Missing important resources in helm chart #416

Open
ricardosilva86 opened this issue Aug 26, 2024 · 7 comments
Labels: area/helm-chart (Issues dealing with the helm chart), bug (Something isn't working), needs-repro


ricardosilva86 commented Aug 26, 2024

Kubernetes Version

1.30

Helm Chart Version

0.12.1

Helm Chart configuration

I just installed as it was requested in the tutorial:

  1. Export the Auth token and the API
  2. Add the repo to helm
  3. Deploy the ngrok ingress controller:
helm install ngrok-ingress-controller ngrok/kubernetes-ingress-controller \
  --namespace ngrok-ingress-controller \
  --create-namespace \
  --set credentials.apiKey=$NGROK_API_KEY \
  --set credentials.authtoken=$NGROK_AUTHTOKEN

What happened

Kubernetes flavour: minikube or kind
I was following the https://ngrok.com/docs/using-ngrok-with/k8s/ tutorial and I couldn't make it work. The following errors were reported:

{"level":"info","ts":"2024-08-26T20:43:46Z","logger":"cache-store-driver","msg":"syncing driver state!!"}
{"level":"error","ts":"2024-08-26T20:43:46Z","logger":"cache-store-driver","msg":"error creating domain","domain":{"metadata":{"name":"destined-mongoose-needlessly-ngrok-free-app","namespace":"ngrok-ingress-controller","creationTimestamp":null},"spec":{"domain":"destined-mongoose-needlessly.ngrok-free.app"},"status":{}},"error":"the server could not find the requested resource (post domains.ingress.k8s.ngrok.com)","stacktrace":"github.com/ngrok/kubernetes-ingress-controller/internal/store.(*Driver).applyDomains\n\tgithub.com/ngrok/kubernetes-ingress-controller/internal/store/driver.go:486\ngithub.com/ngrok/kubernetes-ingress-controller/internal/store.(*Driver).Sync\n\tgithub.com/ngrok/kubernetes-ingress-controller/internal/store/driver.go:409\ngithub.com/ngrok/kubernetes-ingress-controller/internal/controller/ingress.(*IngressReconciler).Reconcile\n\tgithub.com/ngrok/kubernetes-ingress-controller/internal/controller/ingress/ingress_controller.go:132\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\tsigs.k8s.io/controller-runtime@v0.17.4/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\tsigs.k8s.io/controller-runtime@v0.17.4/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\tsigs.k8s.io/controller-runtime@v0.17.4/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\tsigs.k8s.io/controller-runtime@v0.17.4/pkg/internal/controller/controller.go:227"}
{"level":"info","ts":"2024-08-26T20:43:46Z","logger":"cache-store-driver","msg":"sync done"}
{"level":"error","ts":"2024-08-26T20:43:46Z","logger":"controllers.ingress","msg":"Failed to sync","ingress":{"name":"game-2048-ingress","namespace":"ngrok-ingress-controller"},"error":"the server could not find the requested resource (post domains.ingress.k8s.ngrok.com)","stacktrace":"github.com/ngrok/kubernetes-ingress-controller/internal/controller/ingress.(*IngressReconciler).Reconcile\n\tgithub.com/ngrok/kubernetes-ingress-controller/internal/controller/ingress/ingress_controller.go:134\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\tsigs.k8s.io/controller-runtime@v0.17.4/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\tsigs.k8s.io/controller-runtime@v0.17.4/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\tsigs.k8s.io/controller-runtime@v0.17.4/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\tsigs.k8s.io/controller-runtime@v0.17.4/pkg/internal/controller/controller.go:227"}
{"level":"error","ts":"2024-08-26T20:43:46Z","msg":"Reconciler error","controller":"ingress","controllerGroup":"networking.k8s.io","controllerKind":"Ingress","Ingress":{"name":"game-2048-ingress","namespace":"ngrok-ingress-controller"},"namespace":"ngrok-ingress-controller","name":"game-2048-ingress","reconcileID":"f3746b31-95ba-493a-b18a-f7f630222e8a","error":"the server could not find the requested resource (post domains.ingress.k8s.ngrok.com)","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\tsigs.k8s.io/controller-runtime@v0.17.4/pkg/internal/controller/controller.go:329\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\tsigs.k8s.io/controller-runtime@v0.17.4/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\tsigs.k8s.io/controller-runtime@v0.17.4/pkg/internal/controller/controller.go:227"}
W0826 20:43:57.535070       1 reflector.go:539] k8s.io/client-go@v0.29.2/tools/cache/reflector.go:229: failed to list *v1alpha1.Tunnel: the server could not find the requested resource (get tunnels.ingress.k8s.ngrok.com)
E0826 20:43:57.535126       1 reflector.go:147] k8s.io/client-go@v0.29.2/tools/cache/reflector.go:229: Failed to watch *v1alpha1.Tunnel: failed to list *v1alpha1.Tunnel: the server could not find the requested resource (get tunnels.ingress.k8s.ngrok.com)
W0826 20:44:04.717406       1 reflector.go:539] k8s.io/client-go@v0.29.2/tools/cache/reflector.go:229: failed to list *v1alpha1.HTTPSEdge: the server could not find the requested resource (get httpsedges.ingress.k8s.ngrok.com)
E0826 20:44:04.717465       1 reflector.go:147] k8s.io/client-go@v0.29.2/tools/cache/reflector.go:229: Failed to watch *v1alpha1.HTTPSEdge: failed to list *v1alpha1.HTTPSEdge: the server could not find the requested resource (get httpsedges.ingress.k8s.ngrok.com)
W0826 20:44:12.552365       1 reflector.go:539] k8s.io/client-go@v0.29.2/tools/cache/reflector.go:229: failed to list *v1alpha1.Domain: the server could not find the requested resource (get domains.ingress.k8s.ngrok.com)
E0826 20:44:12.552449       1 reflector.go:147] k8s.io/client-go@v0.29.2/tools/cache/reflector.go:229: Failed to watch *v1alpha1.Domain: failed to list *v1alpha1.Domain: the server could not find the requested resource (get domains.ingress.k8s.ngrok.com)
W0826 20:44:34.622086       1 reflector.go:539] k8s.io/client-go@v0.29.2/tools/cache/reflector.go:229: failed to list *v1alpha1.Tunnel: the server could not find the requested resource (get tunnels.ingress.k8s.ngrok.com)
E0826 20:44:34.622130       1 reflector.go:147] k8s.io/client-go@v0.29.2/tools/cache/reflector.go:229: Failed to watch *v1alpha1.Tunnel: failed to list *v1alpha1.Tunnel: the server could not find the requested resource (get tunnels.ingress.k8s.ngrok.com)

When I try to get any domains object in the cluster:

k get domains
Error from server (NotFound): Unable to list "ingress.k8s.ngrok.com/v1alpha1, Resource=domains": the server could not find the requested resource (get domains.ingress.k8s.ngrok.com)

Same happens with other resources like tunnels:

k get tunnels
Error from server (NotFound): Unable to list "ingress.k8s.ngrok.com/v1alpha1, Resource=tunnels": the server could not find the requested resource (get tunnels.ingress.k8s.ngrok.com)

What you think should happen instead

As per the result of the tutorial, I should have got a working 2048 app running on my domain.

How to reproduce

Follow the K8s ingress tutorial from ngrok, here: https://ngrok.com/docs/using-ngrok-with/k8s/
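
The controller errors in the report all name an API resource that the server does not serve. As an added example (not part of the original issue or the project's code), the Python below reduces a mixed JSON/klog controller log to the distinct missing `<plural>.<group>` resources, which is also the form a CustomResourceDefinition name takes. The sample lines are constructed from the log in the report with stack traces trimmed, and the function names are hypothetical.

```python
import json
import re
from collections import defaultdict

# Constructed sample: shortened copies of log lines from the report
# (stack traces and some fields trimmed). It mixes controller-runtime
# JSON records with klog-style text lines, as the real log does.
SAMPLE_LOG = """\
{"level":"info","ts":"2024-08-26T20:43:46Z","logger":"cache-store-driver","msg":"syncing driver state!!"}
{"level":"error","ts":"2024-08-26T20:43:46Z","logger":"cache-store-driver","msg":"error creating domain","error":"the server could not find the requested resource (post domains.ingress.k8s.ngrok.com)"}
{"level":"error","ts":"2024-08-26T20:43:46Z","logger":"controllers.ingress","msg":"Failed to sync","error":"the server could not find the requested resource (post domains.ingress.k8s.ngrok.com)"}
W0826 20:43:57.535070       1 reflector.go:539] k8s.io/client-go@v0.29.2/tools/cache/reflector.go:229: failed to list *v1alpha1.Tunnel: the server could not find the requested resource (get tunnels.ingress.k8s.ngrok.com)
E0826 20:44:04.717465       1 reflector.go:147] k8s.io/client-go@v0.29.2/tools/cache/reflector.go:229: Failed to watch *v1alpha1.HTTPSEdge: failed to list *v1alpha1.HTTPSEdge: the server could not find the requested resource (get httpsedges.ingress.k8s.ngrok.com)
W0826 20:44:12.552365       1 reflector.go:539] k8s.io/client-go@v0.29.2/tools/cache/reflector.go:229: failed to list *v1alpha1.Domain: the server could not find the requested resource (get domains.ingress.k8s.ngrok.com)
"""

# Matches the API server's NotFound text, e.g.
# "... could not find the requested resource (get tunnels.ingress.k8s.ngrok.com)"
NOT_FOUND = re.compile(
    r"could not find the requested resource "
    r"\((?P<verb>[a-z]+) (?P<resource>[a-z0-9]+)\.(?P<group>[a-z0-9.-]+)\)"
)


def error_text(line):
    """Return the part of a log line that may carry an API error."""
    line = line.strip()
    if line.startswith("{"):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            return line  # truncated JSON record: fall back to a raw search
        if isinstance(record, dict):
            # Only the "error" field is inspected, so an embedded object
            # elsewhere in the record cannot produce a false match.
            return str(record.get("error", ""))
    return line  # klog text line (W.../E... prefix) or anything else


def missing_resources(log_text):
    """Map each missing '<plural>.<group>' to the verbs tried and a hit count."""
    found = defaultdict(lambda: {"verbs": set(), "count": 0})
    for line in log_text.splitlines():
        match = NOT_FOUND.search(error_text(line))
        if match:
            name = f"{match['resource']}.{match['group']}"
            found[name]["verbs"].add(match["verb"])
            found[name]["count"] += 1
    return {
        name: {"verbs": sorted(info["verbs"]), "count": info["count"]}
        for name, info in sorted(found.items())
    }


def crd_check_command(missing):
    """Build the kubectl command that checks whether those CRDs exist."""
    if not missing:
        return ""
    return "kubectl get crd " + " ".join(missing)


if __name__ == "__main__":
    result = missing_resources(SAMPLE_LOG)
    for name, info in result.items():
        print(f"{name}: verbs={info['verbs']} hits={info['count']}")
    print(crd_check_command(result))
```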

ricardosilva86 added the area/helm-chart, bug and needs-triage labels Aug 26, 2024
@ricardosilva86
Author

btw I already tried to uninstall and install again, same issue.

@jonstacks
Collaborator

@ricardosilva86, any chance you have the logs from the helm install? That might give us some more information. Or if you can re-run the helm install command with the --debug flag that might also help us determine what is happening.

@jonstacks
Collaborator

Also, could you include the output of helm version? We'll get our template updated to gather this going forward

jonstacks self-assigned this Aug 26, 2024
@ricardosilva86
Author

helm version

version.BuildInfo{Version:"v3.15.4", GitCommit:"fa9efb07d9d8debbb4306d72af76a383895aa8c4", GitTreeState:"clean", GoVersion:"go1.22.6"}

@ricardosilva86
Author

ricardosilva86 commented Aug 27, 2024

helm install with --debug:

Output
install.go:222: [debug] Original chart version: ""
install.go:239: [debug] CHART PATH: /home/ricardosilva/.cache/helm/repository/kubernetes-ingress-controller-0.14.1.tgz

client.go:142: [debug] creating 1 resource(s)
client.go:142: [debug] creating 33 resource(s)
NAME: ngrok-ingress-controller
LAST DEPLOYED: Tue Aug 27 06:27:44 2024
NAMESPACE: ngrok-ingress-controller
STATUS: deployed
REVISION: 1
TEST SUITE: None
USER-SUPPLIED VALUES:
credentials:
  apiKey: <apikey>
  authtoken: <authtoken>

COMPUTED VALUES:
affinity: {}
apiURL: ""
common:
  exampleValue: common-chart
  global: {}
commonAnnotations: {}
commonLabels: {}
controllerName: k8s.ngrok.com/ingress-controller
credentials:
  apiKey: <apikey>
  authtoken: <authtoken>
  secret:
    name: ""
extraEnv: {}
extraVolumeMounts: []
extraVolumes: []
fullnameOverride: ""
image:
  pullPolicy: IfNotPresent
  pullSecrets: []
  registry: docker.io
  repository: ngrok/kubernetes-ingress-controller
  tag: ""
ingressClass:
  create: true
  default: false
  name: ngrok
lifecycle: {}
log:
  format: json
  level: info
  stacktraceLevel: error
metaData: {}
nameOverride: ""
nodeAffinityPreset:
  key: ""
  type: ""
  values: []
podAffinityPreset: ""
podAnnotations: {}
podAntiAffinityPreset: soft
podDisruptionBudget:
  create: false
  maxUnavailable: 1
  minAvailable: ""
podLabels: {}
priorityClassName: ""
region: ""
replicaCount: 1
resources:
  limits: {}
  requests: {}
rootCAs: ""
serverAddr: ""
serviceAccount:
  annotations: {}
  create: true
  name: ""
watchNamespace: ""

HOOKS:
MANIFEST:
---
# Source: kubernetes-ingress-controller/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ngrok-ingress-controller-kubernetes-ingress-controller
  namespace: ngrok-ingress-controller
  labels:
    helm.sh/chart: kubernetes-ingress-controller-0.14.1
    app.kubernetes.io/name: kubernetes-ingress-controller
    app.kubernetes.io/instance: ngrok-ingress-controller
    app.kubernetes.io/version: "0.12.1"
    app.kubernetes.io/part-of: kubernetes-ingress-controller
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
---
# Source: kubernetes-ingress-controller/templates/credentials-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: ngrok-ingress-controller-kubernetes-ingress-controller-credentials
  namespace: ngrok-ingress-controller
type: Opaque
data:
  API_KEY: <apikey>
  AUTHTOKEN: <authtoken>
---
# Source: kubernetes-ingress-controller/templates/controller-cm.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: ngrok-ingress-controller-kubernetes-ingress-controller-manager-config
  namespace: ngrok-ingress-controller
data:
  controller_manager_config.yaml: |
    apiVersion: controller-runtime.sigs.k8s.io/v1alpha1
    kind: ControllerManagerConfig
    health:
      healthProbeBindAddress: :8081
    metrics:
      bindAddress: 127.0.0.1:8080
    leaderElection:
      leaderElect: true
      resourceName: ngrok-ingress-controller-kubernetes-ingress-controller-leader
---
# Source: kubernetes-ingress-controller/templates/crds/ingress.k8s.ngrok.com_domains.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  name: domains.ingress.k8s.ngrok.com
spec:
  group: ingress.k8s.ngrok.com
  names:
    kind: Domain
    listKind: DomainList
    plural: domains
    singular: domain
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Domain ID
      jsonPath: .status.id
      name: ID
      type: string
    - description: Region
      jsonPath: .status.region
      name: Region
      type: string
    - description: Domain
      jsonPath: .status.domain
      name: Domain
      type: string
    - description: CNAME Target
      jsonPath: .status.cnameTarget
      name: CNAME Target
      type: string
    - description: Age
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: Domain is the Schema for the domains API
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: DomainSpec defines the desired state of Domain
            properties:
              description:
                default: Created by kubernetes-ingress-controller
                description: Description is a human-readable description of the object
                  in the ngrok API/Dashboard
                type: string
              domain:
                description: Domain is the domain name to reserve
                type: string
              metadata:
                default: '{"owned-by":"kubernetes-ingress-controller"}'
                description: Metadata is a string of arbitrary data associated with
                  the object in the ngrok API/Dashboard
                type: string
              region:
                description: Region is the region in which to reserve the domain
                type: string
            required:
            - domain
            type: object
          status:
            description: DomainStatus defines the observed state of Domain
            properties:
              cnameTarget:
                description: CNAMETarget is the CNAME target for the domain
                type: string
              domain:
                description: Domain is the domain that was reserved
                type: string
              id:
                description: ID is the unique identifier of the domain
                type: string
              region:
                description: Region is the region in which the domain was created
                type: string
              uri:
                description: URI of the reserved domain API resource
                type: string
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
# Source: kubernetes-ingress-controller/templates/crds/ingress.k8s.ngrok.com_httpsedges.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  name: httpsedges.ingress.k8s.ngrok.com
spec:
  group: ingress.k8s.ngrok.com
  names:
    kind: HTTPSEdge
    listKind: HTTPSEdgeList
    plural: httpsedges
    singular: httpsedge
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: HTTPSEdge is the Schema for the httpsedges API
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: HTTPSEdgeSpec defines the desired state of HTTPSEdge
            properties:
              description:
                default: Created by kubernetes-ingress-controller
                description: Description is a human-readable description of the object
                  in the ngrok API/Dashboard
                type: string
              hostports:
                description: Hostports is a list of hostports served by this edge
                items:
                  type: string
                type: array
              metadata:
                default: '{"owned-by":"kubernetes-ingress-controller"}'
                description: Metadata is a string of arbitrary data associated with
                  the object in the ngrok API/Dashboard
                type: string
              mutualTLS:
                properties:
                  certificateAuthorities:
                    description: |-
                      List of CA IDs that will be used to validate incoming connections to the
                      edge.
                    items:
                      type: string
                    type: array
                type: object
              routes:
                description: Routes is a list of routes served by this edge
                items:
                  properties:
                    backend:
                      description: |-
                        Backend is the definition for the tunnel group backend
                        that serves traffic for this edge
                      properties:
                        description:
                          default: Created by kubernetes-ingress-controller
                          description: Description is a human-readable description
                            of the object in the ngrok API/Dashboard
                          type: string
                        labels:
                          additionalProperties:
                            type: string
                          description: Labels to watch for tunnels on this backend
                          type: object
                        metadata:
                          default: '{"owned-by":"kubernetes-ingress-controller"}'
                          description: Metadata is a string of arbitrary data associated
                            with the object in the ngrok API/Dashboard
                          type: string
                      type: object
                    circuitBreaker:
                      description: CircuitBreaker is a circuit breaker configuration
                        to apply to this route
                      properties:
                        errorThresholdPercentage:
                          anyOf:
                          - type: integer
                          - type: string
                          description: Error threshold percentage should be between
                            0 - 1.0, not 0-100.0
                          pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                          x-kubernetes-int-or-string: true
                        numBuckets:
                          description: Integer number of buckets into which metrics
                            are retained. Max 128.
                          format: int32
                          maximum: 128
                          minimum: 1
                          type: integer
                        rollingWindow:
                          description: Statistical rolling window duration that metrics
                            are retained for.
                          format: duration
                          type: string
                        trippedDuration:
                          description: Duration after which the circuit is tripped
                            to wait before re-evaluating upstream health
                          format: duration
                          type: string
                        volumeThreshold:
                          description: |-
                            Integer number of requests in a rolling window that will trip the circuit.
                            Helpful if traffic volume is low.
                          format: int32
                          type: integer
                      type: object
                    compression:
                      description: Compression is whether or not to enable compression
                        for this route
                      properties:
                        enabled:
                          description: Enabled is whether or not to enable compression
                            for this endpoint
                          type: boolean
                      type: object
                    description:
                      default: Created by kubernetes-ingress-controller
                      description: Description is a human-readable description of
                        the object in the ngrok API/Dashboard
                      type: string
                    headers:
                      description: Headers are request/response headers to apply to
                        this route
                      properties:
                        request:
                          description: Request headers are the request headers module
                            configuration or null
                          properties:
                            add:
                              additionalProperties:
                                type: string
                              description: |-
                                a map of header key to header value that will be injected into the HTTP Request
                                before being sent to the upstream application server
                              type: object
                            remove:
                              description: |-
                                a list of header names that will be removed from the HTTP Request before being
                                sent to the upstream application server
                              items:
                                type: string
                              type: array
                          type: object
                        response:
                          description: Response headers are the response headers module
                            configuration or null
                          properties:
                            add:
                              additionalProperties:
                                type: string
                              description: |-
                                a map of header key to header value that will be injected into the HTTP Response
                                returned to the HTTP client
                              type: object
                            remove:
                              description: |-
                                a list of header names that will be removed from the HTTP Response returned to
                                the HTTP client
                              items:
                                type: string
                              type: array
                          type: object
                      type: object
                    ipRestriction:
                      description: IPRestriction is an IPRestriction to apply to this
                        route
                      properties:
                        policies:
                          items:
                            type: string
                          type: array
                      type: object
                    match:
                      description: Match is the value to match against the request
                        path
                      type: string
                    matchType:
                      description: 'MatchType is the type of match to use for this
                        route. Valid values are:'
                      enum:
                      - exact_path
                      - path_prefix
                      type: string
                    metadata:
                      default: '{"owned-by":"kubernetes-ingress-controller"}'
                      description: Metadata is a string of arbitrary data associated
                        with the object in the ngrok API/Dashboard
                      type: string
                    oauth:
                      description: OAuth configuration to apply to this route
                      properties:
                        amazon:
                          description: configuration for using amazon as the identity
                            provider
                          properties:
                            authCheckInterval:
                              description: |-
                                Duration after which ngrok guarantees it will refresh user
                                state from the identity provider and recheck whether the user is still
                                authorized to access the endpoint. This is the preferred tunable to use to
                                enforce a minimum amount of time after which a revoked user will no longer be
                                able to access the resource.
                              format: duration
                              type: string
                            clientId:
                              description: |-
                                the OAuth app client ID. retrieve it from the identity provider's dashboard
                                where you created your own OAuth app. optional. if unspecified, ngrok will use
                                its own managed oauth application which has additional restrictions. see the
                                OAuth module docs for more details. if present, clientSecret must be present as
                                well.
                              type: string
                            clientSecret:
                              description: |-
                                the OAuth app client secret. retrieve if from the identity provider's dashboard
                                where you created your own OAuth app. optional, see all of the caveats in the
                                docs for clientId.
                              properties:
                                key:
                                  description: Key in the secret to use
                                  type: string
                                name:
                                  description: Name of the Kubernetes secret
                                  type: string
                              type: object
                            cookiePrefix:
                              description: |-
                                the prefix of the session cookie that ngrok sets on the http client to cache
                                authentication. default is 'ngrok.'
                              type: string
                            emailAddresses:
                              description: |-
                                a list of email addresses of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            emailDomains:
                              description: |-
                                a list of email domains of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            inactivityTimeout:
                              description: |-
                                Duration of inactivity after which if the user has not accessed
                                the endpoint, their session will time out and they will be forced to
                                reauthenticate.
                              format: duration
                              type: string
                            maximumDuration:
                              description: |-
                                Integer number of seconds of the maximum duration of an authenticated session.
                                After this period is exceeded, a user must reauthenticate.
                              format: duration
                              type: string
                            optionsPassthrough:
                              description: |-
                                Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                                supporting CORS.
                              type: boolean
                            scopes:
                              description: |-
                                a list of provider-specific OAuth scopes with the permissions your OAuth app
                                would like to ask for. these may not be set if you are using the ngrok-managed
                                oauth app (i.e. you must pass both client_id and client_secret to set scopes)
                              items:
                                type: string
                              type: array
                          type: object
                        facebook:
                          description: configuration for using facebook as the identity
                            provider
                          properties:
                            authCheckInterval:
                              description: |-
                                Duration after which ngrok guarantees it will refresh user
                                state from the identity provider and recheck whether the user is still
                                authorized to access the endpoint. This is the preferred tunable to use to
                                enforce a minimum amount of time after which a revoked user will no longer be
                                able to access the resource.
                              format: duration
                              type: string
                            clientId:
                              description: |-
                                the OAuth app client ID. retrieve it from the identity provider's dashboard
                                where you created your own OAuth app. optional. if unspecified, ngrok will use
                                its own managed oauth application which has additional restrictions. see the
                                OAuth module docs for more details. if present, clientSecret must be present as
                                well.
                              type: string
                            clientSecret:
                              description: |-
                                the OAuth app client secret. retrieve if from the identity provider's dashboard
                                where you created your own OAuth app. optional, see all of the caveats in the
                                docs for clientId.
                              properties:
                                key:
                                  description: Key in the secret to use
                                  type: string
                                name:
                                  description: Name of the Kubernetes secret
                                  type: string
                              type: object
                            cookiePrefix:
                              description: |-
                                the prefix of the session cookie that ngrok sets on the http client to cache
                                authentication. default is 'ngrok.'
                              type: string
                            emailAddresses:
                              description: |-
                                a list of email addresses of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            emailDomains:
                              description: |-
                                a list of email domains of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            inactivityTimeout:
                              description: |-
                                Duration of inactivity after which if the user has not accessed
                                the endpoint, their session will time out and they will be forced to
                                reauthenticate.
                              format: duration
                              type: string
                            maximumDuration:
                              description: |-
                                Integer number of seconds of the maximum duration of an authenticated session.
                                After this period is exceeded, a user must reauthenticate.
                              format: duration
                              type: string
                            optionsPassthrough:
                              description: |-
                                Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                                supporting CORS.
                              type: boolean
                            scopes:
                              description: |-
                                a list of provider-specific OAuth scopes with the permissions your OAuth app
                                would like to ask for. these may not be set if you are using the ngrok-managed
                                oauth app (i.e. you must pass both client_id and client_secret to set scopes)
                              items:
                                type: string
                              type: array
                          type: object
                        github:
                          description: configuration for using github as the identity
                            provider
                          properties:
                            authCheckInterval:
                              description: |-
                                Duration after which ngrok guarantees it will refresh user
                                state from the identity provider and recheck whether the user is still
                                authorized to access the endpoint. This is the preferred tunable to use to
                                enforce a minimum amount of time after which a revoked user will no longer be
                                able to access the resource.
                              format: duration
                              type: string
                            clientId:
                              description: |-
                                the OAuth app client ID. retrieve it from the identity provider's dashboard
                                where you created your own OAuth app. optional. if unspecified, ngrok will use
                                its own managed oauth application which has additional restrictions. see the
                                OAuth module docs for more details. if present, clientSecret must be present as
                                well.
                              type: string
                            clientSecret:
                              description: |-
                                the OAuth app client secret. retrieve if from the identity provider's dashboard
                                where you created your own OAuth app. optional, see all of the caveats in the
                                docs for clientId.
                              properties:
                                key:
                                  description: Key in the secret to use
                                  type: string
                                name:
                                  description: Name of the Kubernetes secret
                                  type: string
                              type: object
                            cookiePrefix:
                              description: |-
                                the prefix of the session cookie that ngrok sets on the http client to cache
                                authentication. default is 'ngrok.'
                              type: string
                            emailAddresses:
                              description: |-
                                a list of email addresses of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            emailDomains:
                              description: |-
                                a list of email domains of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            inactivityTimeout:
                              description: |-
                                Duration of inactivity after which if the user has not accessed
                                the endpoint, their session will time out and they will be forced to
                                reauthenticate.
                              format: duration
                              type: string
                            maximumDuration:
                              description: |-
                                Integer number of seconds of the maximum duration of an authenticated session.
                                After this period is exceeded, a user must reauthenticate.
                              format: duration
                              type: string
                            optionsPassthrough:
                              description: |-
                                Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                                supporting CORS.
                              type: boolean
                            organizations:
                              description: |-
                                a list of github org identifiers. users who are members of any of the listed
                                organizations will be allowed access. identifiers should be the organization's
                                'slug'
                              items:
                                type: string
                              type: array
                            scopes:
                              description: |-
                                a list of provider-specific OAuth scopes with the permissions your OAuth app
                                would like to ask for. these may not be set if you are using the ngrok-managed
                                oauth app (i.e. you must pass both client_id and client_secret to set scopes)
                              items:
                                type: string
                              type: array
                            teams:
                              description: |-
                                a list of github teams identifiers. users will be allowed access to the endpoint
                                if they are a member of any of these teams. identifiers should be in the 'slug'
                                format qualified with the org name, e.g. org-name/team-name
                              items:
                                type: string
                              type: array
                          type: object
                        gitlab:
                          description: configuration for using gitlab as the identity
                            provider
                          properties:
                            authCheckInterval:
                              description: |-
                                Duration after which ngrok guarantees it will refresh user
                                state from the identity provider and recheck whether the user is still
                                authorized to access the endpoint. This is the preferred tunable to use to
                                enforce a minimum amount of time after which a revoked user will no longer be
                                able to access the resource.
                              format: duration
                              type: string
                            clientId:
                              description: |-
                                the OAuth app client ID. retrieve it from the identity provider's dashboard
                                where you created your own OAuth app. optional. if unspecified, ngrok will use
                                its own managed oauth application which has additional restrictions. see the
                                OAuth module docs for more details. if present, clientSecret must be present as
                                well.
                              type: string
                            clientSecret:
                              description: |-
                                the OAuth app client secret. retrieve if from the identity provider's dashboard
                                where you created your own OAuth app. optional, see all of the caveats in the
                                docs for clientId.
                              properties:
                                key:
                                  description: Key in the secret to use
                                  type: string
                                name:
                                  description: Name of the Kubernetes secret
                                  type: string
                              type: object
                            cookiePrefix:
                              description: |-
                                the prefix of the session cookie that ngrok sets on the http client to cache
                                authentication. default is 'ngrok.'
                              type: string
                            emailAddresses:
                              description: |-
                                a list of email addresses of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            emailDomains:
                              description: |-
                                a list of email domains of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            inactivityTimeout:
                              description: |-
                                Duration of inactivity after which if the user has not accessed
                                the endpoint, their session will time out and they will be forced to
                                reauthenticate.
                              format: duration
                              type: string
                            maximumDuration:
                              description: |-
                                Integer number of seconds of the maximum duration of an authenticated session.
                                After this period is exceeded, a user must reauthenticate.
                              format: duration
                              type: string
                            optionsPassthrough:
                              description: |-
                                Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                                supporting CORS.
                              type: boolean
                            scopes:
                              description: |-
                                a list of provider-specific OAuth scopes with the permissions your OAuth app
                                would like to ask for. these may not be set if you are using the ngrok-managed
                                oauth app (i.e. you must pass both client_id and client_secret to set scopes)
                              items:
                                type: string
                              type: array
                          type: object
                        google:
                          description: configuration for using google as the identity
                            provider
                          properties:
                            authCheckInterval:
                              description: |-
                                Duration after which ngrok guarantees it will refresh user
                                state from the identity provider and recheck whether the user is still
                                authorized to access the endpoint. This is the preferred tunable to use to
                                enforce a minimum amount of time after which a revoked user will no longer be
                                able to access the resource.
                              format: duration
                              type: string
                            clientId:
                              description: |-
                                the OAuth app client ID. retrieve it from the identity provider's dashboard
                                where you created your own OAuth app. optional. if unspecified, ngrok will use
                                its own managed oauth application which has additional restrictions. see the
                                OAuth module docs for more details. if present, clientSecret must be present as
                                well.
                              type: string
                            clientSecret:
                              description: |-
                                the OAuth app client secret. retrieve if from the identity provider's dashboard
                                where you created your own OAuth app. optional, see all of the caveats in the
                                docs for clientId.
                              properties:
                                key:
                                  description: Key in the secret to use
                                  type: string
                                name:
                                  description: Name of the Kubernetes secret
                                  type: string
                              type: object
                            cookiePrefix:
                              description: |-
                                the prefix of the session cookie that ngrok sets on the http client to cache
                                authentication. default is 'ngrok.'
                              type: string
                            emailAddresses:
                              description: |-
                                a list of email addresses of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            emailDomains:
                              description: |-
                                a list of email domains of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            inactivityTimeout:
                              description: |-
                                Duration of inactivity after which if the user has not accessed
                                the endpoint, their session will time out and they will be forced to
                                reauthenticate.
                              format: duration
                              type: string
                            maximumDuration:
                              description: |-
                                Integer number of seconds of the maximum duration of an authenticated session.
                                After this period is exceeded, a user must reauthenticate.
                              format: duration
                              type: string
                            optionsPassthrough:
                              description: |-
                                Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                                supporting CORS.
                              type: boolean
                            scopes:
                              description: |-
                                a list of provider-specific OAuth scopes with the permissions your OAuth app
                                would like to ask for. these may not be set if you are using the ngrok-managed
                                oauth app (i.e. you must pass both client_id and client_secret to set scopes)
                              items:
                                type: string
                              type: array
                          type: object
                        linkedin:
                          description: configuration for using linkedin as the identity
                            provider
                          properties:
                            authCheckInterval:
                              description: |-
                                Duration after which ngrok guarantees it will refresh user
                                state from the identity provider and recheck whether the user is still
                                authorized to access the endpoint. This is the preferred tunable to use to
                                enforce a minimum amount of time after which a revoked user will no longer be
                                able to access the resource.
                              format: duration
                              type: string
                            clientId:
                              description: |-
                                the OAuth app client ID. retrieve it from the identity provider's dashboard
                                where you created your own OAuth app. optional. if unspecified, ngrok will use
                                its own managed oauth application which has additional restrictions. see the
                                OAuth module docs for more details. if present, clientSecret must be present as
                                well.
                              type: string
                            clientSecret:
                              description: |-
                                the OAuth app client secret. retrieve if from the identity provider's dashboard
                                where you created your own OAuth app. optional, see all of the caveats in the
                                docs for clientId.
                              properties:
                                key:
                                  description: Key in the secret to use
                                  type: string
                                name:
                                  description: Name of the Kubernetes secret
                                  type: string
                              type: object
                            cookiePrefix:
                              description: |-
                                the prefix of the session cookie that ngrok sets on the http client to cache
                                authentication. default is 'ngrok.'
                              type: string
                            emailAddresses:
                              description: |-
                                a list of email addresses of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            emailDomains:
                              description: |-
                                a list of email domains of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            inactivityTimeout:
                              description: |-
                                Duration of inactivity after which if the user has not accessed
                                the endpoint, their session will time out and they will be forced to
                                reauthenticate.
                              format: duration
                              type: string
                            maximumDuration:
                              description: |-
                                Integer number of seconds of the maximum duration of an authenticated session.
                                After this period is exceeded, a user must reauthenticate.
                              format: duration
                              type: string
                            optionsPassthrough:
                              description: |-
                                Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                                supporting CORS.
                              type: boolean
                            scopes:
                              description: |-
                                a list of provider-specific OAuth scopes with the permissions your OAuth app
                                would like to ask for. these may not be set if you are using the ngrok-managed
                                oauth app (i.e. you must pass both client_id and client_secret to set scopes)
                              items:
                                type: string
                              type: array
                          type: object
                        microsoft:
                          description: configuration for using microsoft as the identity
                            provider
                          properties:
                            authCheckInterval:
                              description: |-
                                Duration after which ngrok guarantees it will refresh user
                                state from the identity provider and recheck whether the user is still
                                authorized to access the endpoint. This is the preferred tunable to use to
                                enforce a minimum amount of time after which a revoked user will no longer be
                                able to access the resource.
                              format: duration
                              type: string
                            clientId:
                              description: |-
                                the OAuth app client ID. retrieve it from the identity provider's dashboard
                                where you created your own OAuth app. optional. if unspecified, ngrok will use
                                its own managed oauth application which has additional restrictions. see the
                                OAuth module docs for more details. if present, clientSecret must be present as
                                well.
                              type: string
                            clientSecret:
                              description: |-
                                the OAuth app client secret. retrieve if from the identity provider's dashboard
                                where you created your own OAuth app. optional, see all of the caveats in the
                                docs for clientId.
                              properties:
                                key:
                                  description: Key in the secret to use
                                  type: string
                                name:
                                  description: Name of the Kubernetes secret
                                  type: string
                              type: object
                            cookiePrefix:
                              description: |-
                                the prefix of the session cookie that ngrok sets on the http client to cache
                                authentication. default is 'ngrok.'
                              type: string
                            emailAddresses:
                              description: |-
                                a list of email addresses of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            emailDomains:
                              description: |-
                                a list of email domains of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            inactivityTimeout:
                              description: |-
                                Duration of inactivity after which if the user has not accessed
                                the endpoint, their session will time out and they will be forced to
                                reauthenticate.
                              format: duration
                              type: string
                            maximumDuration:
                              description: |-
                                Integer number of seconds of the maximum duration of an authenticated session.
                                After this period is exceeded, a user must reauthenticate.
                              format: duration
                              type: string
                            optionsPassthrough:
                              description: |-
                                Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                                supporting CORS.
                              type: boolean
                            scopes:
                              description: |-
                                a list of provider-specific OAuth scopes with the permissions your OAuth app
                                would like to ask for. these may not be set if you are using the ngrok-managed
                                oauth app (i.e. you must pass both client_id and client_secret to set scopes)
                              items:
                                type: string
                              type: array
                          type: object
                        twitch:
                          description: configuration for using twitch as the identity
                            provider
                          properties:
                            authCheckInterval:
                              description: |-
                                Duration after which ngrok guarantees it will refresh user
                                state from the identity provider and recheck whether the user is still
                                authorized to access the endpoint. This is the preferred tunable to use to
                                enforce a minimum amount of time after which a revoked user will no longer be
                                able to access the resource.
                              format: duration
                              type: string
                            clientId:
                              description: |-
                                the OAuth app client ID. retrieve it from the identity provider's dashboard
                                where you created your own OAuth app. optional. if unspecified, ngrok will use
                                its own managed oauth application which has additional restrictions. see the
                                OAuth module docs for more details. if present, clientSecret must be present as
                                well.
                              type: string
                            clientSecret:
                              description: |-
                                the OAuth app client secret. retrieve if from the identity provider's dashboard
                                where you created your own OAuth app. optional, see all of the caveats in the
                                docs for clientId.
                              properties:
                                key:
                                  description: Key in the secret to use
                                  type: string
                                name:
                                  description: Name of the Kubernetes secret
                                  type: string
                              type: object
                            cookiePrefix:
                              description: |-
                                the prefix of the session cookie that ngrok sets on the http client to cache
                                authentication. default is 'ngrok.'
                              type: string
                            emailAddresses:
                              description: |-
                                a list of email addresses of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            emailDomains:
                              description: |-
                                a list of email domains of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            inactivityTimeout:
                              description: |-
                                Duration of inactivity after which if the user has not accessed
                                the endpoint, their session will time out and they will be forced to
                                reauthenticate.
                              format: duration
                              type: string
                            maximumDuration:
                              description: |-
                                Integer number of seconds of the maximum duration of an authenticated session.
                                After this period is exceeded, a user must reauthenticate.
                              format: duration
                              type: string
                            optionsPassthrough:
                              description: |-
                                Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                                supporting CORS.
                              type: boolean
                            scopes:
                              description: |-
                                a list of provider-specific OAuth scopes with the permissions your OAuth app
                                would like to ask for. these may not be set if you are using the ngrok-managed
                                oauth app (i.e. you must pass both client_id and client_secret to set scopes)
                              items:
                                type: string
                              type: array
                          type: object
                      type: object
                    oidc:
                      description: OIDC is the OpenID Connect configuration to apply
                        to this route
                      properties:
                        clientId:
                          description: The OIDC app's client ID and OIDC audience.
                          type: string
                        clientSecret:
                          description: The OIDC app's client secret.
                          properties:
                            key:
                              description: Key in the secret to use
                              type: string
                            name:
                              description: Name of the Kubernetes secret
                              type: string
                          type: object
                        cookiePrefix:
                          description: |-
                            the prefix of the session cookie that ngrok sets on the http client to cache
                            authentication. default is 'ngrok.'
                          type: string
                        inactivityTimeout:
                          description: |-
                            Duration of inactivity after which if the user has not accessed
                            the endpoint, their session will time out and they will be forced to
                            reauthenticate.
                          format: duration
                          type: string
                        issuer:
                          description: URL of the OIDC "OpenID provider". This is
                            the base URL used for discovery.
                          type: string
                        maximumDuration:
                          description: |-
                            The maximum duration of an authenticated session.
                            After this period is exceeded, a user must reauthenticate.
                          format: duration
                          type: string
                        optionsPassthrough:
                          description: |-
                            Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                            supporting CORS.
                          type: boolean
                        scopes:
                          description: The set of scopes to request from the OIDC
                            identity provider.
                          items:
                            type: string
                          type: array
                      type: object
                    policy:
                      description: raw json policy string that was applied to the
                        ngrok API
                      type: object
                      x-kubernetes-preserve-unknown-fields: true
                    saml:
                      description: SAML is the SAML configuration to apply to this
                        route
                      properties:
                        allowIdpInitiated:
                          description: |-
                            If true, the IdP may initiate a login directly (e.g. the user does not need to
                            visit the endpoint first and then be redirected). The IdP should set the
                            RelayState parameter to the target URL of the resource they want the user to be
                            redirected to after the SAML login assertion has been processed.
                          type: boolean
                        authorizedGroups:
                          description: |-
                            If present, only users who are a member of one of the listed groups may access
                            the target endpoint.
                          items:
                            type: string
                          type: array
                        cookiePrefix:
                          description: |-
                            the prefix of the session cookie that ngrok sets on the http client to cache
                            authentication. default is 'ngrok.'
                          type: string
                        forceAuthn:
                          description: |-
                            If true, indicates that whenever we redirect a user to the IdP for
                            authentication that the IdP must prompt the user for authentication credentials
                            even if the user already has a valid session with the IdP.
                          type: boolean
                        idpMetadata:
                          description: |-
                            The full XML IdP EntityDescriptor. Your IdP may provide this to you as a a file
                            to download or as a URL.
                          type: string
                        inactivityTimeout:
                          description: |-
                            Duration of inactivity after which if the user has not accessed
                            the endpoint, their session will time out and they will be forced to
                            reauthenticate.
                          format: duration
                          type: string
                        maximumDuration:
                          description: |-
                            The maximum duration of an authenticated session.
                            After this period is exceeded, a user must reauthenticate.
                          format: duration
                          type: string
                        nameidFormat:
                          description: |-
                            Defines the name identifier format the SP expects the IdP to use in its
                            assertions to identify subjects. If unspecified, a default value of
                            urn:oasis:names:tc:SAML:2.0:nameid-format:persistent will be used. A subset of
                            the allowed values enumerated by the SAML specification are supported.
                          type: string
                        optionsPassthrough:
                          description: |-
                            Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                            supporting CORS.
                          type: boolean
                      type: object
                    webhookVerification:
                      description: WebhookVerification is webhook verification configuration
                        to apply to this route
                      properties:
                        provider:
                          description: |-
                            a string indicating which webhook provider will be sending webhooks to this
                            endpoint. Value must be one of the supported providers defined at
                            https://ngrok.com/docs/http/webhook-verification/#supported-providers
                          type: string
                        secret:
                          description: |-
                            SecretRef is a reference to a secret containing the secret used to validate
                            requests from the given provider. All providers except AWS SNS require a secret
                          properties:
                            key:
                              description: Key in the secret to use
                              type: string
                            name:
                              description: Name of the Kubernetes secret
                              type: string
                          type: object
                      type: object
                  required:
                  - match
                  - matchType
                  type: object
                type: array
              tlsTermination:
                description: TLSTermination is the TLS termination configuration for
                  this edge
                properties:
                  minVersion:
                    description: MinVersion is the minimum TLS version to allow for
                      connections to the edge
                    type: string
                type: object
            type: object
          status:
            description: HTTPSEdgeStatus defines the observed state of HTTPSEdge
            properties:
              id:
                description: ID is the unique identifier for this edge
                type: string
              routes:
                items:
                  properties:
                    backend:
                      description: |-
                        Backend stores the status of the tunnel group backend,
                        mainly the ID of the backend
                      properties:
                        id:
                          description: ID is the unique identifier for this backend
                          type: string
                      type: object
                    id:
                      description: ID is the unique identifier for this route
                      type: string
                    match:
                      type: string
                    matchType:
                      type: string
                    uri:
                      description: URI is the URI for this route
                      type: string
                  type: object
                type: array
              uri:
                description: URI is the URI for this edge
                type: string
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
# Source: kubernetes-ingress-controller/templates/crds/ingress.k8s.ngrok.com_ippolicies.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  name: ippolicies.ingress.k8s.ngrok.com
spec:
  group: ingress.k8s.ngrok.com
  names:
    kind: IPPolicy
    listKind: IPPolicyList
    plural: ippolicies
    singular: ippolicy
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: IPPolicy ID
      jsonPath: .status.id
      name: ID
      type: string
    - description: Age
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: IPPolicy is the Schema for the ippolicies API
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: IPPolicySpec defines the desired state of IPPolicy
            properties:
              description:
                default: Created by kubernetes-ingress-controller
                description: Description is a human-readable description of the object
                  in the ngrok API/Dashboard
                type: string
              metadata:
                default: '{"owned-by":"kubernetes-ingress-controller"}'
                description: Metadata is a string of arbitrary data associated with
                  the object in the ngrok API/Dashboard
                type: string
              rules:
                description: Rules is a list of rules that belong to the policy
                items:
                  properties:
                    action:
                      enum:
                      - allow
                      - deny
                      type: string
                    cidr:
                      type: string
                    description:
                      default: Created by kubernetes-ingress-controller
                      description: Description is a human-readable description of
                        the object in the ngrok API/Dashboard
                      type: string
                    metadata:
                      default: '{"owned-by":"kubernetes-ingress-controller"}'
                      description: Metadata is a string of arbitrary data associated
                        with the object in the ngrok API/Dashboard
                      type: string
                  type: object
                type: array
            type: object
          status:
            description: IPPolicyStatus defines the observed state of IPPolicy
            properties:
              id:
                description: |-
                  INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
                  Important: Run "make" to regenerate code after modifying this file
                type: string
              rules:
                items:
                  properties:
                    action:
                      type: string
                    cidr:
                      type: string
                    id:
                      type: string
                  type: object
                type: array
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
# Source: kubernetes-ingress-controller/templates/crds/ingress.k8s.ngrok.com_ngrokmodulesets.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  name: ngrokmodulesets.ingress.k8s.ngrok.com
spec:
  group: ingress.k8s.ngrok.com
  names:
    kind: NgrokModuleSet
    listKind: NgrokModuleSetList
    plural: ngrokmodulesets
    singular: ngrokmoduleset
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: NgrokModuleSet is the Schema for the ngrokmodules API
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          modules:
            properties:
              circuitBreaker:
                description: CircuitBreaker configuration for this module set
                properties:
                  errorThresholdPercentage:
                    anyOf:
                    - type: integer
                    - type: string
                    description: Error threshold percentage should be between 0 -
                      1.0, not 0-100.0
                    pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                    x-kubernetes-int-or-string: true
                  numBuckets:
                    description: Integer number of buckets into which metrics are
                      retained. Max 128.
                    format: int32
                    maximum: 128
                    minimum: 1
                    type: integer
                  rollingWindow:
                    description: Statistical rolling window duration that metrics
                      are retained for.
                    format: duration
                    type: string
                  trippedDuration:
                    description: Duration after which the circuit is tripped to wait
                      before re-evaluating upstream health
                    format: duration
                    type: string
                  volumeThreshold:
                    description: |-
                      Integer number of requests in a rolling window that will trip the circuit.
                      Helpful if traffic volume is low.
                    format: int32
                    type: integer
                type: object
              compression:
                description: Compression configuration for this module set
                properties:
                  enabled:
                    description: Enabled is whether or not to enable compression for
                      this endpoint
                    type: boolean
                type: object
              headers:
                description: Header configuration for this module set
                properties:
                  request:
                    description: Request headers are the request headers module configuration
                      or null
                    properties:
                      add:
                        additionalProperties:
                          type: string
                        description: |-
                          a map of header key to header value that will be injected into the HTTP Request
                          before being sent to the upstream application server
                        type: object
                      remove:
                        description: |-
                          a list of header names that will be removed from the HTTP Request before being
                          sent to the upstream application server
                        items:
                          type: string
                        type: array
                    type: object
                  response:
                    description: Response headers are the response headers module
                      configuration or null
                    properties:
                      add:
                        additionalProperties:
                          type: string
                        description: |-
                          a map of header key to header value that will be injected into the HTTP Response
                          returned to the HTTP client
                        type: object
                      remove:
                        description: |-
                          a list of header names that will be removed from the HTTP Response returned to
                          the HTTP client
                        items:
                          type: string
                        type: array
                    type: object
                type: object
              ipRestriction:
                description: IPRestriction configuration for this module set
                properties:
                  policies:
                    items:
                      type: string
                    type: array
                type: object
              mutualTLS:
                description: MutualTLS configuration for this module set
                properties:
                  certificateAuthorities:
                    description: |-
                      List of CA IDs that will be used to validate incoming connections to the
                      edge.
                    items:
                      type: string
                    type: array
                type: object
              oauth:
                description: OAuth configuration for this module set
                properties:
                  amazon:
                    description: configuration for using amazon as the identity provider
                    properties:
                      authCheckInterval:
                        description: |-
                          Duration after which ngrok guarantees it will refresh user
                          state from the identity provider and recheck whether the user is still
                          authorized to access the endpoint. This is the preferred tunable to use to
                          enforce a minimum amount of time after which a revoked user will no longer be
                          able to access the resource.
                        format: duration
                        type: string
                      clientId:
                        description: |-
                          the OAuth app client ID. retrieve it from the identity provider's dashboard
                          where you created your own OAuth app. optional. if unspecified, ngrok will use
                          its own managed oauth application which has additional restrictions. see the
                          OAuth module docs for more details. if present, clientSecret must be present as
                          well.
                        type: string
                      clientSecret:
                        description: |-
                          the OAuth app client secret. retrieve if from the identity provider's dashboard
                          where you created your own OAuth app. optional, see all of the caveats in the
                          docs for clientId.
                        properties:
                          key:
                            description: Key in the secret to use
                            type: string
                          name:
                            description: Name of the Kubernetes secret
                            type: string
                        type: object
                      cookiePrefix:
                        description: |-
                          the prefix of the session cookie that ngrok sets on the http client to cache
                          authentication. default is 'ngrok.'
                        type: string
                      emailAddresses:
                        description: |-
                          a list of email addresses of users authenticated by identity provider who are
                          allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      emailDomains:
                        description: |-
                          a list of email domains of users authenticated by identity provider who are
                          allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      inactivityTimeout:
                        description: |-
                          Duration of inactivity after which if the user has not accessed
                          the endpoint, their session will time out and they will be forced to
                          reauthenticate.
                        format: duration
                        type: string
                      maximumDuration:
                        description: |-
                          Integer number of seconds of the maximum duration of an authenticated session.
                          After this period is exceeded, a user must reauthenticate.
                        format: duration
                        type: string
                      optionsPassthrough:
                        description: |-
                          Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                          supporting CORS.
                        type: boolean
                      scopes:
                        description: |-
                          a list of provider-specific OAuth scopes with the permissions your OAuth app
                          would like to ask for. these may not be set if you are using the ngrok-managed
                          oauth app (i.e. you must pass both client_id and client_secret to set scopes)
                        items:
                          type: string
                        type: array
                    type: object
                  facebook:
                    description: configuration for using facebook as the identity
                      provider
                    properties:
                      authCheckInterval:
                        description: |-
                          Duration after which ngrok guarantees it will refresh user
                          state from the identity provider and recheck whether the user is still
                          authorized to access the endpoint. This is the preferred tunable to use to
                          enforce a minimum amount of time after which a revoked user will no longer be
                          able to access the resource.
                        format: duration
                        type: string
                      clientId:
                        description: |-
                          the OAuth app client ID. retrieve it from the identity provider's dashboard
                          where you created your own OAuth app. optional. if unspecified, ngrok will use
                          its own managed oauth application which has additional restrictions. see the
                          OAuth module docs for more details. if present, clientSecret must be present as
                          well.
                        type: string
                      clientSecret:
                        description: |-
                          the OAuth app client secret. retrieve if from the identity provider's dashboard
                          where you created your own OAuth app. optional, see all of the caveats in the
                          docs for clientId.
                        properties:
                          key:
                            description: Key in the secret to use
                            type: string
                          name:
                            description: Name of the Kubernetes secret
                            type: string
                        type: object
                      cookiePrefix:
                        description: |-
                          the prefix of the session cookie that ngrok sets on the http client to cache
                          authentication. default is 'ngrok.'
                        type: string
                      emailAddresses:
                        description: |-
                          a list of email addresses of users authenticated by identity provider who are
                          allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      emailDomains:
                        description: |-
                          a list of email domains of users authenticated by identity provider who are
                          allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      inactivityTimeout:
                        description: |-
                          Duration of inactivity after which if the user has not accessed
                          the endpoint, their session will time out and they will be forced to
                          reauthenticate.
                        format: duration
                        type: string
                      maximumDuration:
                        description: |-
                          Integer number of seconds of the maximum duration of an authenticated session.
                          After this period is exceeded, a user must reauthenticate.
                        format: duration
                        type: string
                      optionsPassthrough:
                        description: |-
                          Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                          supporting CORS.
                        type: boolean
                      scopes:
                        description: |-
                          a list of provider-specific OAuth scopes with the permissions your OAuth app
                          would like to ask for. these may not be set if you are using the ngrok-managed
                          oauth app (i.e. you must pass both client_id and client_secret to set scopes)
                        items:
                          type: string
                        type: array
                    type: object
                  github:
                    description: configuration for using github as the identity provider
                    properties:
                      authCheckInterval:
                        description: |-
                          Duration after which ngrok guarantees it will refresh user
                          state from the identity provider and recheck whether the user is still
                          authorized to access the endpoint. This is the preferred tunable to use to
                          enforce a minimum amount of time after which a revoked user will no longer be
                          able to access the resource.
                        format: duration
                        type: string
                      clientId:
                        description: |-
                          the OAuth app client ID. retrieve it from the identity provider's dashboard
                          where you created your own OAuth app. optional. if unspecified, ngrok will use
                          its own managed oauth application which has additional restrictions. see the
                          OAuth module docs for more details. if present, clientSecret must be present as
                          well.
                        type: string
                      clientSecret:
                        description: |-
                          the OAuth app client secret. retrieve if from the identity provider's dashboard
                          where you created your own OAuth app. optional, see all of the caveats in the
                          docs for clientId.
                        properties:
                          key:
                            description: Key in the secret to use
                            type: string
                          name:
                            description: Name of the Kubernetes secret
                            type: string
                        type: object
                      cookiePrefix:
                        description: |-
                          the prefix of the session cookie that ngrok sets on the http client to cache
                          authentication. default is 'ngrok.'
                        type: string
                      emailAddresses:
                        description: |-
                          a list of email addresses of users authenticated by identity provider who are
                          allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      emailDomains:
                        description: |-
                          a list of email domains of users authenticated by identity provider who are
                          allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      inactivityTimeout:
                        description: |-
                          Duration of inactivity after which if the user has not accessed
                          the endpoint, their session will time out and they will be forced to
                          reauthenticate.
                        format: duration
                        type: string
                      maximumDuration:
                        description: |-
                          Integer number of seconds of the maximum duration of an authenticated session.
                          After this period is exceeded, a user must reauthenticate.
                        format: duration
                        type: string
                      optionsPassthrough:
                        description: |-
                          Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                          supporting CORS.
                        type: boolean
                      organizations:
                        description: |-
                          a list of github org identifiers. users who are members of any of the listed
                          organizations will be allowed access. identifiers should be the organization's
                          'slug'
                        items:
                          type: string
                        type: array
                      scopes:
                        description: |-
                          a list of provider-specific OAuth scopes with the permissions your OAuth app
                          would like to ask for. these may not be set if you are using the ngrok-managed
                          oauth app (i.e. you must pass both client_id and client_secret to set scopes)
                        items:
                          type: string
                        type: array
                      teams:
                        description: |-
                          a list of github teams identifiers. users will be allowed access to the endpoint
                          if they are a member of any of these teams. identifiers should be in the 'slug'
                          format qualified with the org name, e.g. org-name/team-name
                        items:
                          type: string
                        type: array
                    type: object
                  gitlab:
                    description: configuration for using gitlab as the identity provider
                    properties:
                      authCheckInterval:
                        description: |-
                          Duration after which ngrok guarantees it will refresh user
                          state from the identity provider and recheck whether the user is still
                          authorized to access the endpoint. This is the preferred tunable to use to
                          enforce a minimum amount of time after which a revoked user will no longer be
                          able to access the resource.
                        format: duration
                        type: string
                      clientId:
                        description: |-
                          the OAuth app client ID. retrieve it from the identity provider's dashboard
                          where you created your own OAuth app. optional. if unspecified, ngrok will use
                          its own managed oauth application which has additional restrictions. see the
                          OAuth module docs for more details. if present, clientSecret must be present as
                          well.
                        type: string
                      clientSecret:
                        description: |-
                          the OAuth app client secret. retrieve if from the identity provider's dashboard
                          where you created your own OAuth app. optional, see all of the caveats in the
                          docs for clientId.
                        properties:
                          key:
                            description: Key in the secret to use
                            type: string
                          name:
                            description: Name of the Kubernetes secret
                            type: string
                        type: object
                      cookiePrefix:
                        description: |-
                          the prefix of the session cookie that ngrok sets on the http client to cache
                          authentication. default is 'ngrok.'
                        type: string
                      emailAddresses:
                        description: |-
                          a list of email addresses of users authenticated by identity provider who are
                          allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      emailDomains:
                        description: |-
                          a list of email domains of users authenticated by identity provider who are
                          allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      inactivityTimeout:
                        description: |-
                          Duration of inactivity after which if the user has not accessed
                          the endpoint, their session will time out and they will be forced to
                          reauthenticate.
                        format: duration
                        type: string
                      maximumDuration:
                        description: |-
                          Integer number of seconds of the maximum duration of an authenticated session.
                          After this period is exceeded, a user must reauthenticate.
                        format: duration
                        type: string
                      optionsPassthrough:
                        description: |-
                          Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                          supporting CORS.
                        type: boolean
                      scopes:
                        description: |-
                          a list of provider-specific OAuth scopes with the permissions your OAuth app
                          would like to ask for. these may not be set if you are using the ngrok-managed
                          oauth app (i.e. you must pass both client_id and client_secret to set scopes)
                        items:
                          type: string
                        type: array
                    type: object
                  google:
                    description: configuration for using google as the identity provider
                    properties:
                      authCheckInterval:
                        description: |-
                          Duration after which ngrok guarantees it will refresh user
                          state from the identity provider and recheck whether the user is still
                          authorized to access the endpoint. This is the preferred tunable to use to
                          enforce a minimum amount of time after which a revoked user will no longer be
                          able to access the resource.
                        format: duration
                        type: string
                      clientId:
                        description: |-
                          the OAuth app client ID. retrieve it from the identity provider's dashboard
                          where you created your own OAuth app. optional. if unspecified, ngrok will use
                          its own managed oauth application which has additional restrictions. see the
                          OAuth module docs for more details. if present, clientSecret must be present as
                          well.
                        type: string
                      clientSecret:
                        description: |-
                          the OAuth app client secret. retrieve if from the identity provider's dashboard
                          where you created your own OAuth app. optional, see all of the caveats in the
                          docs for clientId.
                        properties:
                          key:
                            description: Key in the secret to use
                            type: string
                          name:
                            description: Name of the Kubernetes secret
                            type: string
                        type: object
                      cookiePrefix:
                        description: |-
                          the prefix of the session cookie that ngrok sets on the http client to cache
                          authentication. default is 'ngrok.'
                        type: string
                      emailAddresses:
                        description: |-
                          a list of email addresses of users authenticated by identity provider who are
                          allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      emailDomains:
                        description: |-
                          a list of email domains of users authenticated by identity provider who are
                          allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      inactivityTimeout:
                        description: |-
                          Duration of inactivity after which if the user has not accessed
                          the endpoint, their session will time out and they will be forced to
                          reauthenticate.
                        format: duration
                        type: string
                      maximumDuration:
                        description: |-
                          Integer number of seconds of the maximum duration of an authenticated session.
                          After this period is exceeded, a user must reauthenticate.
                        format: duration
                        type: string
                      optionsPassthrough:
                        description: |-
                          Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                          supporting CORS.
                        type: boolean
                      scopes:
                        description: |-
                          a list of provider-specific OAuth scopes with the permissions your OAuth app
                          would like to ask for. these may not be set if you are using the ngrok-managed
                          oauth app (i.e. you must pass both client_id and client_secret to set scopes)
                        items:
                          type: string
                        type: array
                    type: object
                  linkedin:
                    description: configuration for using linkedin as the identity
                      provider
                    properties:
                      authCheckInterval:
                        description: |-
                          Duration after which ngrok guarantees it will refresh user
                          state from the identity provider and recheck whether the user is still
                          authorized to access the endpoint. This is the preferred tunable to use to
                          enforce a minimum amount of time after which a revoked user will no longer be
                          able to access the resource.
                        format: duration
                        type: string
                      clientId:
                        description: |-
                          the OAuth app client ID. retrieve it from the identity provider's dashboard
                          where you created your own OAuth app. optional. if unspecified, ngrok will use
                          its own managed oauth application which has additional restrictions. see the
                          OAuth module docs for more details. if present, clientSecret must be present as
                          well.
                        type: string
                      clientSecret:
                        description: |-
                          the OAuth app client secret. retrieve if from the identity provider's dashboard
                          where you created your own OAuth app. optional, see all of the caveats in the
                          docs for clientId.
                        properties:
                          key:
                            description: Key in the secret to use
                            type: string
                          name:
                            description: Name of the Kubernetes secret
                            type: string
                        type: object
                      cookiePrefix:
                        description: |-
                          the prefix of the session cookie that ngrok sets on the http client to cache
                          authentication. default is 'ngrok.'
                        type: string
                      emailAddresses:
                        description: |-
                          a list of email addresses of users authenticated by identity provider who are
                          allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      emailDomains:
                        description: |-
                          a list of email domains of users authenticated by identity provider who are
                          allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      inactivityTimeout:
                        description: |-
                          Duration of inactivity after which if the user has not accessed
                          the endpoint, their session will time out and they will be forced to
                          reauthenticate.
                        format: duration
                        type: string
                      maximumDuration:
                        description: |-
                          Integer number of seconds of the maximum duration of an authenticated session.
                          After this period is exceeded, a user must reauthenticate.
                        format: duration
                        type: string
                      optionsPassthrough:
                        description: |-
                          Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                          supporting CORS.
                        type: boolean
                      scopes:
                        description: |-
                          a list of provider-specific OAuth scopes with the permissions your OAuth app
                          would like to ask for. these may not be set if you are using the ngrok-managed
                          oauth app (i.e. you must pass both client_id and client_secret to set scopes)
                        items:
                          type: string
                        type: array
                    type: object
                  microsoft:
                    description: configuration for using microsoft as the identity
                      provider
                    properties:
                      authCheckInterval:
                        description: |-
                          Duration after which ngrok guarantees it will refresh user
                          state from the identity provider and recheck whether the user is still
                          authorized to access the endpoint. This is the preferred tunable to use to
                          enforce a minimum amount of time after which a revoked user will no longer be
                          able to access the resource.
                        format: duration
                        type: string
                      clientId:
                        description: |-
                          the OAuth app client ID. retrieve it from the identity provider's dashboard
                          where you created your own OAuth app. optional. if unspecified, ngrok will use
                          its own managed oauth application which has additional restrictions. see the
                          OAuth module docs for more details. if present, clientSecret must be present as
                          well.
                        type: string
                      clientSecret:
                        description: |-
                          the OAuth app client secret. retrieve if from the identity provider's dashboard
                          where you created your own OAuth app. optional, see all of the caveats in the
                          docs for clientId.
                        properties:
                          key:
                            description: Key in the secret to use
                            type: string
                          name:
                            description: Name of the Kubernetes secret
                            type: string
                        type: object
                      cookiePrefix:
                        description: |-
                          the prefix of the session cookie that ngrok sets on the http client to cache
                          authentication. default is 'ngrok.'
                        type: string
                      emailAddresses:
                        description: |-
                          a list of email addresses of users authenticated by identity provider who are
                          allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      emailDomains:
                        description: |-
                          a list of email domains of users authenticated by identity provider who are
                          allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      inactivityTimeout:
                        description: |-
                          Duration of inactivity after which if the user has not accessed
                          the endpoint, their session will time out and they will be forced to
                          reauthenticate.
                        format: duration
                        type: string
                      maximumDuration:
                        description: |-
                          Integer number of seconds of the maximum duration of an authenticated session.
                          After this period is exceeded, a user must reauthenticate.
                        format: duration
                        type: string
                      optionsPassthrough:
                        description: |-
                          Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                          supporting CORS.
                        type: boolean
                      scopes:
                        description: |-
                          a list of provider-specific OAuth scopes with the permissions your OAuth app
                          would like to ask for. these may not be set if you are using the ngrok-managed
                          oauth app (i.e. you must pass both client_id and client_secret to set scopes)
                        items:
                          type: string
                        type: array
                    type: object
                  twitch:
                    description: configuration for using twitch as the identity provider
                    properties:
                      authCheckInterval:
                        description: |-
                          Duration after which ngrok guarantees it will refresh user
                          state from the identity provider and recheck whether the user is still
                          authorized to access the endpoint. This is the preferred tunable to use to
                          enforce a minimum amount of time after which a revoked user will no longer be
                          able to access the resource.
                        format: duration
                        type: string
                      clientId:
                        description: |-
                          the OAuth app client ID. retrieve it from the identity provider's dashboard
                          where you created your own OAuth app. optional. if unspecified, ngrok will use
                          its own managed oauth application which has additional restrictions. see the
                          OAuth module docs for more details. if present, clientSecret must be present as
                          well.
                        type: string
                      clientSecret:
                        description: |-
                          the OAuth app client secret. retrieve if from the identity provider's dashboard
                          where you created your own OAuth app. optional, see all of the caveats in the
                          docs for clientId.
                        properties:
                          key:
                            description: Key in the secret to use
                            type: string
                          name:
                            description: Name of the Kubernetes secret
                            type: string
                        type: object
                      cookiePrefix:
                        description: |-
                          the prefix of the session cookie that ngrok sets on the http client to cache
                          authentication. default is 'ngrok.'
                        type: string
                      emailAddresses:
                        description: |-
                          a list of email addresses of users authenticated by identity provider who are
                          allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      emailDomains:
                        description: |-
                          a list of email domains of users authenticated by identity provider who are
                          allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      inactivityTimeout:
                        description: |-
                          Duration of inactivity after which if the user has not accessed
                          the endpoint, their session will time out and they will be forced to
                          reauthenticate.
                        format: duration
                        type: string
                      maximumDuration:
                        description: |-
                          Integer number of seconds of the maximum duration of an authenticated session.
                          After this period is exceeded, a user must reauthenticate.
                        format: duration
                        type: string
                      optionsPassthrough:
                        description: |-
                          Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                          supporting CORS.
                        type: boolean
                      scopes:
                        description: |-
                          a list of provider-specific OAuth scopes with the permissions your OAuth app
                          would like to ask for. these may not be set if you are using the ngrok-managed
                          oauth app (i.e. you must pass both client_id and client_secret to set scopes)
                        items:
                          type: string
                        type: array
                    type: object
                type: object
              oidc:
                description: OIDC configuration for this module set
                properties:
                  clientId:
                    description: The OIDC app's client ID and OIDC audience.
                    type: string
                  clientSecret:
                    description: The OIDC app's client secret.
                    properties:
                      key:
                        description: Key in the secret to use
                        type: string
                      name:
                        description: Name of the Kubernetes secret
                        type: string
                    type: object
                  cookiePrefix:
                    description: |-
                      the prefix of the session cookie that ngrok sets on the http client to cache
                      authentication. default is 'ngrok.'
                    type: string
                  inactivityTimeout:
                    description: |-
                      Duration of inactivity after which if the user has not accessed
                      the endpoint, their session will time out and they will be forced to
                      reauthenticate.
                    format: duration
                    type: string
                  issuer:
                    description: URL of the OIDC "OpenID provider". This is the base
                      URL used for discovery.
                    type: string
                  maximumDuration:
                    description: |-
                      The maximum duration of an authenticated session.
                      After this period is exceeded, a user must reauthenticate.
                    format: duration
                    type: string
                  optionsPassthrough:
                    description: |-
                      Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                      supporting CORS.
                    type: boolean
                  scopes:
                    description: The set of scopes to request from the OIDC identity
                      provider.
                    items:
                      type: string
                    type: array
                type: object
              policy:
                description: Policy configuration for this module set
                properties:
                  enabled:
                    description: Determines if the rule will be applied to traffic
                    type: boolean
                  inbound:
                    description: Inbound traffic rule
                    items:
                      properties:
                        actions:
                          description: Actions
                          items:
                            properties:
                              config:
                                type: object
                                x-kubernetes-preserve-unknown-fields: true
                              type:
                                type: string
                            type: object
                          type: array
                        expressions:
                          description: Expressions
                          items:
                            type: string
                          type: array
                        name:
                          description: Name
                          type: string
                      type: object
                    type: array
                  outbound:
                    description: Outbound traffic rule
                    items:
                      properties:
                        actions:
                          description: Actions
                          items:
                            properties:
                              config:
                                type: object
                                x-kubernetes-preserve-unknown-fields: true
                              type:
                                type: string
                            type: object
                          type: array
                        expressions:
                          description: Expressions
                          items:
                            type: string
                          type: array
                        name:
                          description: Name
                          type: string
                      type: object
                    type: array
                type: object
              saml:
                description: SAML configuration for this module set
                properties:
                  allowIdpInitiated:
                    description: |-
                      If true, the IdP may initiate a login directly (e.g. the user does not need to
                      visit the endpoint first and then be redirected). The IdP should set the
                      RelayState parameter to the target URL of the resource they want the user to be
                      redirected to after the SAML login assertion has been processed.
                    type: boolean
                  authorizedGroups:
                    description: |-
                      If present, only users who are a member of one of the listed groups may access
                      the target endpoint.
                    items:
                      type: string
                    type: array
                  cookiePrefix:
                    description: |-
                      the prefix of the session cookie that ngrok sets on the http client to cache
                      authentication. default is 'ngrok.'
                    type: string
                  forceAuthn:
                    description: |-
                      If true, indicates that whenever we redirect a user to the IdP for
                      authentication that the IdP must prompt the user for authentication credentials
                      even if the user already has a valid session with the IdP.
                    type: boolean
                  idpMetadata:
                    description: |-
                      The full XML IdP EntityDescriptor. Your IdP may provide this to you as a a file
                      to download or as a URL.
                    type: string
                  inactivityTimeout:
                    description: |-
                      Duration of inactivity after which if the user has not accessed
                      the endpoint, their session will time out and they will be forced to
                      reauthenticate.
                    format: duration
                    type: string
                  maximumDuration:
                    description: |-
                      The maximum duration of an authenticated session.
                      After this period is exceeded, a user must reauthenticate.
                    format: duration
                    type: string
                  nameidFormat:
                    description: |-
                      Defines the name identifier format the SP expects the IdP to use in its
                      assertions to identify subjects. If unspecified, a default value of
                      urn:oasis:names:tc:SAML:2.0:nameid-format:persistent will be used. A subset of
                      the allowed values enumerated by the SAML specification are supported.
                    type: string
                  optionsPassthrough:
                    description: |-
                      Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                      supporting CORS.
                    type: boolean
                type: object
              tlsTermination:
                description: TLSTermination configuration for this module set
                properties:
                  minVersion:
                    description: MinVersion is the minimum TLS version to allow for
                      connections to the edge
                    type: string
                  terminateAt:
                    description: |-
                      TerminateAt determines where the TLS connection should be terminated.
                      "edge" if the ngrok edge should terminate TLS traffic, "upstream" if TLS
                      traffic should be passed through to the upstream ngrok agent /
                      application server for termination.
                    type: string
                type: object
              webhookVerification:
                description: WebhookVerification configuration for this module set
                properties:
                  provider:
                    description: |-
                      a string indicating which webhook provider will be sending webhooks to this
                      endpoint. Value must be one of the supported providers defined at
                      https://ngrok.com/docs/http/webhook-verification/#supported-providers
                    type: string
                  secret:
                    description: |-
                      SecretRef is a reference to a secret containing the secret used to validate
                      requests from the given provider. All providers except AWS SNS require a secret
                    properties:
                      key:
                        description: Key in the secret to use
                        type: string
                      name:
                        description: Name of the Kubernetes secret
                        type: string
                    type: object
                type: object
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
# Source: kubernetes-ingress-controller/templates/crds/ingress.k8s.ngrok.com_tcpedges.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  name: tcpedges.ingress.k8s.ngrok.com
spec:
  group: ingress.k8s.ngrok.com
  names:
    kind: TCPEdge
    listKind: TCPEdgeList
    plural: tcpedges
    singular: tcpedge
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Domain ID
      jsonPath: .status.id
      name: ID
      type: string
    - description: Hostports
      jsonPath: .status.hostports
      name: Hostports
      type: string
    - description: Tunnel Group Backend ID
      jsonPath: .status.backend.id
      name: Backend ID
      type: string
    - description: Age
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: TCPEdge is the Schema for the tcpedges API
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: TCPEdgeSpec defines the desired state of TCPEdge
            properties:
              backend:
                description: |-
                  Backend is the definition for the tunnel group backend
                  that serves traffic for this edge
                properties:
                  description:
                    default: Created by kubernetes-ingress-controller
                    description: Description is a human-readable description of the
                      object in the ngrok API/Dashboard
                    type: string
                  labels:
                    additionalProperties:
                      type: string
                    description: Labels to watch for tunnels on this backend
                    type: object
                  metadata:
                    default: '{"owned-by":"kubernetes-ingress-controller"}'
                    description: Metadata is a string of arbitrary data associated
                      with the object in the ngrok API/Dashboard
                    type: string
                type: object
              description:
                default: Created by kubernetes-ingress-controller
                description: Description is a human-readable description of the object
                  in the ngrok API/Dashboard
                type: string
              ipRestriction:
                description: IPRestriction is an IPRestriction to apply to this edge
                properties:
                  policies:
                    items:
                      type: string
                    type: array
                type: object
              metadata:
                default: '{"owned-by":"kubernetes-ingress-controller"}'
                description: Metadata is a string of arbitrary data associated with
                  the object in the ngrok API/Dashboard
                type: string
              policy:
                description: raw json policy string that was applied to the ngrok
                  API
                type: object
                x-kubernetes-preserve-unknown-fields: true
            type: object
          status:
            description: TCPEdgeStatus defines the observed state of TCPEdge
            properties:
              backend:
                description: |-
                  Backend stores the status of the tunnel group backend,
                  mainly the ID of the backend
                properties:
                  id:
                    description: ID is the unique identifier for this backend
                    type: string
                type: object
              hostports:
                description: Hostports served by this edge
                items:
                  type: string
                type: array
              id:
                description: ID is the unique identifier for this edge
                type: string
              uri:
                description: URI is the URI of the edge
                type: string
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
# Source: kubernetes-ingress-controller/templates/crds/ingress.k8s.ngrok.com_tlsedges.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  name: tlsedges.ingress.k8s.ngrok.com
spec:
  group: ingress.k8s.ngrok.com
  names:
    kind: TLSEdge
    listKind: TLSEdgeList
    plural: tlsedges
    singular: tlsedge
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Domain ID
      jsonPath: .status.id
      name: ID
      type: string
    - description: Hostports
      jsonPath: .status.hostports
      name: Hostports
      type: string
    - description: Tunnel Group Backend ID
      jsonPath: .status.backend.id
      name: Backend ID
      type: string
    - description: Age
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: TLSEdge is the Schema for the tlsedges API
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: TLSEdgeSpec defines the desired state of TLSEdge
            properties:
              backend:
                description: |-
                  Backend is the definition for the tunnel group backend
                  that serves traffic for this edge
                properties:
                  description:
                    default: Created by kubernetes-ingress-controller
                    description: Description is a human-readable description of the
                      object in the ngrok API/Dashboard
                    type: string
                  labels:
                    additionalProperties:
                      type: string
                    description: Labels to watch for tunnels on this backend
                    type: object
                  metadata:
                    default: '{"owned-by":"kubernetes-ingress-controller"}'
                    description: Metadata is a string of arbitrary data associated
                      with the object in the ngrok API/Dashboard
                    type: string
                type: object
              description:
                default: Created by kubernetes-ingress-controller
                description: Description is a human-readable description of the object
                  in the ngrok API/Dashboard
                type: string
              hostports:
                description: Hostports is a list of hostports served by this edge
                items:
                  type: string
                type: array
              ipRestriction:
                description: IPRestriction is an IPRestriction to apply to this edge
                properties:
                  policies:
                    items:
                      type: string
                    type: array
                type: object
              metadata:
                default: '{"owned-by":"kubernetes-ingress-controller"}'
                description: Metadata is a string of arbitrary data associated with
                  the object in the ngrok API/Dashboard
                type: string
              mutualTls:
                properties:
                  certificateAuthorities:
                    description: |-
                      List of CA IDs that will be used to validate incoming connections to the
                      edge.
                    items:
                      type: string
                    type: array
                type: object
              policy:
                description: raw json policy string that was applied to the ngrok
                  API
                type: object
                x-kubernetes-preserve-unknown-fields: true
              tlsTermination:
                properties:
                  minVersion:
                    description: MinVersion is the minimum TLS version to allow for
                      connections to the edge
                    type: string
                  terminateAt:
                    description: |-
                      TerminateAt determines where the TLS connection should be terminated.
                      "edge" if the ngrok edge should terminate TLS traffic, "upstream" if TLS
                      traffic should be passed through to the upstream ngrok agent /
                      application server for termination.
                    type: string
                type: object
            type: object
          status:
            description: TLSEdgeStatus defines the observed state of TLSEdge
            properties:
              backend:
                description: |-
                  Backend stores the status of the tunnel group backend,
                  mainly the ID of the backend
                properties:
                  id:
                    description: ID is the unique identifier for this backend
                    type: string
                type: object
              cnameTargets:
                additionalProperties:
                  type: string
                description: Map of hostports to the ngrok assigned CNAME targets
                type: object
              hostports:
                description: Hostports served by this edge
                items:
                  type: string
                type: array
              id:
                description: ID is the unique identifier for this edge
                type: string
              uri:
                description: URI is the URI of the edge
                type: string
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
# Source: kubernetes-ingress-controller/templates/crds/ingress.k8s.ngrok.com_tunnels.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  name: tunnels.ingress.k8s.ngrok.com
spec:
  group: ingress.k8s.ngrok.com
  names:
    kind: Tunnel
    listKind: TunnelList
    plural: tunnels
    singular: tunnel
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Service/port to forward to
      jsonPath: .spec.forwardsTo
      name: ForwardsTo
      type: string
    - description: Age
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: Tunnel is the Schema for the tunnels API
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: TunnelSpec defines the desired state of Tunnel
            properties:
              appProtocol:
                description: The appProtocol for the backend. Currently only supports
                  `http2`
                type: string
              backend:
                description: The configuration for backend connections to services
                properties:
                  protocol:
                    type: string
                type: object
              forwardsTo:
                description: ForwardsTo is the name and port of the service to forward
                  traffic to
                type: string
              labels:
                additionalProperties:
                  type: string
                description: Labels are key/value pairs that are attached to the tunnel
                type: object
            type: object
          status:
            description: TunnelStatus defines the observed state of Tunnel
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
# Source: kubernetes-ingress-controller/templates/crds/ngrok.k8s.ngrok.com_ngroktrafficpolicies.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  name: ngroktrafficpolicies.ngrok.k8s.ngrok.com
spec:
  group: ngrok.k8s.ngrok.com
  names:
    kind: NgrokTrafficPolicy
    listKind: NgrokTrafficPolicyList
    plural: ngroktrafficpolicies
    singular: ngroktrafficpolicy
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: NgrokTrafficPolicy is the Schema for the ngroktrafficpolicies
          API
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: NgrokTrafficPolicySpec defines the desired state of NgrokTrafficPolicy
            properties:
              policy:
                description: The raw json encoded policy that was applied to the ngrok
                  API
                type: object
                x-kubernetes-preserve-unknown-fields: true
            type: object
          status:
            description: NgrokTrafficPolicyStatus defines the observed state of NgrokTrafficPolicy
            properties:
              policy:
                description: The raw json encoded policy that was applied to the ngrok
                  API
                type: object
                x-kubernetes-preserve-unknown-fields: true
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
# Source: kubernetes-ingress-controller/templates/controller-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ngrok-ingress-controller-proxy-role
rules:
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
---
# Source: kubernetes-ingress-controller/templates/rbac/domain_editor_role.yaml
# permissions for end users to edit domains.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    helm.sh/chart: kubernetes-ingress-controller-0.14.1
    app.kubernetes.io/name: kubernetes-ingress-controller
    app.kubernetes.io/instance: ngrok-ingress-controller
    app.kubernetes.io/version: "0.12.1"
    app.kubernetes.io/part-of: kubernetes-ingress-controller
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: rbac
  name: ngrok-ingress-controller-kubernetes-ingress-controller-domain-editor-role
rules:
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - domains
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - domains/status
  verbs:
  - get
---
# Source: kubernetes-ingress-controller/templates/rbac/domain_viewer_role.yaml
# permissions for end users to view domains.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    helm.sh/chart: kubernetes-ingress-controller-0.14.1
    app.kubernetes.io/name: kubernetes-ingress-controller
    app.kubernetes.io/instance: ngrok-ingress-controller
    app.kubernetes.io/version: "0.12.1"
    app.kubernetes.io/part-of: kubernetes-ingress-controller
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: rbac
  name: ngrok-ingress-controller-kubernetes-ingress-controller-domain-viewer-role
rules:
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - domains
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - domains/status
  verbs:
  - get
---
# Source: kubernetes-ingress-controller/templates/rbac/httpsedge_editor_role.yaml
# permissions for end users to edit httpsedges.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: clusterrole
    app.kubernetes.io/instance: httpsedge-editor-role
    app.kubernetes.io/component: rbac
    app.kubernetes.io/created-by: ngrok-ingress-controller
    app.kubernetes.io/part-of: ngrok-ingress-controller
    app.kubernetes.io/managed-by: kustomize
  name: httpsedge-editor-role
rules:
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - httpsedges
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - httpsedges/status
  verbs:
  - get
---
# Source: kubernetes-ingress-controller/templates/rbac/httpsedge_viewer_role.yaml
# permissions for end users to view httpsedges.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: clusterrole
    app.kubernetes.io/instance: httpsedge-viewer-role
    app.kubernetes.io/component: rbac
    app.kubernetes.io/created-by: ngrok-ingress-controller
    app.kubernetes.io/part-of: ngrok-ingress-controller
    app.kubernetes.io/managed-by: kustomize
  name: httpsedge-viewer-role
rules:
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - httpsedges
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - httpsedges/status
  verbs:
  - get
---
# Source: kubernetes-ingress-controller/templates/rbac/ippolicy_editor_role.yaml
# permissions for end users to edit ippolicies.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: clusterrole
    app.kubernetes.io/instance: ippolicy-editor-role
    app.kubernetes.io/component: rbac
    app.kubernetes.io/created-by: ngrok-ingress-controller
    app.kubernetes.io/part-of: ngrok-ingress-controller
    app.kubernetes.io/managed-by: kustomize
  name: ippolicy-editor-role
rules:
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - ippolicies
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - ippolicies/status
  verbs:
  - get
---
# Source: kubernetes-ingress-controller/templates/rbac/ippolicy_viewer_role.yaml
# permissions for end users to view ippolicies.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: clusterrole
    app.kubernetes.io/instance: ippolicy-viewer-role
    app.kubernetes.io/component: rbac
    app.kubernetes.io/created-by: ngrok-ingress-controller
    app.kubernetes.io/part-of: ngrok-ingress-controller
    app.kubernetes.io/managed-by: kustomize
  name: ippolicy-viewer-role
rules:
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - ippolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - ippolicies/status
  verbs:
  - get
---
# Source: kubernetes-ingress-controller/templates/rbac/ngrokmoduleset_editor_role.yaml
# permissions for end users to edit ngrokmodulesets.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: clusterrole
    app.kubernetes.io/instance: ngrokmoduleset-editor-role
    app.kubernetes.io/component: rbac
    app.kubernetes.io/created-by: kubernetes-ingress-controller
    app.kubernetes.io/part-of: kubernetes-ingress-controller
    app.kubernetes.io/managed-by: kustomize
  name: ngrokmoduleset-editor-role
rules:
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - ngrokmodulesets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - ngrokmodulesets/status
  verbs:
  - get
---
# Source: kubernetes-ingress-controller/templates/rbac/ngrokmoduleset_viewer_role.yaml
# permissions for end users to view ngrokmodulesets.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: clusterrole
    app.kubernetes.io/instance: ngrokmoduleset-viewer-role
    app.kubernetes.io/component: rbac
    app.kubernetes.io/created-by: kubernetes-ingress-controller
    app.kubernetes.io/part-of: kubernetes-ingress-controller
    app.kubernetes.io/managed-by: kustomize
  name: ngrokmoduleset-viewer-role
rules:
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - ngrokmodulesets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - ngrokmodulesets/status
  verbs:
  - get
---
# Source: kubernetes-ingress-controller/templates/rbac/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ngrok-ingress-controller-manager-role
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
  - delete
  - get
  - list
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - services/status
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - gatewayclasses
  verbs:
  - get
  - list
  - update
  - watch
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - gatewayclasses/status
  verbs:
  - get
  - list
  - update
  - watch
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - gateways
  verbs:
  - get
  - list
  - update
  - watch
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - gateways/status
  verbs:
  - get
  - list
  - update
  - watch
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - httproutes
  verbs:
  - get
  - list
  - update
  - watch
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - httproutes/status
  verbs:
  - get
  - list
  - update
  - watch
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - domains
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - domains/finalizers
  verbs:
  - update
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - domains/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - httpsedges
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - httpsedges/finalizers
  verbs:
  - update
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - httpsedges/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - ippolicies
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - ippolicies/finalizers
  verbs:
  - update
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - ippolicies/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - ngrokmodulesets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - tcpedges
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - tcpedges/finalizers
  verbs:
  - update
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - tcpedges/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - tlsedges
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - tlsedges/finalizers
  verbs:
  - update
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - tlsedges/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - tunnels
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - tunnels/finalizers
  verbs:
  - update
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - tunnels/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - update
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - get
  - list
  - update
  - watch
- apiGroups:
  - ngrok.k8s.ngrok.com
  resources:
  - ngroktrafficpolicies
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ngrok.k8s.ngrok.com
  resources:
  - ngroktrafficpolicies/finalizers
  verbs:
  - update
- apiGroups:
  - ngrok.k8s.ngrok.com
  resources:
  - ngroktrafficpolicies/status
  verbs:
  - get
  - patch
  - update
---
# Source: kubernetes-ingress-controller/templates/rbac/tcpedge_editor_role.yaml
# permissions for end users to edit tcpedges.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: clusterrole
    app.kubernetes.io/instance: tcpedge-editor-role
    app.kubernetes.io/component: rbac
    app.kubernetes.io/created-by: ngrok-ingress-controller
    app.kubernetes.io/part-of: ngrok-ingress-controller
    app.kubernetes.io/managed-by: kustomize
  name: tcpedge-editor-role
rules:
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - tcpedges
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - tcpedges/status
  verbs:
  - get
---
# Source: kubernetes-ingress-controller/templates/rbac/tcpedge_viewer_role.yaml
# permissions for end users to view tcpedges.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: clusterrole
    app.kubernetes.io/instance: tcpedge-viewer-role
    app.kubernetes.io/component: rbac
    app.kubernetes.io/created-by: ngrok-ingress-controller
    app.kubernetes.io/part-of: ngrok-ingress-controller
    app.kubernetes.io/managed-by: kustomize
  name: tcpedge-viewer-role
rules:
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - tcpedges
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - tcpedges/status
  verbs:
  - get
---
# Source: kubernetes-ingress-controller/templates/rbac/tlsedge_editor_role.yaml
# permissions for end users to edit tlsedges.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: clusterrole
    app.kubernetes.io/instance: tlsedge-editor-role
    app.kubernetes.io/component: rbac
    app.kubernetes.io/created-by: ngrok-ingress-controller
    app.kubernetes.io/part-of: ngrok-ingress-controller
    app.kubernetes.io/managed-by: kustomize
  name: tlsedge-editor-role
rules:
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - tlsedges
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - tlsedges/status
  verbs:
  - get
---
# Source: kubernetes-ingress-controller/templates/rbac/tlsedge_viewer_role.yaml
# permissions for end users to view tlsedges.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: clusterrole
    app.kubernetes.io/instance: tlsedge-viewer-role
    app.kubernetes.io/component: rbac
    app.kubernetes.io/created-by: ngrok-ingress-controller
    app.kubernetes.io/part-of: ngrok-ingress-controller
    app.kubernetes.io/managed-by: kustomize
  name: tlsedge-viewer-role
rules:
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - tlsedges
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - tlsedges/status
  verbs:
  - get
---
# Source: kubernetes-ingress-controller/templates/rbac/tunnel_editor_role.yaml
# permissions for end users to edit tunnels.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    helm.sh/chart: kubernetes-ingress-controller-0.14.1
    app.kubernetes.io/name: kubernetes-ingress-controller
    app.kubernetes.io/instance: ngrok-ingress-controller
    app.kubernetes.io/version: "0.12.1"
    app.kubernetes.io/part-of: kubernetes-ingress-controller
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: rbac
  name: ngrok-ingress-controller-kubernetes-ingress-controller-tunnel-editor-role
rules:
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - tunnels
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - tunnels/status
  verbs:
  - get
---
# Source: kubernetes-ingress-controller/templates/rbac/tunnel_viewer_role.yaml
# permissions for end users to view tunnels.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    helm.sh/chart: kubernetes-ingress-controller-0.14.1
    app.kubernetes.io/name: kubernetes-ingress-controller
    app.kubernetes.io/instance: ngrok-ingress-controller
    app.kubernetes.io/version: "0.12.1"
    app.kubernetes.io/part-of: kubernetes-ingress-controller
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: rbac
  name: ngrok-ingress-controller-kubernetes-ingress-controller-tunnel-viewer-role
rules:
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - tunnels
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ingress.k8s.ngrok.com
  resources:
  - tunnels/status
  verbs:
  - get
---
# Source: kubernetes-ingress-controller/templates/controller-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ngrok-ingress-controller-manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ngrok-ingress-controller-manager-role
subjects:
- kind: ServiceAccount
  name: ngrok-ingress-controller-kubernetes-ingress-controller
  namespace: ngrok-ingress-controller
---
# Source: kubernetes-ingress-controller/templates/controller-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ngrok-ingress-controller-proxy-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ngrok-ingress-controller-proxy-role
subjects:
- kind: ServiceAccount
  name: ngrok-ingress-controller-kubernetes-ingress-controller
  namespace: ngrok-ingress-controller
---
# Source: kubernetes-ingress-controller/templates/controller-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ngrok-ingress-controller-leader-election-role
  namespace: ngrok-ingress-controller
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
---
# Source: kubernetes-ingress-controller/templates/controller-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ngrok-ingress-controller-leader-election-rolebinding
  namespace: ngrok-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ngrok-ingress-controller-leader-election-role
subjects:
- kind: ServiceAccount
  name: ngrok-ingress-controller-kubernetes-ingress-controller
  namespace: ngrok-ingress-controller
---
# Source: kubernetes-ingress-controller/templates/controller-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    helm.sh/chart: kubernetes-ingress-controller-0.14.1
    app.kubernetes.io/name: kubernetes-ingress-controller
    app.kubernetes.io/instance: ngrok-ingress-controller
    app.kubernetes.io/version: "0.12.1"
    app.kubernetes.io/part-of: kubernetes-ingress-controller
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ngrok-ingress-controller-kubernetes-ingress-controller-manager
  namespace: ngrok-ingress-controller
  annotations:
    checksum/controller-role: 7a410be28b1592797fe68e262cc5a7c24a8c3c6aaff67b396203315b701818e7
    checksum/rbac: f91fd21c0e331efb3c41a4551b81ba429616fbf9bb3079c64e0284a7612ca47b
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: kubernetes-ingress-controller
      app.kubernetes.io/instance: ngrok-ingress-controller
      app.kubernetes.io/component: controller
  template:
    metadata:
      annotations:
        prometheus.io/path: /metrics
        prometheus.io/port: '8080'
        prometheus.io/scrape: 'true'
        checksum/controller-role: 7a410be28b1592797fe68e262cc5a7c24a8c3c6aaff67b396203315b701818e7
        checksum/rbac: f91fd21c0e331efb3c41a4551b81ba429616fbf9bb3079c64e0284a7612ca47b
        checksum/secret: 283e53865ad5f9d238d51716535c045f767c31a318c95c28af579c045680959e
      labels:
        app.kubernetes.io/name: kubernetes-ingress-controller
        app.kubernetes.io/instance: ngrok-ingress-controller
        app.kubernetes.io/component: controller
    spec:
      affinity:
        podAffinity:

        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app.kubernetes.io/instance: ngrok-ingress-controller
                    app.kubernetes.io/name: kubernetes-ingress-controller
                    app.kubernetes.io/component: controller
                topologyKey: kubernetes.io/hostname
              weight: 1
        nodeAffinity:

      serviceAccountName: ngrok-ingress-controller-kubernetes-ingress-controller
      containers:
      - name: ngrok-ingress-controller
        image: docker.io/ngrok/kubernetes-ingress-controller:0.12.1
        imagePullPolicy: IfNotPresent
        command:
        - /manager
        args:
        - --controller-name=k8s.ngrok.com/ingress-controller
        - --zap-log-level=info
        - --zap-stacktrace-level=error
        - --zap-encoder=json
        - --health-probe-bind-address=:8081
        - --metrics-bind-address=:8080
        - --election-id=ngrok-ingress-controller-kubernetes-ingress-controller-leader
        - --manager-name=ngrok-ingress-controller-kubernetes-ingress-controller-manager
        securityContext:
          allowPrivilegeEscalation: false
        env:
        - name: NGROK_API_KEY
          valueFrom:
            secretKeyRef:
              key: API_KEY
              name: ngrok-ingress-controller-kubernetes-ingress-controller-credentials
        - name: NGROK_AUTHTOKEN
          valueFrom:
            secretKeyRef:
              key: AUTHTOKEN
              name: ngrok-ingress-controller-kubernetes-ingress-controller-credentials
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8081
          initialDelaySeconds: 15
          periodSeconds: 20
        readinessProbe:
          httpGet:
            path: /readyz
            port: 8081
          initialDelaySeconds: 5
          periodSeconds: 10
        resources:
          limits: {}
          requests: {}
---
# Source: kubernetes-ingress-controller/templates/ingress-class.yaml
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  labels:
    helm.sh/chart: kubernetes-ingress-controller-0.14.1
    app.kubernetes.io/name: kubernetes-ingress-controller
    app.kubernetes.io/instance: ngrok-ingress-controller
    app.kubernetes.io/version: "0.12.1"
    app.kubernetes.io/part-of: kubernetes-ingress-controller
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ngrok
spec:
  controller: k8s.ngrok.com/ingress-controller

NOTES:
================================================================================
The ngrok Ingress controller has been deployed as a Deployment type to your
cluster.

If you haven't yet, create some Ingress resources in your cluster and they will
be automatically configured on the internet using ngrok.

One example, taken from your cluster, is the Service:
   "game-2048"

You can make this accessible via ngrok with the following manifest:
--------------------------------------------------------------------------------
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: game-2048
  namespace: ngrok-ingress-controller
spec:
  ingressClassName: ngrok
  rules:
  - host: game-2048-fu3zm54o.ngrok.app
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: game-2048
            port:
              number: 80
--------------------------------------------------------------------------------
Applying this manifest will make the service "game-2048"
available on the public internet at "https://game-2048-fu3zm54o.ngrok.app/".

Once done, view your edges in the Dashboard https://dashboard.ngrok.com/cloud-edge/edges
Find the tunnels running in your cluster here https://dashboard.ngrok.com/tunnels/agents

If you have any questions or feedback, please join us in https://ngrok.com/slack and let us know!

@jonstacks
Collaborator

The logs look quite normal to me. I tried re-creating as close as possible but I haven't had any luck with it yet.

  1. kind create cluster --image=kindest/node:v1.30.3
  2. Similar output to what you have above when running helm install:

     helm-3.15.4 upgrade --install ngrok-ingress-controller ngrok/kubernetes-ingress-controller \
       --debug --namespace ngrok-ingress-controller \
       --create-namespace \
       --set credentials.apiKey=$NGROK_API_KEY \
       --set credentials.authtoken=$NGROK_AUTHTOKEN

  3. Trying to get the tunnels just says no resources

     kubectl get tunnels
     No resources found in default namespace

The only other thing I would try is to confirm that the CRDs did get installed like so:

kubectl get customresourcedefinitions.apiextensions.k8s.io | grep "ngrok"

You should see something like this:

domains.ingress.k8s.ngrok.com              2024-08-27T04:52:14Z
httpsedges.ingress.k8s.ngrok.com           2024-08-27T04:52:14Z
ippolicies.ingress.k8s.ngrok.com           2024-08-27T04:52:14Z
ngrokmodulesets.ingress.k8s.ngrok.com      2024-08-27T04:52:14Z
ngroktrafficpolicies.ngrok.k8s.ngrok.com   2024-08-27T04:52:14Z
tcpedges.ingress.k8s.ngrok.com             2024-08-27T04:52:14Z
tlsedges.ingress.k8s.ngrok.com             2024-08-27T04:52:14Z
tunnels.ingress.k8s.ngrok.com              2024-08-27T04:52:14Z
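
The CRD check suggested in the comment above, turned into a script that names exactly which definitions are absent (an added example, not part of the original comment or the project's own code). The function name `missing_ngrok_crds` and the sample table are constructed for illustration; the expected CRD names are the eight listed above.

```shell
#!/bin/sh
# CRD names copied from the listing in the comment above.
EXPECTED_NGROK_CRDS="domains.ingress.k8s.ngrok.com
httpsedges.ingress.k8s.ngrok.com
ippolicies.ingress.k8s.ngrok.com
ngrokmodulesets.ingress.k8s.ngrok.com
ngroktrafficpolicies.ngrok.k8s.ngrok.com
tcpedges.ingress.k8s.ngrok.com
tlsedges.ingress.k8s.ngrok.com
tunnels.ingress.k8s.ngrok.com"

# Constructed sample of the kubectl table output (timestamps are made up):
# the domains and tunnels CRDs are absent from it.
SAMPLE_PARTIAL="NAME                                       CREATED AT
httpsedges.ingress.k8s.ngrok.com           2024-01-01T00:00:00Z
ippolicies.ingress.k8s.ngrok.com           2024-01-01T00:00:00Z
ngrokmodulesets.ingress.k8s.ngrok.com      2024-01-01T00:00:00Z
ngroktrafficpolicies.ngrok.k8s.ngrok.com   2024-01-01T00:00:00Z
tcpedges.ingress.k8s.ngrok.com             2024-01-01T00:00:00Z
tlsedges.ingress.k8s.ngrok.com             2024-01-01T00:00:00Z"

# Hypothetical helper: reads the table printed by
# `kubectl get customresourcedefinitions.apiextensions.k8s.io` on stdin and
# prints every expected CRD that is not in it, one per line.
# Returns 0 when all eight are present, 1 otherwise.
missing_ngrok_crds() {
  # First column of every non-empty, non-header row.
  installed=$(awk 'NF && $1 != "NAME" { print $1 }')
  missing=""
  for crd in $EXPECTED_NGROK_CRDS; do
    # -x: whole-line match; -F: literal string, so dots are not wildcards.
    if ! printf '%s\n' "$installed" | grep -qxF -- "$crd"; then
      missing="${missing}${crd}
"
    fi
  done
  printf '%s' "$missing"
  [ -z "$missing" ]
}

if [ "${1:-}" = "--live" ]; then
  # Against a real cluster: exit status 1 means at least one CRD is missing.
  kubectl get customresourcedefinitions.apiextensions.k8s.io | missing_ngrok_crds
  exit $?
else
  # Offline demo on the constructed sample.
  printf '%s\n' "$SAMPLE_PARTIAL" | missing_ngrok_crds || true
fi
```

A CRD reported here as missing is consistent with the controller error in the original report, "the server could not find the requested resource (post domains.ingress.k8s.ngrok.com)".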

@jonstacks
Collaborator

@ricardosilva86, I added a GitHub Actions pipeline to test this with different k8s & helm versions using kind, but still haven't been able to recreate.

If you can find a way to repro the issue though, let us know and we'll keep looking into it.
