all paths exposed by the API - type: string - tag: type: string + seconds: + type: integer + variables: + items: + type: string + type: array required: - - name + - conditions + - max_value - namespace + - seconds + - variables type: object - minItems: 1 type: array - hosts: - description: The destination hosts to which traffic is being sent. Could be a DNS name with wildcard prefix or an IP address. Depending on the platform, short-names can also be used instead of a FQDN (i.e. has no dots in the name). In such a scenario, the FQDN of the host would be derived based on the underlying platform. + rateLimits: + description: RateLimits are used for all of the matching rules items: - type: string + properties: + actions: + items: + description: Action_Specifier defines the envoy rate limit actions + properties: + generic_key: + properties: + descriptor_key: + type: string + descriptor_value: + type: string + required: + - descriptor_key + - descriptor_value + type: object + type: object + type: array + stage: + description: 'Definfing phase at which rate limits will be applied. 
Valid values are: PREAUTH, POSTAUTH, BOTH' + enum: + - PREAUTH + - POSTAUTH + - BOTH + type: string + required: + - stage + type: object type: array - rateLimit: - description: RateLimit configures global rate limit parameters - properties: - authenticated: - description: AuthRateLimit configures the same rate limit parameters per each authenticated client - properties: - maxValue: - description: MaxValue represents the number of requests allowed per defined period of time. - format: int32 - type: integer - period: - description: Period represents the period of time in seconds. - format: int32 - type: integer - required: - - maxValue - - period - type: object - global: - description: Global configures a single global rate limit for all requests. - properties: - maxValue: - description: MaxValue represents the number of requests allowed per defined period of time. - format: int32 - type: integer - period: - description: Period represents the period of time in seconds. - format: int32 - type: integer - required: - - maxValue - - period - type: object - perRemoteIP: - description: PerRemoteIPRateLimit configures the same rate limit parameters per each remote address - properties: - maxValue: - description: MaxValue represents the number of requests allowed per defined period of time. - format: int32 - type: integer - period: - description: Period represents the period of time in seconds. 
- format: int32 - type: integer - required: - - maxValue - - period - type: object - type: object - securityScheme: - description: Configure authentication mechanisms + routes: + description: route specific staging and actions items: properties: - apiKeyAuth: - properties: - credential_source: - properties: - labelSelectors: - additionalProperties: - type: string - type: object - required: - - labelSelectors - type: object - location: - type: string - name: - type: string - required: - - credential_source - - location - - name - type: object name: + description: name of the route present in the virutalservice type: string - openIDConnectAuth: - properties: - url: - type: string - required: - - url - type: object + rateLimits: + items: + properties: + actions: + items: + description: Action_Specifier defines the envoy rate limit actions + properties: + generic_key: + properties: + descriptor_key: + type: string + descriptor_value: + type: string + required: + - descriptor_key + - descriptor_value + type: object + type: object + type: array + stage: + description: 'Definfing phase at which rate limits will be applied. 
Valid values are: PREAUTH, POSTAUTH, BOTH' + enum: + - PREAUTH + - POSTAUTH + - BOTH + type: string + required: + - stage + type: object + type: array required: - name type: object type: array - required: - - APIs - - hosts + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map type: object status: - description: APIProductStatus defines the observed state of APIProduct + description: RateLimitPolicyStatus defines the observed state of RateLimitPolicy properties: - conditions: - description: 'Conditions represent the latest available observations of an object''s state Known .status.conditions.type are: "Ready"' + virtualservices: + description: VirtualServices represents the current VirtualService objects with reference to this ratelimitpolicy object items: - description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating details about the transition. This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + gateways: + items: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + type: array + name: type: string required: - - lastTransitionTime - - message - - reason - - status - - type + - name type: object type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - observedgen: - format: int64 - type: integer - required: - - observedgen - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.7.0 - creationTimestamp: null - labels: - app: kuadrant - name: apis.networking.kuadrant.io -spec: - group: networking.kuadrant.io - names: - kind: API - listKind: APIList - plural: apis - singular: api - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: API is the Schema for the apis API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: APISpec defines the desired state of API - properties: - destination: - properties: - schema: - type: string - serviceReference: - description: ServiceReference holds a reference to Service.legacy.k8s.io - properties: - name: - description: name is the name of the service. Required - type: string - namespace: - description: namespace is the namespace of the service. Required - type: string - path: - description: path is an optional URL path at which the webhook will be contacted. - type: string - port: - description: port is an optional service port at which the webhook will be contacted. `port` should be a valid port number (1-65535, inclusive). Defaults to 443 for backward compatibility. - format: int32 - type: integer - required: - - name - - namespace - type: object - required: - - serviceReference - type: object - mappings: - anyOf: - - required: - - OAS - - required: - - HTTPPathMatch - properties: - HTTPPathMatch: - description: Select a HTTP route by matching the HTTP request path. - properties: - type: - default: Prefix - description: "Type specifies how to match against the path Value. \n Support: Core (Exact, Prefix) \n Support: Custom (RegularExpression, ImplementationSpecific) \n Since RegularExpression PathType has custom conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." - enum: - - Exact - - Prefix - - RegularExpression - - ImplementationSpecific - type: string - value: - default: / - description: Value of the HTTP path to match against. 
- type: string - type: object - OAS: - description: Inline OAS - type: string - type: object - required: - - destination - - mappings - type: object - status: - description: APIStatus defines the observed state of API - properties: - observedGeneration: - format: int64 - type: integer - ready: - type: boolean - required: - - observedGeneration - - ready type: object type: object served: true @@ -388,9 +227,9 @@ metadata: name: kuadrant-manager-role rules: - apiGroups: - - authorino.kuadrant.io + - apim.kuadrant.io resources: - - authconfigs + - ratelimitpolicies verbs: - create - delete @@ -400,28 +239,28 @@ rules: - update - watch - apiGroups: - - "" + - apim.kuadrant.io resources: - - configmaps - - services + - ratelimitpolicies/finalizers verbs: - - get - - list - - watch + - update - apiGroups: - - "" + - apim.kuadrant.io resources: - - events + - ratelimitpolicies/status verbs: - - create + - get - patch + - update - apiGroups: - - "" + - gateway.networking.k8s.io resources: - - services + - httproutes verbs: - get - list + - patch + - update - watch - apiGroups: - limitador.kuadrant.io @@ -450,44 +289,21 @@ rules: - apiGroups: - networking.istio.io resources: - - virtualservices + - gateways verbs: - - create - - delete - get - list - - patch - - update - watch - apiGroups: - - networking.kuadrant.io + - networking.istio.io resources: - - apiproducts - - apis + - virtualservices verbs: - - create - - delete - get - list - patch - update - watch -- apiGroups: - - networking.kuadrant.io - resources: - - apiproducts/finalizers - - apis/finalizers - verbs: - - update -- apiGroups: - - networking.kuadrant.io - resources: - - apiproducts/status - - apis/status - verbs: - - get - - patch - - update - apiGroups: - security.istio.io resources: 
@@ -502,38 +318,6 @@ rules: - watch --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: kuadrant - name: kuadrant-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: kuadrant - name: kuadrant-proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: @@ -564,21 +348,6 @@ subjects: name: kuadrant-controller-manager namespace: kuadrant-system --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: kuadrant - name: kuadrant-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kuadrant-proxy-role -subjects: -- kind: ServiceAccount - name: kuadrant-controller-manager - namespace: kuadrant-system ---- apiVersion: v1 data: controller_manager_config.yaml: | @@ -587,7 +356,7 @@ data: health: healthProbeBindAddress: :8081 metrics: - bindAddress: 127.0.0.1:8080 + bindAddress: :8080 webhook: port: 9443 leaderElection: @@ -610,9 +379,9 @@ metadata: namespace: kuadrant-system spec: ports: - - name: https - port: 8443 - targetPort: https + - name: metrics + port: 8080 + targetPort: metrics selector: app: kuadrant control-plane: controller-manager @@ -642,7 +411,7 @@ spec: - --config=controller_manager_config.yaml command: - /manager - image: quay.io/3scale/kuadrant-controller:v0.2.1 + image: quay.io/kuadrant/kuadrant-controller:main livenessProbe: httpGet: path: /healthz @@ -650,6 +419,9 @@ spec: initialDelaySeconds: 15 periodSeconds: 20 name: manager + ports: + - containerPort: 8080 + name: metrics readinessProbe: httpGet: path: /readyz 
@@ -669,16 +441,6 @@ spec: - mountPath: /controller_manager_config.yaml name: manager-config subPath: controller_manager_config.yaml - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https securityContext: runAsNonRoot: true serviceAccountName: kuadrant-controller-manager From 82aee0b356dec24427a3dc63de7924cac456521d Mon Sep 17 00:00:00 2001 From: Eguzki Astiz Lezaun Date: Mon, 28 Feb 2022 15:48:12 +0100 Subject: [PATCH 2/4] limitador operator main ref from main branch --- Makefile | 4 ++-- limitadormanifests/autogenerated/limitador-operator.yaml | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Makefile b/Makefile index 1219e5f..cdaa3e4 100644 --- a/Makefile +++ b/Makefile @@ -89,8 +89,8 @@ kuadrant-manifest-update-test: generate-kuadrant-manifests [ -z "$$(git ls-files --other --exclude-standard --directory --no-empty-directory ./kuadrantmanifests/autogenerated)" ] # Generates limitador manifests. -LIMITADOR_OPERATOR_VERSION=v0.2.0 -LIMITADOR_OPERATOR_IMAGE=quay.io/3scale/limitador-operator:$(LIMITADOR_OPERATOR_VERSION) +LIMITADOR_OPERATOR_VERSION=main +LIMITADOR_OPERATOR_IMAGE=quay.io/kuadrant/limitador-operator:$(LIMITADOR_OPERATOR_VERSION) .PHONY: generate-limitador-operator-manifests generate-limitador-operator-manifests: $(eval TMP := $(shell mktemp -d)) diff --git a/limitadormanifests/autogenerated/limitador-operator.yaml b/limitadormanifests/autogenerated/limitador-operator.yaml index de6383d..2a0c4a5 100644 --- a/limitadormanifests/autogenerated/limitador-operator.yaml +++ b/limitadormanifests/autogenerated/limitador-operator.yaml 
@@ -9,7 +9,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.1 + controller-gen.kubebuilder.io/version: v0.7.0 creationTimestamp: null name: limitadors.limitador.kuadrant.io spec: @@ -61,7 +61,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.1 + controller-gen.kubebuilder.io/version: v0.7.0 creationTimestamp: null name: ratelimits.limitador.kuadrant.io spec: @@ -376,7 +376,7 @@ spec: - --leader-elect command: - /manager - image: quay.io/3scale/limitador-operator:v0.2.0 + image: quay.io/kuadrant/limitador-operator:main livenessProbe: httpGet: path: /healthz From 901f3d6195da97e87e4547c85fa0250cc9ae6607 Mon Sep 17 00:00:00 2001 From: Eguzki Astiz Lezaun Date: Mon, 28 Feb 2022 15:50:43 +0100 Subject: [PATCH 3/4] authorino operator main ref from main branch --- Makefile | 2 +- .../autogenerated/authorino-operator.yaml | 908 +++++------------- 2 files changed, 267 insertions(+), 643 deletions(-) diff --git a/Makefile b/Makefile index cdaa3e4..a822768 100644 --- a/Makefile +++ b/Makefile @@ -107,7 +107,7 @@ limitador-operator-manifest-update-test: generate-limitador-operator-manifests [ -z "$$(git ls-files --other --exclude-standard --directory --no-empty-directory ./limitadormanifests/autogenerated)" ] # Generates authorino operator manifests. -AUTHORINO_OPERATOR_VERSION=v0.1.0 +AUTHORINO_OPERATOR_VERSION=main .PHONY: generate-authorino-operator-manifests generate-authorino-operator-manifests: curl -sSf https://raw.githubusercontent.com/Kuadrant/authorino-operator/$(AUTHORINO_OPERATOR_VERSION)/config/deploy/manifests.yaml > $(PROJECT_PATH)/authorinomanifests/autogenerated/authorino-operator.yaml diff --git a/authorinomanifests/autogenerated/authorino-operator.yaml b/authorinomanifests/autogenerated/authorino-operator.yaml index 50dd798..328e6ff 100644 
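Review bot: The `generate-authorino-operator-manifests` recipe at the end of this hunk now downloads `config/deploy/manifests.yaml` from the `main` branch over raw.githubusercontent.com with no pin and no integrity check, and because the shell opens the `>` redirection before curl runs, a failed fetch (even with `-sSf`) leaves a truncated, empty `authorino-operator.yaml` in the tree that a later `kubectl apply` would consume without complaint. I would pin `AUTHORINO_OPERATOR_VERSION` to a tag or commit SHA rather than a branch, and write the file atomically: `curl -sSf https://raw.githubusercontent.com/Kuadrant/authorino-operator/$(AUTHORINO_OPERATOR_VERSION)/config/deploy/manifests.yaml -o $(PROJECT_PATH)/authorinomanifests/autogenerated/authorino-operator.yaml.tmp && mv -f $(PROJECT_PATH)/authorinomanifests/autogenerated/authorino-operator.yaml.tmp $(PROJECT_PATH)/authorinomanifests/autogenerated/authorino-operator.yaml`. If a branch ref must stay, recording a `sha256sum` of the expected manifest and checking it before the `mv` would at least make an unexpected upstream change fail loudly here. The recipe may continue beyond the hunk.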
--- a/authorinomanifests/autogenerated/authorino-operator.yaml +++ b/authorinomanifests/autogenerated/authorino-operator.yaml @@ -1,3 +1,10 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + control-plane: controller-manager + name: authorino-operator +--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -50,30 +57,20 @@ spec: description: AuthConfig is the schema for Authorino's AuthConfig API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: - description: Specifies the desired state of the AuthConfig resource, i.e. - the authencation/authorization scheme to be applied to protect the matching - service hosts. + description: Specifies the desired state of the AuthConfig resource, i.e. the authencation/authorization scheme to be applied to protect the matching service hosts. properties: authorization: - description: Authorization is the list of authorization policies. - All policies in this list MUST evaluate to "true" for a request - be successful in the authorization phase. 
+ description: Authorization is the list of authorization policies. All policies in this list MUST evaluate to "true" for a request be successful in the authorization phase. items: - description: 'Authorization policy to be enforced. Apart from "name", - one of the following parameters is required and only one of the - following parameters is allowed: "opa", "json" or "kubernetes".' + description: 'Authorization policy to be enforced. Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "opa", "json" or "kubernetes".' oneOf: - properties: name: {} @@ -98,8 +95,7 @@ spec: description: JSON pattern matching authorization policy. properties: rules: - description: The rules that must all evaluate to "true" - for the request to be authorized. + description: The rules that must all evaluate to "true" for the request to be authorized. items: oneOf: - properties: @@ -116,12 +112,7 @@ spec: - value properties: operator: - description: 'The binary operator to be applied to - the content fetched from the authorization JSON, - for comparison with "value". Possible values are: - "eq" (equal to), "neq" (not equal to), "incl" (includes; - for arrays), "excl" (excludes; for arrays), "matches" - (regex)' + description: 'The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq 
@@ -133,16 +124,10 @@ spec: description: Name of a named pattern type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input - authorization JSON built by Authorino along the - identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization - JSON. If used with the "matches" operator, the value - must compile to a valid Golang regex. + description: The value of reference for the comparison with the content fetched from the authorization JSON. If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array @@ -150,8 +135,7 @@ spec: - rules type: object kubernetes: - description: Kubernetes authorization policy based on `SubjectAccessReview` - Path and Verb are inferred from the request. + description: Kubernetes authorization policy based on `SubjectAccessReview` Path and Verb are inferred from the request. properties: groups: description: Groups to test for. @@ -159,10 +143,7 @@ spec: type: string type: array resourceAttributes: - description: Use ResourceAttributes for checking permissions - on Kubernetes resources If omitted, it performs a non-resource - `SubjectAccessReview`, with verb and path inferred from - the request. + description: Use ResourceAttributes for checking permissions on Kubernetes resources If omitted, it performs a non-resource `SubjectAccessReview`, with verb and path inferred from the request. properties: group: properties: 
@@ -171,17 +152,7 @@ spec: valueFrom: properties: authJSON: - description: 'Selector to fill the value from - the authorization JSON. Any patterns supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The value can be just the pattern - with the path to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!") - The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, and @base64:encode|decode.' + description: 'Selector to fill the value from the authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The value can be just the pattern with the path to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!") The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, and @base64:encode|decode.' type: string type: object type: object 
@@ -192,17 +163,7 @@ spec: valueFrom: properties: authJSON: - description: 'Selector to fill the value from - the authorization JSON. Any patterns supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The value can be just the pattern - with the path to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!") - The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, and @base64:encode|decode.' + description: 'Selector to fill the value from the authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The value can be just the pattern with the path to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!") The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, and @base64:encode|decode.' type: string type: object type: object 
@@ -213,17 +174,7 @@ spec: valueFrom: properties: authJSON: - description: 'Selector to fill the value from - the authorization JSON. Any patterns supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The value can be just the pattern - with the path to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!") - The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, and @base64:encode|decode.' + description: 'Selector to fill the value from the authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The value can be just the pattern with the path to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!") The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, and @base64:encode|decode.' type: string type: object type: object 
@@ -234,17 +185,7 @@ spec: valueFrom: properties: authJSON: - description: 'Selector to fill the value from - the authorization JSON. Any patterns supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The value can be just the pattern - with the path to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!") - The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, and @base64:encode|decode.' + description: 'Selector to fill the value from the authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The value can be just the pattern with the path to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!") The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, and @base64:encode|decode.' type: string type: object type: object 
@@ -255,17 +196,7 @@ spec: valueFrom: properties: authJSON: - description: 'Selector to fill the value from - the authorization JSON. Any patterns supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The value can be just the pattern - with the path to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!") - The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, and @base64:encode|decode.' + description: 'Selector to fill the value from the authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The value can be just the pattern with the path to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!") The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, and @base64:encode|decode.' type: string type: object type: object 
@@ -276,42 +207,20 @@ spec: valueFrom: properties: authJSON: - description: 'Selector to fill the value from - the authorization JSON. Any patterns supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The value can be just the pattern - with the path to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!") - The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, and @base64:encode|decode.' + description: 'Selector to fill the value from the authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The value can be just the pattern with the path to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!") The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, and @base64:encode|decode.' type: string type: object type: object type: object user: - description: User to test for. If without "Groups", then - is it interpreted as "What if User were not a member of - any groups" + description: User to test for. If without "Groups", then is it interpreted as "What if User were not a member of any groups" properties: value: type: string valueFrom: properties: authJSON: - description: 'Selector to fill the value from the - authorization JSON. Any patterns supported by - https://pkg.go.dev/github.com/tidwall/gjson can - be used. The value can be just the pattern with - the path to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a string - template with variable placeholders that resolve - to patterns (e.g. 
"Hello, {auth.identity.name}!") - The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, and @base64:encode|decode.' + description: 'Selector to fill the value from the authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The value can be just the pattern with the path to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!") The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, and @base64:encode|decode.' type: string type: object type: object @@ -319,8 +228,7 @@ spec: - user type: object name: - description: Name of the authorization policy. It can be used - to refer to the resolved authorization object in other configs. + description: Name of the authorization policy. It can be used to refer to the resolved authorization object in other configs. type: string opa: description: Open Policy Agent (OPA) authorization policy. 
@@ -329,17 +237,11 @@ spec: description: External registry of OPA policies. properties: credentials: - description: Defines where client credentials will be - passed in the request to the service. If omitted, - it defaults to client credentials passed in the HTTP - Authorization header and the "Bearer" prefix expected - prepended to the secret value. + description: Defines where client credentials will be passed in the request to the service. If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. properties: in: default: authorization_header - description: The location in the request where client - credentials shall be passed on requests authenticating - with this identity source/authentication mode. + description: The location in the request where client credentials shall be passed on requests authenticating with this identity source/authentication mode. enum: - authorization_header - custom_header 
@@ -347,40 +249,22 @@ spec: - cookie type: string keySelector: - description: Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value - is the prefix of the client credentials string, - separated by a white-space, in the HTTP Authorization - header (e.g. "Bearer", "Basic"). When used with - `custom_header`, `query` or `cookie`, the value - is the name of the HTTP header, query string parameter - or cookie key, respectively. + description: Used in conjunction with the `in` parameter. When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. type: string required: - keySelector type: object endpoint: - description: Endpoint of the HTTP external registry. - The endpoint must respond with either plain/text or - application/json content-type. In the latter case, - the JSON returned in the body must include a path - `result.raw`, where the raw Rego policy will be extracted - from. This complies with the specification of the - OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy). + description: Endpoint of the HTTP external registry. The endpoint must respond with either plain/text or application/json content-type. In the latter case, the JSON returned in the body must include a path `result.raw`, where the raw Rego policy will be extracted from. This complies with the specification of the OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy). type: string sharedSecretRef: - description: Reference to a Secret key whose value will - be passed by Authorino in the request. The HTTP service - can use the shared secret to authenticate the origin - of the request. 
+ description: Reference to a Secret key whose value will be passed by Authorino in the request. The HTTP service can use the shared secret to authenticate the origin of the request. properties: key: - description: The key of the secret to select from. Must - be a valid secret key. + description: The key of the secret to select from. Must be a valid secret key. type: string name: - description: The name of the secret in the Authorino's - namespace to select from. + description: The name of the secret in the Authorino's namespace to select from. type: string required: - key 
@@ -388,24 +272,15 @@ spec: type: object type: object inlineRego: - description: Authorization policy as a Rego language document. - The Rego document must include the "allow" condition, - set by Authorino to "false" by default (i.e. requests - are unauthorized unless changed). The Rego document must - NOT include the "package" declaration in line 1. + description: Authorization policy as a Rego language document. The Rego document must include the "allow" condition, set by Authorino to "false" by default (i.e. requests are unauthorized unless changed). The Rego document must NOT include the "package" declaration in line 1. type: string type: object priority: default: 0 - description: Priority group of the config. All configs in the - same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer when: - description: Conditions for Authorino to enforce this authorization - policy. If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be - enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this authorization policy. If omitted, the config will be enforced for all requests. If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. items: oneOf: - properties: 
@@ -422,11 +297,7 @@ spec: - value properties: operator: - description: 'The binary operator to be applied to the - content fetched from the authorization JSON, for comparison - with "value". Possible values are: "eq" (equal to), - "neq" (not equal to), "incl" (includes; for arrays), - "excl" (excludes; for arrays), "matches" (regex)' + description: 'The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq @@ -438,16 +309,10 @@ spec: description: Name of a named pattern type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must - compile to a valid Golang regex. + description: The value of reference for the comparison with the content fetched from the authorization JSON. If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array 
@@ -456,22 +321,19 @@ spec: type: object type: array denyWith: - description: Custom denial response codes, statuses and headers to - override default 40x's. + description: Custom denial response codes, statuses and headers to override default 40x's. properties: unauthenticated: description: Denial status customization when the request is unauthenticated. properties: code: - description: HTTP status code to override the default denial - status code. + description: HTTP status code to override the default denial status code. format: int64 maximum: 599 minimum: 300 type: integer headers: - description: HTTP response headers to override the default - denial headers. + description: HTTP response headers to override the default denial headers. items: properties: name: @@ -484,17 +346,7 @@ spec: description: Dynamic value of the claim properties: authJSON: - description: 'Selector to fill the value from the - authorization JSON. Any patterns supported by - https://pkg.go.dev/github.com/tidwall/gjson can - be used. The value can be just the pattern with - the path to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a string - template with variable placeholders that resolve - to patterns (e.g. "Hello, {auth.identity.name}!") - The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, and @base64:encode|decode.' + description: 'Selector to fill the value from the authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The value can be just the pattern with the path to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!") The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, and @base64:encode|decode.' type: string type: object required: 
@@ -509,15 +361,13 @@ spec: description: Denial status customization when the request is unauthorized. properties: code: - description: HTTP status code to override the default denial - status code. + description: HTTP status code to override the default denial status code. format: int64 maximum: 599 minimum: 300 type: integer headers: - description: HTTP response headers to override the default - denial headers. + description: HTTP response headers to override the default denial headers. items: properties: name: @@ -530,17 +380,7 @@ spec: description: Dynamic value of the claim properties: authJSON: - description: 'Selector to fill the value from the - authorization JSON. Any patterns supported by - https://pkg.go.dev/github.com/tidwall/gjson can - be used. The value can be just the pattern with - the path to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a string - template with variable placeholders that resolve - to patterns (e.g. "Hello, {auth.identity.name}!") - The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, and @base64:encode|decode.' + description: 'Selector to fill the value from the authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The value can be just the pattern with the path to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!") The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, and @base64:encode|decode.' type: string type: object required: 
@@ -553,22 +393,14 @@ spec: type: object type: object hosts: - description: The list of public host names of the services protected - by this authentication/authorization scheme. Authorino uses the - requested host to lookup for the corresponding authentication/authorization - configs to enforce. + description: The list of public host names of the services protected by this authentication/authorization scheme. Authorino uses the requested host to lookup for the corresponding authentication/authorization configs to enforce. items: type: string type: array identity: - description: List of identity sources/authentication modes. At least - one config of this list MUST evaluate to a valid identity for a - request to be successful in the identity verification phase. + description: List of identity sources/authentication modes. At least one config of this list MUST evaluate to a valid identity for a request to be successful in the identity verification phase. items: - description: 'The identity source/authentication mode config. Apart - from "name", one of the following parameters is required and only - one of the following parameters is allowed: "oicd", "apiKey" or - "kubernetes".' + description: 'The identity source/authentication mode config. Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "oicd", "apiKey" or "kubernetes".' oneOf: - properties: credentials: {} 
@@ -598,31 +430,36 @@ spec: required: - name - kubernetes + - properties: + anonymous: {} + credentials: {} + name: {} + required: + - name + - anonymous properties: + anonymous: + type: object apiKey: properties: + allNamespaces: + default: false + description: Whether Authorino should look for API key secrets in all namespaces or only in the same namespace of the AuthConfig. Enabling this option in namespaced Authorino instances has no effect. + type: boolean labelSelectors: additionalProperties: type: string - description: The map of label selectors used by Authorino - to match secrets from the cluster storing valid credentials - to authenticate to this service + description: The map of label selectors used by Authorino to match secrets from the cluster storing valid credentials to authenticate to this service type: object required: - labelSelectors type: object credentials: - description: Defines where client credentials are required to - be passed in the request for this identity source/authentication - mode. If omitted, it defaults to client credentials passed - in the HTTP Authorization header and the "Bearer" prefix expected - prepended to the credentials value (token, API key, etc). + description: Defines where client credentials are required to be passed in the request for this identity source/authentication mode. If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the credentials value (token, API key, etc). properties: in: default: authorization_header - description: The location in the request where client credentials - shall be passed on requests authenticating with this identity - source/authentication mode. + description: The location in the request where client credentials shall be passed on requests authenticating with this identity source/authentication mode. enum: - authorization_header - custom_header 
@@ -630,23 +467,13 @@ spec: - cookie type: string keySelector: - description: Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is the - prefix of the client credentials string, separated by - a white-space, in the HTTP Authorization header (e.g. - "Bearer", "Basic"). When used with `custom_header`, `query` - or `cookie`, the value is the name of the HTTP header, - query string parameter or cookie key, respectively. + description: Used in conjunction with the `in` parameter. When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. type: string required: - keySelector type: object extendedProperties: - description: Extends the resolved identity object with additional - custom properties before appending to the authorization JSON. - It requires the resolved identity object to always be of the - JSON type 'object'. Other JSON types (array, string, etc) - will break. + description: Extends the resolved identity object with additional custom properties before appending to the authorization JSON. It requires the resolved identity object to always be of the JSON type 'object'. Other JSON types (array, string, etc) will break. items: properties: name: 
@@ -659,16 +486,7 @@ spec: description: Dynamic value of the claim properties: authJSON: - description: 'Selector to fill the value from the - authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The value can be just the pattern with - the path to fetch from the authorization JSON (e.g. - ''context.request.http.host'') or a string template - with variable placeholders that resolve to patterns - (e.g. "Hello, {auth.identity.name}!") The following - string modifiers are available: @extract:{sep:" - ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, - and @base64:encode|decode.' + description: 'Selector to fill the value from the authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The value can be just the pattern with the path to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!") The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, and @base64:encode|decode.' type: string type: object required: 
@@ -678,39 +496,28 @@ spec: kubernetes: properties: audiences: - description: The list of audiences (scopes) that must be - claimed in a Kubernetes authentication token supplied - in the request, and reviewed by Authorino. If omitted, - Authorino will review tokens expecting the host name of - the requested protected service amongst the audiences. + description: The list of audiences (scopes) that must be claimed in a Kubernetes authentication token supplied in the request, and reviewed by Authorino. If omitted, Authorino will review tokens expecting the host name of the requested protected service amongst the audiences. items: type: string type: array type: object name: - description: The name of this identity source/authentication - mode. It usually identifies a source of identities or group - of users/clients of the protected service. It can be used - to refer to the resolved identity object in other configs. + description: The name of this identity source/authentication mode. It usually identifies a source of identities or group of users/clients of the protected service. It can be used to refer to the resolved identity object in other configs. type: string oauth2: properties: credentialsRef: - description: Reference to a Kubernetes secret in the same - namespace, that stores client credentials to the OAuth2 - server. + description: Reference to a Kubernetes secret in the same namespace, that stores client credentials to the OAuth2 server. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object tokenIntrospectionUrl: description: The full URL of the token introspection endpoint. 
type: string tokenTypeHint: - description: The token type hint for the token introspection. - If omitted, it defaults to "access_token". + description: The token type hint for the token introspection. If omitted, it defaults to "access_token". type: string required: - credentialsRef 
@@ -719,33 +526,20 @@ spec: oidc: properties: endpoint: - description: Endpoint of the OIDC issuer. Authorino will - append to this value the well-known path to the OpenID - Connect discovery endpoint (i.e. "/.well-known/openid-configuration"), - used to automatically discover the OpenID Connect configuration, - whose set of claims is expected to include (among others) - the "jkws_uri" claim. The value must coincide with the - value of the "iss" (issuer) claim of the discovered OpenID - Connect configuration. + description: Endpoint of the OIDC issuer. Authorino will append to this value the well-known path to the OpenID Connect discovery endpoint (i.e. "/.well-known/openid-configuration"), used to automatically discover the OpenID Connect configuration, whose set of claims is expected to include (among others) the "jkws_uri" claim. The value must coincide with the value of the "iss" (issuer) claim of the discovered OpenID Connect configuration. type: string ttl: - description: Decides how long to wait before refreshing - the OIDC configuration (in seconds). + description: Decides how long to wait before refreshing the OIDC configuration (in seconds). type: integer required: - endpoint type: object priority: default: 0 - description: Priority group of the config. All configs in the - same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer when: - description: Conditions for Authorino to enforce this identity - config. If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be - enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this identity config. If omitted, the config will be enforced for all requests. 
If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. items: oneOf: - properties: @@ -762,11 +556,7 @@ spec: - value properties: operator: - description: 'The binary operator to be applied to the - content fetched from the authorization JSON, for comparison - with "value". Possible values are: "eq" (equal to), - "neq" (not equal to), "incl" (includes; for arrays), - "excl" (excludes; for arrays), "matches" (regex)' + description: 'The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq @@ -778,16 +568,10 @@ spec: description: Name of a named pattern type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must - compile to a valid Golang regex. + description: The value of reference for the comparison with the content fetched from the authorization JSON. If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array 
@@ -796,12 +580,9 @@ spec: type: object type: array metadata: - description: List of metadata source configs. Authorino fetches JSON - content from sources on this list on every request. + description: List of metadata source configs. Authorino fetches JSON content from sources on this list on every request. items: - description: 'The metadata config. Apart from "name", one of the - following parameters is required and only one of the following - parameters is allowed: "userInfo" or "uma".' + description: 'The metadata config. Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "userInfo" or "uma".' oneOf: - properties: name: {} @@ -823,13 +604,10 @@ spec: - http properties: http: - description: Generic HTTP interface to obtain authorization - metadata from a HTTP service. + description: Generic HTTP interface to obtain authorization metadata from a HTTP service. properties: bodyParameters: - description: Custom parameters to encode in the body of - the HTTP request. Use it with method=POST; for GET requests, - specify parameters using placeholders in the endpoint. + description: Custom parameters to encode in the body of the HTTP request. Use it with method=POST; for GET requests, specify parameters using placeholders in the endpoint. items: properties: name: 
@@ -842,17 +620,7 @@ spec: description: Dynamic value of the claim properties: authJSON: - description: 'Selector to fill the value from - the authorization JSON. Any patterns supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The value can be just the pattern - with the path to fetch from the authorization - JSON (e.g. ''context.request.http.host'') or - a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!") - The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, and @base64:encode|decode.' + description: 'Selector to fill the value from the authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The value can be just the pattern with the path to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!") The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, and @base64:encode|decode.' type: string type: object required: 
@@ -867,17 +635,11 @@ spec: - application/json type: string credentials: - description: Defines where client credentials will be passed - in the request to the service. If omitted, it defaults - to client credentials passed in the HTTP Authorization - header and the "Bearer" prefix expected prepended to the - secret value. + description: Defines where client credentials will be passed in the request to the service. If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. properties: in: default: authorization_header - description: The location in the request where client - credentials shall be passed on requests authenticating - with this identity source/authentication mode. + description: The location in the request where client credentials shall be passed on requests authenticating with this identity source/authentication mode. enum: - authorization_header - custom_header 
@@ -885,23 +647,13 @@ spec: - cookie type: string keySelector: - description: Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is - the prefix of the client credentials string, separated - by a white-space, in the HTTP Authorization header - (e.g. "Bearer", "Basic"). When used with `custom_header`, - `query` or `cookie`, the value is the name of the - HTTP header, query string parameter or cookie key, - respectively. + description: Used in conjunction with the `in` parameter. When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. type: string required: - keySelector type: object endpoint: - description: Endpoint of the HTTP service. The endpoint - accepts variable placeholders in the format "{selector}", - where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} + description: Endpoint of the HTTP service. The endpoint accepts variable placeholders in the format "{selector}", where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} type: string headers: description: Custom headers in the HTTP request. 
@@ -917,17 +669,7 @@ spec: description: Dynamic value of the claim properties: authJSON: - description: 'Selector to fill the value from - the authorization JSON. Any patterns supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The value can be just the pattern - with the path to fetch from the authorization - JSON (e.g. ''context.request.http.host'') or - a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!") - The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, and @base64:encode|decode.' + description: 'Selector to fill the value from the authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The value can be just the pattern with the path to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!") The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, and @base64:encode|decode.' type: string type: object required: 
@@ -935,27 +677,19 @@ spec: type: object type: array method: - description: 'HTTP verb used in the request to the service. - Accepted values: GET (default), POST. When the request - method is POST, the authorization JSON is passed in the - body of the request.' + description: 'HTTP verb used in the request to the service. Accepted values: GET (default), POST. When the request method is POST, the authorization JSON is passed in the body of the request.' enum: - GET - POST type: string sharedSecretRef: - description: Reference to a Secret key whose value will - be passed by Authorino in the request. The HTTP service - can use the shared secret to authenticate the origin of - the request. + description: Reference to a Secret key whose value will be passed by Authorino in the request. The HTTP service can use the shared secret to authenticate the origin of the request. properties: key: - description: The key of the secret to select from. Must - be a valid secret key. + description: The key of the secret to select from. Must be a valid secret key. type: string name: - description: The name of the secret in the Authorino's - namespace to select from. + description: The name of the secret in the Authorino's namespace to select from. type: string required: - key 
@@ -965,54 +699,40 @@ spec: - endpoint type: object name: - description: The name of the metadata source. It can be used - to refer to the resolved metadata object in other configs. + description: The name of the metadata source. It can be used to refer to the resolved metadata object in other configs. type: string priority: default: 0 - description: Priority group of the config. All configs in the - same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer uma: description: User-Managed Access (UMA) source of resource data. properties: credentialsRef: - description: Reference to a Kubernetes secret in the same - namespace, that stores client credentials to the resource - registration API of the UMA server. + description: Reference to a Kubernetes secret in the same namespace, that stores client credentials to the resource registration API of the UMA server. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object endpoint: - description: The endpoint of the UMA server. The value must - coincide with the "issuer" claim of the UMA config discovered - from the well-known uma configuration endpoint. + description: The endpoint of the UMA server. The value must coincide with the "issuer" claim of the UMA config discovered from the well-known uma configuration endpoint. 
type: string required: - credentialsRef - endpoint type: object userInfo: - description: OpendID Connect UserInfo linked to an OIDC identity - config of this same spec. + description: OpendID Connect UserInfo linked to an OIDC identity config of this same spec. properties: identitySource: - description: The name of an OIDC identity source included - in the "identity" section and whose OpenID Connect configuration - discovered includes the OIDC "userinfo_endpoint" claim. + description: The name of an OIDC identity source included in the "identity" section and whose OpenID Connect configuration discovered includes the OIDC "userinfo_endpoint" claim. type: string required: - identitySource type: object when: - description: Conditions for Authorino to enforce this metadata - config. If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be - enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this metadata config. If omitted, the config will be enforced for all requests. If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. items: oneOf: - properties: @@ -1029,11 +749,7 @@ spec: - value properties: operator: - description: 'The binary operator to be applied to the - content fetched from the authorization JSON, for comparison - with "value". Possible values are: "eq" (equal to), - "neq" (not equal to), "incl" (includes; for arrays), - "excl" (excludes; for arrays), "matches" (regex)' + description: 'The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq 
@@ -1045,16 +761,10 @@ spec: description: Name of a named pattern type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must - compile to a valid Golang regex. + description: The value of reference for the comparison with the content fetched from the authorization JSON. If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array @@ -1067,11 +777,7 @@ spec: items: properties: operator: - description: 'The binary operator to be applied to the content - fetched from the authorization JSON, for comparison with - "value". Possible values are: "eq" (equal to), "neq" (not - equal to), "incl" (includes; for arrays), "excl" (excludes; - for arrays), "matches" (regex)' + description: 'The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq 
@@ -1080,35 +786,24 @@ spec: - matches type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: - description: The value of reference for the comparison with - the content fetched from the authorization JSON. If used - with the "matches" operator, the value must compile to a - valid Golang regex. + description: The value of reference for the comparison with the content fetched from the authorization JSON. If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array - description: Named sets of JSON patterns that can be referred in `when` - conditionals and in JSON-pattern matching policy rules. + description: Named sets of JSON patterns that can be referred in `when` conditionals and in JSON-pattern matching policy rules. type: object response: - description: List of response configs. Authorino gathers data from - the auth pipeline to build custom responses for the client. + description: List of response configs. Authorino gathers data from the auth pipeline to build custom responses for the client. items: - description: 'Dynamic response to return to the client. Apart from - "name", one of the following parameters is required and only one - of the following parameters is allowed: "wristband" or "json".' + description: 'Dynamic response to return to the client. Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "wristband" or "json".' 
properties: json: properties: properties: - description: List of JSON property-value pairs to be added - to the dynamic response. + description: List of JSON property-value pairs to be added to the dynamic response. items: properties: name: @@ -1121,17 +816,7 @@ spec: description: Dynamic value of the claim properties: authJSON: - description: 'Selector to fill the value from - the authorization JSON. Any patterns supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The value can be just the pattern - with the path to fetch from the authorization - JSON (e.g. ''context.request.http.host'') or - a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!") - The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, and @base64:encode|decode.' + description: 'Selector to fill the value from the authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The value can be just the pattern with the path to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!") The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, and @base64:encode|decode.' type: string type: object required: 
@@ -1142,20 +827,14 @@ spec: - properties type: object name: - description: Name of the custom response. It can be used to - refer to the resolved response object in other configs. + description: Name of the custom response. It can be used to refer to the resolved response object in other configs. type: string priority: default: 0 - description: Priority group of the config. All configs in the - same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer when: - description: Conditions for Authorino to enforce this custom - response config. If omitted, the config will be enforced for - all requests. If present, all conditions must match for the - config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this custom response config. If omitted, the config will be enforced for all requests. If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. items: oneOf: - properties: @@ -1172,11 +851,7 @@ spec: - value properties: operator: - description: 'The binary operator to be applied to the - content fetched from the authorization JSON, for comparison - with "value". Possible values are: "eq" (equal to), - "neq" (not equal to), "incl" (includes; for arrays), - "excl" (excludes; for arrays), "matches" (regex)' + description: 'The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq 
@@ -1188,39 +863,27 @@ spec: description: Name of a named pattern type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must - compile to a valid Golang regex. + description: The value of reference for the comparison with the content fetched from the authorization JSON. If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array wrapper: default: httpHeader - description: How Authorino wraps the response. Use "httpHeader" - (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" - to wrap the response as Envoy Dynamic Metadata + description: How Authorino wraps the response. Use "httpHeader" (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" to wrap the response as Envoy Dynamic Metadata enum: - httpHeader - envoyDynamicMetadata type: string wrapperKey: - description: The name of key used in the wrapped response (name - of the HTTP header or property of the Envoy Dynamic Metadata - JSON). If omitted, it will be set to the name of the configuration. + description: The name of key used in the wrapped response (name of the HTTP header or property of the Envoy Dynamic Metadata JSON). If omitted, it will be set to the name of the configuration. 
type: string wristband: properties: customClaims: - description: Any claims to be added to the wristband token - apart from the standard JWT claims (iss, iat, exp) added - by default. + description: Any claims to be added to the wristband token apart from the standard JWT claims (iss, iat, exp) added by default. items: properties: name: @@ -1233,17 +896,7 @@ spec: description: Dynamic value of the claim properties: authJSON: - description: 'Selector to fill the value from - the authorization JSON. Any patterns supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The value can be just the pattern - with the path to fetch from the authorization - JSON (e.g. ''context.request.http.host'') or - a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!") - The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, and @base64:encode|decode.' + description: 'Selector to fill the value from the authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The value can be just the pattern with the path to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!") The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, and @base64:encode|decode.' type: string type: object required: @@ -1251,20 +904,14 @@ spec: type: object type: array issuer: - description: 'The endpoint to the Authorino service that - issues the wristband (format: ://:/, - where = /://:/, where = / Date: Tue, 1 Mar 2022 09:57:35 +0100 Subject: [PATCH 4/4] run nightly tests --- .github/workflows/testing.yaml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) 
diff --git a/.github/workflows/testing.yaml b/.github/workflows/testing.yaml
index 06004bf..96a7a4c 100644
--- a/.github/workflows/testing.yaml
+++ b/.github/workflows/testing.yaml
@@ -1,7 +1,15 @@
 ---
 name: Testing
-on: pull_request
+on:
+  push:
+    branches: [ 'main' ]
+
+  pull_request:
+    branches: [ 'main' ]
+
+  schedule:
+    - cron: "15 1 * * *"
 jobs:
   build: