Depending on the number of clusters in your configuration, you may decide to run the monitoring system on the same cluster as the workloads, or in a completely separate cluster. Below are two example architectures based on the single cluster and multi cluster layouts.

In the single cluster architecture, the collector components (Prometheus, Vector and Tempo) are in the same cluster as the log aggregation component (Loki) and the visualisation component (Grafana).

In the multi cluster architecture, the collectors that scrape metrics or logs (Prometheus and Vector) are deployed alongside the workloads in each cluster. However, as traces are sent to a collector (Tempo) from each component, Tempo can be centralised in a separate cluster. Thanos is used in this architecture so that each Prometheus can federate metrics back to a central location. The log collector (Vector) can forward logs to a central Loki instance. Finally, the visualisation component (Grafana) is centralised as well, with data sources configured for each of the 3 components on the same cluster.
The attributes provide the key and value we need in order to understand how to define records for a given LB address based on the DNSPolicy targeting the gateway.

The kuadrant.io/lb-attribute-geo-code attribute value is provider specific; using an invalid code will result in an error status condition in the DNSRecord resource.

Custom weighting uses the associated custom-weight attribute set on the ManagedCluster to decide which records should get a specific weight. The value of this attribute is up to the end user.

An alternative is to configure all of this yourself manually in a DNS provider. This can be a highly complex DNS configuration that would be easy to get wrong.
A ManagedZone is a reference to a DNS zone. By creating a ManagedZone we are instructing the MGC about a domain or subdomain that can be used as a host by any gateways in the same namespace. These gateways can use a subdomain of the ManagedZone.

If a gateway attempts to use a domain as a host, and there is no matching ManagedZone for that host, then that host on that gateway will fail to function.

A gateway's host will be matched to any ManagedZone that the host is a subdomain of, i.e. test.api.hcpapps.net will be matched by any ManagedZone (in the same namespace) of: test.api.hcpapps.net, api.hcpapps.net or hcpapps.net.

When MGC wants to create the DNS records for a host, it will create them in the most exactly matching ManagedZone, e.g. given the zones hcpapps.net and api.hcpapps.net, the DNS records for the host test.api.hcpapps.net will be created in the api.hcpapps.net zone.
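As an added illustration of the matching rule above (written for this page, not MGC's own code), the Go program below picks the most specific ManagedZone for a host among the zones in a namespace. The ManagedZone struct and the sample zones are simplified, constructed stand-ins, not the real API types; the match is done on a label boundary so that notapi.hcpapps.net is not mistaken for a subdomain of api.hcpapps.net.

```go
package main

import (
	"fmt"
	"strings"
)

// ManagedZone models only the fields this example needs: the zone's DNS name
// and the namespace it lives in (a constructed stand-in, not the MGC API type).
type ManagedZone struct {
	Name      string // e.g. "api.hcpapps.net"
	Namespace string
}

// normalize lowercases a DNS name and strips the trailing dot so that
// "API.hcpapps.net." and "api.hcpapps.net" compare equal.
func normalize(name string) string {
	return strings.ToLower(strings.TrimSuffix(strings.TrimSpace(name), "."))
}

// zoneMatches reports whether host equals zone or is a subdomain of zone,
// checking on a label boundary: "notapi.hcpapps.net" must not match "api.hcpapps.net".
func zoneMatches(host, zone string) bool {
	host, zone = normalize(host), normalize(zone)
	return host == zone || strings.HasSuffix(host, "."+zone)
}

// BestZone returns the most specific (longest) ManagedZone in namespace that
// host is equal to or a subdomain of, or nil when no zone matches. A nil result
// is the "host will fail to function" case described in the text.
func BestZone(host, namespace string, zones []ManagedZone) *ManagedZone {
	var best *ManagedZone
	for i := range zones {
		z := &zones[i]
		if z.Namespace != namespace || !zoneMatches(host, z.Name) {
			continue
		}
		if best == nil || len(normalize(z.Name)) > len(normalize(best.Name)) {
			best = z
		}
	}
	return best
}

func main() {
	// Constructed sample zones; the third one is in another namespace and never matches.
	zones := []ManagedZone{
		{Name: "hcpapps.net", Namespace: "ingress"},
		{Name: "api.hcpapps.net", Namespace: "ingress"},
		{Name: "hcpapps.net", Namespace: "other"},
	}
	for _, host := range []string{"test.api.hcpapps.net", "www.hcpapps.net", "notapi.hcpapps.net", "example.org"} {
		if z := BestZone(host, "ingress", zones); z != nil {
			fmt.Printf("%-22s -> records created in zone %s\n", host, z.Name)
		} else {
			fmt.Printf("%-22s -> no ManagedZone in namespace: host will not function\n", host)
		}
	}
}
```

With the sample zones, test.api.hcpapps.net lands in api.hcpapps.net, www.hcpapps.net and notapi.hcpapps.net fall back to hcpapps.net, and example.org has no zone at all.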
Allow additional stateful information about Gateway API resources to be made available via metrics. Currently a set of metrics is made available via the gateway-api-state-metrics project. However, there are limitations on what resource information can be exposed using the underlying kube-state-metrics project. Additional stateful information would include:

- Individual listener status within a Gateway
- HTTPRoute status

Delegation allows you to give control of a subdomain of a root domain to MGC while the root domain has its DNS zone elsewhere.

In the scenario where a root domain has a zone outside Route53, e.g. external.com, and a ManagedZone for delegated.external.com is required, the following steps can be taken:

1. Create the ManagedZone for delegated.external.com and wait until the status is updated with an array of nameservers (e.g. ns1.hcpapps.net, ns2.hcpapps.net).

2. Copy these nameservers to your root zone for external.com: create an NS record for each nameserver against the delegated.external.com name. For example:

```
delegated.external.com. 3600 IN NS ns1.hcpapps.net.
delegated.external.com. 3600 IN NS ns2.hcpapps.net.
```

Now, when MGC creates a DNS record in its Route53 zone for delegated.external.com, it will be resolved correctly.
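As an added check for the delegation steps above (illustrative Go written for this page, not part of MGC or the guide), the program below compares the NS records the parent zone publishes for the delegated name with the nameservers reported in the ManagedZone status. It reports nameservers the parent is missing (delegation incomplete, so some resolvers will not reach MGC's zone) and nameservers the parent publishes that the ManagedZone does not own (a stale delegation, which is worth cleaning up because a nameserver you no longer control can answer for your subdomain). The nameserver lists in main are constructed samples, and delegated.external.com is the placeholder name from the steps above.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
)

// canonical lowercases a nameserver name and strips the trailing dot so that
// "NS1.hcpapps.net." (as a resolver returns it) and "ns1.hcpapps.net" (as listed
// in the ManagedZone status) compare equal.
func canonical(ns string) string {
	return strings.ToLower(strings.TrimSuffix(strings.TrimSpace(ns), "."))
}

// CompareDelegation checks the NS set published by the parent zone against the
// nameservers MGC reported in the ManagedZone status. missing holds nameservers
// the parent does not publish; extra holds nameservers the parent publishes that
// are not part of the ManagedZone. Both are sorted for stable output.
func CompareDelegation(managedZoneNS, parentNS []string) (missing, extra []string) {
	want := map[string]bool{}
	for _, ns := range managedZoneNS {
		want[canonical(ns)] = true
	}
	have := map[string]bool{}
	for _, ns := range parentNS {
		have[canonical(ns)] = true
	}
	for ns := range want {
		if !have[ns] {
			missing = append(missing, ns)
		}
	}
	for ns := range have {
		if !want[ns] {
			extra = append(extra, ns)
		}
	}
	sort.Strings(missing)
	sort.Strings(extra)
	return missing, extra
}

// LiveParentNS asks the system resolver for the NS records of the delegated name
// (network access required; the result is what the parent zone currently publishes).
func LiveParentNS(name string) ([]string, error) {
	records, err := net.LookupNS(name)
	if err != nil {
		return nil, err
	}
	out := make([]string, 0, len(records))
	for _, r := range records {
		out = append(out, r.Host)
	}
	return out, nil
}

func main() {
	// Constructed sample: nameservers as reported in the ManagedZone status.
	managedZoneNS := []string{"ns1.hcpapps.net", "ns2.hcpapps.net"}
	// Constructed sample of a parent zone answer: one correct NS, one stale one.
	parentNS := []string{"NS1.hcpapps.net.", "old-ns.example.net."}
	missing, extra := CompareDelegation(managedZoneNS, parentNS)
	fmt.Println("sample  missing:", missing, "extra:", extra)

	// Live check against the placeholder delegated name; replace with your own.
	if live, err := LiveParentNS("delegated.external.com"); err == nil {
		m, e := CompareDelegation(managedZoneNS, live)
		fmt.Println("live    missing:", m, "extra:", e)
	} else {
		fmt.Println("live lookup skipped:", err)
	}
}
```

An empty missing and empty extra means the parent zone delegates exactly the nameserver set MGC reported; anything else should be fixed in the root zone before relying on records in the delegated ManagedZone.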
To create a ManagedZone, you will first need to create a DNS provider Secret. To create one, see our DNS Provider setup guide, and make note of your provider's secret name.
The ManagedZone is a simple resource with an uncomplicated API; see a sample here.

First, implement the existing Gateway API metrics that are part of the gateway-api-state-metrics project. This will allow the new Prometheus exporter to replace that project as a whole. The metrics will be backwards compatible with the gateway-api-state-metrics project, with the addition of new metrics.

Second, implement new metrics, as per the examples below, to capture the additional status information:
This metric captures the status condition types of individual listeners in a Gateway. It will allow the status of individual named listeners to be queried, graphed and alerted on via metrics. The health status of listeners can then be visualised in a stat panel in Grafana, showing healthy and unhealthy listeners. This expands the debugging path beyond just the overall health of a Gateway.

This metric captures the condition types for each parent of an HTTPRoute. The type field would also record any custom types set by a controller, for example kuadrant.io/AuthPolicyAffected and kuadrant.io/RateLimitPolicyAffected. This will allow the health of HTTPRoutes to be reported via metrics. An HTTPRoute that has a type of Accepted and a value of 1 means the HTTPRoute is accepted by the Gateway and can be considered healthy. It will also allow policy specific information about an HTTPRoute to be represented in metrics, for example alerting on any HTTPRoutes that don't have the kuadrant.io/AuthPolicyAffected type with a value of 1, i.e. HTTPRoutes without an AuthPolicy.
Tests will be added directly to the project in a similar manner to the redis-exporter. The test environment will bring up a kind cluster, create the Gateway API CRDs and example Gateway and HTTPRoute resources, then test the scrape endpoint. This will be the same as how metrics are tested for the gateway-api-state-metrics project. There is a separate test function for each resource.

Existing example dashboards in the gateway-api-state-metrics project will be copied over to the exporter project and will continue to work as before. However, initially it will just be the Gateway, GatewayClass and HTTPRoute dashboards, as those will be the metrics that are implemented first.
The exporter will be written in Go and follow the guidelines from https://prometheus.io/docs/instrumenting/writing_exporters/. Other exporters like https://github.com/prometheus/node_exporter/tree/master and https://github.com/oliver006/redis_exporter will be referenced for patterns and library usage. Metrics will only be pulled from the Kubernetes API when Prometheus scrapes them. That is, the exporter will not perform scrapes based on its own timers. All scrapes will be synchronous.

The client-go library will be used for all Kubernetes API calls. As the number of Gateways and HTTPRoutes could vary greatly, there is a performance consideration with these API calls if there are a lot of resources. To allow for this, a single list call for all resources of a kind will be used rather than fetching them one by one. If in future there are issues with performance, there is an option to cache responses to expensive queries.

A `gateway_metrics_up` metric will be included, as per https://prometheus.io/docs/instrumenting/writing_exporters/#failed-scrapes, such that the exporter can continue to respond in a standard way if there are issues with some aspects of scraping. The scrape response should include all metrics that have information available at the time of scraping.
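As an added example of how the two status metrics described above and the `gateway_metrics_up` behaviour could fit together (illustrative Go written for this page, not the exporter's code), the program below renders a scrape body in the Prometheus text exposition format from constructed Gateway and HTTPRoute status data. The metric names gatewayapi_gateway_listener_status and gatewayapi_httproute_parent_status, the label names, and the cut-down status structs are assumptions made for the example. When one of the list calls fails, the body still carries every series that could be built plus gateway_metrics_up 0, which is the failed-scrapes behaviour the text asks for.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Condition mirrors the two fields of metav1.Condition the exporter needs
// (a constructed stand-in, not the real Kubernetes type).
type Condition struct {
	Type   string // e.g. "Accepted", "Programmed", "kuadrant.io/AuthPolicyAffected"
	Status string // "True", "False" or "Unknown"
}

// Listener/Gateway and ParentStatus/HTTPRoute are simplified stand-ins for the
// Gateway API status structures (assumed shapes for this example).
type Listener struct {
	Name       string
	Conditions []Condition
}

type Gateway struct {
	Name, Namespace string
	Listeners       []Listener
}

type ParentStatus struct {
	ParentName, ParentNamespace string
	Conditions                  []Condition
}

type HTTPRoute struct {
	Name, Namespace string
	Parents         []ParentStatus
}

// ConditionValue maps a condition status onto the gauge value: True -> 1,
// anything else (False, Unknown) -> 0, matching "type Accepted, value 1" in the text.
func ConditionValue(status string) int {
	if status == "True" {
		return 1
	}
	return 0
}

// escapeLabel applies the Prometheus text-format escaping rules for label values.
func escapeLabel(v string) string {
	return strings.NewReplacer(`\`, `\\`, `"`, `\"`, "\n", `\n`).Replace(v)
}

// sample formats one series line with its labels in sorted order.
func sample(metric string, labels map[string]string, value int) string {
	keys := make([]string, 0, len(labels))
	for k := range labels {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, fmt.Sprintf(`%s="%s"`, k, escapeLabel(labels[k])))
	}
	return fmt.Sprintf("%s{%s} %d\n", metric, strings.Join(parts, ","), value)
}

// Render builds the scrape body. gws and routes are whatever the synchronous
// list calls returned; listErr is non-nil when one of them failed. The body
// always carries gateway_metrics_up and every series the available data allows.
func Render(gws []Gateway, routes []HTTPRoute, listErr error) string {
	var b strings.Builder
	b.WriteString("# HELP gatewayapi_gateway_listener_status Listener condition status (1 = True).\n")
	b.WriteString("# TYPE gatewayapi_gateway_listener_status gauge\n")
	for _, gw := range gws {
		for _, l := range gw.Listeners {
			for _, c := range l.Conditions {
				b.WriteString(sample("gatewayapi_gateway_listener_status", map[string]string{
					"name": gw.Name, "namespace": gw.Namespace, "listener_name": l.Name, "type": c.Type,
				}, ConditionValue(c.Status)))
			}
		}
	}
	b.WriteString("# HELP gatewayapi_httproute_parent_status HTTPRoute parent condition status (1 = True).\n")
	b.WriteString("# TYPE gatewayapi_httproute_parent_status gauge\n")
	for _, rt := range routes {
		for _, p := range rt.Parents {
			for _, c := range p.Conditions {
				b.WriteString(sample("gatewayapi_httproute_parent_status", map[string]string{
					"name": rt.Name, "namespace": rt.Namespace, "parent_name": p.ParentName,
					"parent_namespace": p.ParentNamespace, "type": c.Type,
				}, ConditionValue(c.Status)))
			}
		}
	}
	up := 1
	if listErr != nil {
		up = 0
	}
	b.WriteString("# HELP gateway_metrics_up 1 if the last Kubernetes API scrape fully succeeded.\n")
	b.WriteString("# TYPE gateway_metrics_up gauge\n")
	fmt.Fprintf(&b, "gateway_metrics_up %d\n", up)
	return b.String()
}

// SampleInput is constructed status data standing in for the API list results.
func SampleInput() ([]Gateway, []HTTPRoute) {
	gws := []Gateway{{Name: "prod-web", Namespace: "ingress-gateway", Listeners: []Listener{
		{Name: "https", Conditions: []Condition{{Type: "Programmed", Status: "True"}}},
		{Name: "api", Conditions: []Condition{{Type: "Programmed", Status: "False"}}},
	}}}
	routes := []HTTPRoute{{Name: "toystore", Namespace: "default", Parents: []ParentStatus{{
		ParentName: "prod-web", ParentNamespace: "ingress-gateway",
		Conditions: []Condition{{Type: "Accepted", Status: "True"}, {Type: "kuadrant.io/AuthPolicyAffected", Status: "True"}},
	}}}}
	return gws, routes
}

func main() {
	gws, routes := SampleInput()
	fmt.Print(Render(gws, routes, nil))
	// A failed HTTPRoute list still yields the listener series, with gateway_metrics_up 0.
	fmt.Print(Render(gws, nil, errors.New("list httproutes: timeout")))
}
```

With series shaped like this, the AuthPolicy gap alert mentioned above becomes a query over HTTPRoute parent series whose Accepted value is 1 and for which no kuadrant.io/AuthPolicyAffected series with value 1 exists for the same name and namespace; the `gateway_metrics_up` series is what an alert on exporter health itself should watch.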
In theory it should be possible to get the desired functionality from the kube-state-metrics project if the proposed change in https://github.com/kubernetes/kube-state-metrics/pull/2059 is accepted and subsequently implemented. However, that proposal has been open since May 2023. I have ruled out the possibility of helping with the implementation of this change in that project due to:

- lack of detailed knowledge of the current implementation of selectors in kube-state-metrics
- potential complexity of implementing generic CEL support in that project
- it not being core to the Kuadrant project goals, combined with the ongoing maintenance commitment after implementation. It wouldn't be fair to land the change we need without following up on maintenance afterwards.

The proposed design is a more focused solution to the needs of the Kuadrant project for Gateway API resources in the form of metrics. There are plenty of examples of exporters out there that we can reference and whose established patterns we can follow.

If we don't make this change, we are limited to having just the overall Gateway status available via metrics, and no HTTPRoute status information on which we can visualise and alert.
The primary prior art is the kube-state-metrics project and the gateway-api-state-metrics project. The gateway-api-state-metrics project uses the CustomResourceStateMetrics configuration feature of kube-state-metrics to configure which fields in which resources should be made available via metrics.

Although this exporter is intended to replace the gateway-api-state-metrics project, it will likely take a phased approach to get to that point. The initial goal is to get 'like for like' functionality from a Kuadrant project point of view (Gateways, GatewayClasses and HTTPRoutes), followed by the new status functionality as detailed in this RFC. Other resources, such as TLSRoute, UDPRoute etc., can be added later.
diff --git a/dev/multicluster-gateway-controller/docs/proposals/index.html b/dev/architecture/rfcs/dns-policy-api-changes/index.html
similarity index 81%
rename from dev/multicluster-gateway-controller/docs/proposals/index.html
rename to dev/architecture/rfcs/dns-policy-api-changes/index.html
index d5d7979f..d818189b 100644
--- a/dev/multicluster-gateway-controller/docs/proposals/index.html
+++ b/dev/architecture/rfcs/dns-policy-api-changes/index.html
@@ -8,7 +8,7 @@
-
+
@@ -18,7 +18,7 @@
- Index - Kuadrant Documentation
+ RFC DNSPolicy v1 changes and improvements - Kuadrant Documentation
@@ -62,7 +62,7 @@
This directory contains proposals accepted into the MGC. The template for add a proposal is located in this directory. Make a copy of the template and use it to define your own proposal.
We want to simplify and improve the DNSPolicy API and remove some of the legacy structures that have hung on since its original inception. As this involves some breaking changes, we want these before we create a v1 API.

Weighting and GEO attributes:

The loadbalancing options we provide were first designed as part of an API that was intended to work with OCM (Open Cluster Management). This provided multiple views of gateways across multiple clusters. So in order to understand the GEO context or individual weighting needed for a given cluster, we needed that context applied separately from the DNSPolicy spec, which for legacy reasons targeted a "template" Gateway in the hub cluster.

Now that DNSPolicy is created on the same cluster as the actual Gateway and we do not use OCM or hub clusters, the need to label individual objects and Gateways with specific annotations and labels is redundant and makes for a more complex and awkward API interaction.

routingStrategy:

We have also identified that the routingStrategy option in the DNSPolicy spec is redundant. When it was added we expected there to be more than two strategies. This has not emerged, and so it is another awkward piece of the API that is not needed.

You will no longer need to apply labels to Gateways in order to specify the GEO or Weighting for that Gateway. The policy targets a given Gateway and you will now just specify those values in the policy spec directly.

You will no longer need to specify what routingStrategy you want to use. Instead you will either specify a loadBalancing section (meaning it is a loadbalanced strategy) or you will leave it empty (meaning it has no loadbalancing).

Below is an example of what is currently needed to set up GEO and Custom Weighting with the existing API:

```yaml
apiVersion: kuadrant.io/v1alpha1
kind: DNSPolicy
metadata:
  name: prod-web
  namespace: ingress-gateway
spec:
  targetRef:
    name: prod-web
    group: gateway.networking.k8s.io
    kind: Gateway
  routingStrategy: loadbalanced
  loadBalancing:
    weighted:
      defaultWeight: 120
      custom: # <--- New Custom Weights being added
        - weight: 255
          selector:
            matchLabels:
              kuadrant.io/lb-attribute-custom-weight: AWS # selects gateways to apply it to (when there can only be one)
    geo:
      defaultGeo: US # catch-all geo
```

So here, to apply a custom weighting, you have to specify the weighting under the custom section and then apply the kuadrant.io/lb-attribute-custom-weight: AWS label to the gateway that is already being targeted by the policy.

To change the GEO for the targeted cluster, you need to apply a different label to the gateway: kuadrant.io/lb-attribute-geo-code: EU, for example.

On top of this you also have to specify that it is a load balanced DNSPolicy even though you have specified a load balancing section.

This is an awkward and disconnected API that evolved from the legacy requirements called out above.

Instead, the new API to achieve the same goal will be:

```yaml
apiVersion: kuadrant.io/v1alpha1
kind: DNSPolicy
metadata:
  name: prod-web
  namespace: ingress-gateway
spec:
  targetRef:
    name: prod-web
    group: gateway.networking.k8s.io
    kind: Gateway
  loadBalancing:
    weight: 100 # weight for listeners targeted
    geo: US # geo for listeners targeted
    defaultGEO: true # should this be considered the default GEO for the listener hosts
  providerRefs:
    - name: aws-credential-secret
```

So you no longer need to specify whether the policy is a load balanced one or not via the redundant routingStrategy field.

Now you simply specify the weight you want to use for the listeners in the gateway, the geo you want to use, and whether it should be used as a default GEO or not (this is used by some cloud providers as a catch-all option if a user from a non-specified GEO does a DNS lookup). Each of the fields under loadBalancing will now be required.

From an implementation perspective, all changes will happen in the Kuadrant Operator, where it will no longer look for the attribute labels on the gateways but instead will simply use the spec of the DNSPolicy. The resulting DNSRecord will not change in structure.

To set up a simple DNS structure (single A or CNAME record), the API would now look like:

These are breaking changes and we are about to move to v1. Changes like these should land pre-v1. These changes provide a much simpler and better user experience.
Tip: Deploy a custom image of the Operator

To deploy an image of the Operator other than the default quay.io/kuadrant/authorino-operator:latest, set the OPERATOR_IMAGE parameter. E.g.:

If you are interested in contributing to Authorino, please refer to the Developer's guide for info about the stack and requirements, workflow, policies and Code of Conduct.

Join us on the #kuadrant channel in the Kubernetes Slack workspace, for live discussions about the roadmap and more.
diff --git a/dev/authorino/install/crd/authorino.kuadrant.io_authconfigs.yaml b/dev/authorino/install/crd/authorino.kuadrant.io_authconfigs.yaml
index 800f877a..84a61661 100644
--- a/dev/authorino/install/crd/authorino.kuadrant.io_authconfigs.yaml
+++ b/dev/authorino/install/crd/authorino.kuadrant.io_authconfigs.yaml
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.9.0
- creationTimestamp: null
+ controller-gen.kubebuilder.io/version: v0.15.0
name: authconfigs.authorino.kuadrant.io
spec:
group: authorino.kuadrant.io
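Review bot: the dropped `creationTimestamp: null` line together with the controller-gen bump from v0.9.0 to v0.15.0 indicates this CRD was regenerated rather than hand-edited; pin the generator to v0.15.0 in the repo's tooling so a contributor running an older controller-gen does not reintroduce the `creationTimestamp: null` line and flip these annotations back and forth on every regeneration.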
@@ -55,14 +54,19 @@ spec:
description: AuthConfig is the schema for Authorino's AuthConfig API
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
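Review bot: the `description:` rewrites to `|-` block scalars change only documentation strings, as is visible here for apiVersion and kind, with the `type: string` lines untouched; since a regeneration can also pull in schema changes silently, please confirm in the PR description that no `type`, `enum`, `required` or `x-kubernetes-*` lines changed anywhere in this file so reviewers can treat the whole diff as description-only.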
@@ -72,13 +76,13 @@ spec:
service hosts.
properties:
authorization:
- description: Authorization is the list of authorization policies.
- All policies in this list MUST evaluate to "true" for a request
- be successful in the authorization phase.
+ description: |-
+ Authorization is the list of authorization policies.
+ All policies in this list MUST evaluate to "true" for a request be successful in the authorization phase.
items:
- description: 'Authorization policy to be enforced. Apart from "name",
- one of the following parameters is required and only one of the
- following parameters is allowed: "opa", "json" or "kubernetes".'
+ description: |-
+ Authorization policy to be enforced.
+ Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "opa", "json" or "kubernetes".
properties:
authzed:
description: Authzed authorization
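Review bot: "for a request be successful in the authorization phase" in the Authorization description is missing "to" (should read "for a request to be successful"); because this YAML is generated, the fix belongs in the doc comment on the Authorization field of the Go API type, otherwise the next regeneration will overwrite a correction made here.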
@@ -101,15 +105,12 @@ spec:
description: Dynamic value
properties:
authJSON:
- description: 'Selector to fetch a value from the
- authorization JSON. It can be any path pattern
- to fetch from the authorization JSON (e.g. ''context.request.http.host'')
- or a string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers are
- available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
type: object
@@ -130,17 +131,12 @@ spec:
description: Dynamic value
properties:
authJSON:
- description: 'Selector to fetch a value from
- the authorization JSON. It can be any path
- pattern to fetch from the authorization JSON
- (e.g. ''context.request.http.host'') or a
- string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers
- are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and
- @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
type: object
@@ -157,17 +153,12 @@ spec:
description: Dynamic value
properties:
authJSON:
- description: 'Selector to fetch a value from
- the authorization JSON. It can be any path
- pattern to fetch from the authorization JSON
- (e.g. ''context.request.http.host'') or a
- string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers
- are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and
- @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
type: object
@@ -206,17 +197,12 @@ spec:
description: Dynamic value
properties:
authJSON:
- description: 'Selector to fetch a value from
- the authorization JSON. It can be any path
- pattern to fetch from the authorization JSON
- (e.g. ''context.request.http.host'') or a
- string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers
- are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and
- @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
type: object
@@ -233,17 +219,12 @@ spec:
description: Dynamic value
properties:
authJSON:
- description: 'Selector to fetch a value from
- the authorization JSON. It can be any path
- pattern to fetch from the authorization JSON
- (e.g. ''context.request.http.host'') or a
- string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers
- are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and
- @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
type: object
@@ -252,14 +233,14 @@ spec:
- endpoint
type: object
cache:
- description: Caching options for the policy evaluation results
- when enforcing this config. Omit it to avoid caching policy
- evaluation results for this config.
+ description: |-
+ Caching options for the policy evaluation results when enforcing this config.
+ Omit it to avoid caching policy evaluation results for this config.
properties:
key:
- description: Key used to store the entry in the cache. Cache
- entries from different metadata configs are stored and
- managed separately regardless of the key.
+ description: |-
+ Key used to store the entry in the cache.
+ Cache entries from different metadata configs are stored and managed separately regardless of the key.
properties:
value:
description: Static value
@@ -268,15 +249,12 @@ spec:
description: Dynamic value
properties:
authJSON:
- description: 'Selector to fetch a value from the
- authorization JSON. It can be any path pattern
- to fetch from the authorization JSON (e.g. ''context.request.http.host'')
- or a string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers are
- available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
type: object
@@ -311,12 +289,9 @@ spec:
x-kubernetes-preserve-unknown-fields: true
type: array
operator:
- description: 'The binary operator to be applied to
- the content fetched from the authorization JSON,
- for comparison with "value". Possible values are:
- "eq" (equal to), "neq" (not equal to), "incl" (includes;
- for arrays), "excl" (excludes; for arrays), "matches"
- (regex)'
+ description: |-
+ The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value".
+ Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex)
enum:
- eq
- neq
@@ -328,16 +303,14 @@ spec:
description: Name of a named pattern
type: string
selector:
- description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson.
- The value is used to fetch content from the input
- authorization JSON built by Authorino along the
- identity and metadata phases.
+ description: |-
+ Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson.
+ The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases.
type: string
value:
- description: The value of reference for the comparison
- with the content fetched from the authorization
- JSON. If used with the "matches" operator, the value
- must compile to a valid Golang regex.
+ description: |-
+ The value of reference for the comparison with the content fetched from the authorization JSON.
+ If used with the "matches" operator, the value must compile to a valid Golang regex.
type: string
type: object
type: array
@@ -345,7 +318,8 @@ spec:
- rules
type: object
kubernetes:
- description: Kubernetes authorization policy based on `SubjectAccessReview`
+ description: |-
+ Kubernetes authorization policy based on `SubjectAccessReview`
Path and Verb are inferred from the request.
properties:
groups:
@@ -354,10 +328,9 @@ spec:
type: string
type: array
resourceAttributes:
- description: Use ResourceAttributes for checking permissions
- on Kubernetes resources If omitted, it performs a non-resource
- `SubjectAccessReview`, with verb and path inferred from
- the request.
+ description: |-
+ Use ResourceAttributes for checking permissions on Kubernetes resources
+ If omitted, it performs a non-resource `SubjectAccessReview`, with verb and path inferred from the request.
properties:
group:
description: StaticOrDynamicValue is either a constant
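Review bot: the first line of the resourceAttributes description, "Use ResourceAttributes for checking permissions on Kubernetes resources", has no terminating period before "If omitted, it performs a non-resource `SubjectAccessReview`", so once the `|-` block is rendered by `kubectl explain` the two sentences run together; add the period to the source doc comment so the regenerated block reads as two sentences.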
@@ -372,17 +345,12 @@ spec:
description: Dynamic value
properties:
authJSON:
- description: 'Selector to fetch a value from
- the authorization JSON. It can be any path
- pattern to fetch from the authorization JSON
- (e.g. ''context.request.http.host'') or a
- string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers
- are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and
- @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
type: object
@@ -399,17 +367,12 @@ spec:
description: Dynamic value
properties:
authJSON:
- description: 'Selector to fetch a value from
- the authorization JSON. It can be any path
- pattern to fetch from the authorization JSON
- (e.g. ''context.request.http.host'') or a
- string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers
- are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and
- @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
type: object
@@ -426,17 +389,12 @@ spec:
description: Dynamic value
properties:
authJSON:
- description: 'Selector to fetch a value from
- the authorization JSON. It can be any path
- pattern to fetch from the authorization JSON
- (e.g. ''context.request.http.host'') or a
- string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers
- are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and
- @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
type: object
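Review bot: the modifier list on the last added line of this hunk is internally inconsistent: `@extract:{sep:" ",pos:0}`, `@case:upper|lower` and `@base64:encode|decode` all use a colon after the modifier name, but `@replace{old:"",new:""}` does not. This text was only rewrapped here, so the inconsistency is pre-existing, but since the same sentence recurs in every `authJSON` block in this patch it is worth fixing once at the source comment so that all copies read `@replace:{old:"",new:""}` (or, if the colon-less form is the real syntax, a note saying why that modifier differs).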
@@ -453,17 +411,12 @@ spec:
description: Dynamic value
properties:
authJSON:
- description: 'Selector to fetch a value from
- the authorization JSON. It can be any path
- pattern to fetch from the authorization JSON
- (e.g. ''context.request.http.host'') or a
- string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers
- are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and
- @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
type: object
@@ -480,17 +433,12 @@ spec:
description: Dynamic value
properties:
authJSON:
- description: 'Selector to fetch a value from
- the authorization JSON. It can be any path
- pattern to fetch from the authorization JSON
- (e.g. ''context.request.http.host'') or a
- string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers
- are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and
- @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
type: object
@@ -507,25 +455,20 @@ spec:
description: Dynamic value
properties:
authJSON:
- description: 'Selector to fetch a value from
- the authorization JSON. It can be any path
- pattern to fetch from the authorization JSON
- (e.g. ''context.request.http.host'') or a
- string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers
- are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and
- @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
type: object
type: object
user:
- description: User to test for. If without "Groups", then
- is it interpreted as "What if User were not a member of
- any groups"
+ description: |-
+ User to test for.
+ If without "Groups", then is it interpreted as "What if User were not a member of any groups"
properties:
value:
description: Static value
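Review bot: the `user` description keeps a grammatical slip from the old text: "If without "Groups", then is it interpreted as ..." should read "then it is interpreted as". Since this hunk already rewrites the line, it is the right place to correct it, e.g. `If without "Groups", then it is interpreted as "What if User were not a member of any groups"`.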
@@ -534,15 +477,12 @@ spec:
description: Dynamic value
properties:
authJSON:
- description: 'Selector to fetch a value from the
- authorization JSON. It can be any path pattern
- to fetch from the authorization JSON (e.g. ''context.request.http.host'')
- or a string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers are
- available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
type: object
@@ -555,30 +495,27 @@ spec:
individual observability metrics
type: boolean
name:
- description: Name of the authorization policy. It can be used
- to refer to the resolved authorization object in other configs.
+ description: |-
+ Name of the authorization policy.
+ It can be used to refer to the resolved authorization object in other configs.
type: string
opa:
description: Open Policy Agent (OPA) authorization policy.
properties:
allValues:
default: false
- description: Returns the value of all Rego rules in the
- virtual document. Values can be read in subsequent evaluators/phases
- of the Auth Pipeline. Otherwise, only the default `allow`
- rule will be exposed. Returning all Rego rules can affect
- performance of OPA policies during reconciliation (policy
- precompile) and at runtime.
+ description: |-
+ Returns the value of all Rego rules in the virtual document. Values can be read in subsequent evaluators/phases of the Auth Pipeline.
+ Otherwise, only the default `allow` rule will be exposed.
+ Returning all Rego rules can affect performance of OPA policies during reconciliation (policy precompile) and at runtime.
type: boolean
externalRegistry:
description: External registry of OPA policies.
properties:
credentials:
- description: Defines where client credentials will be
- passed in the request to the service. If omitted,
- it defaults to client credentials passed in the HTTP
- Authorization header and the "Bearer" prefix expected
- prepended to the secret value.
+ description: |-
+ Defines where client credentials will be passed in the request to the service.
+ If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value.
properties:
in:
default: authorization_header
@@ -592,32 +529,24 @@ spec:
- cookie
type: string
keySelector:
- description: Used in conjunction with the `in` parameter.
- When used with `authorization_header`, the value
- is the prefix of the client credentials string,
- separated by a white-space, in the HTTP Authorization
- header (e.g. "Bearer", "Basic"). When used with
- `custom_header`, `query` or `cookie`, the value
- is the name of the HTTP header, query string parameter
- or cookie key, respectively.
+ description: |-
+ Used in conjunction with the `in` parameter.
+ When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic").
+ When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively.
type: string
required:
- keySelector
type: object
endpoint:
- description: Endpoint of the HTTP external registry.
- The endpoint must respond with either plain/text or
- application/json content-type. In the latter case,
- the JSON returned in the body must include a path
- `result.raw`, where the raw Rego policy will be extracted
- from. This complies with the specification of the
- OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy).
+ description: |-
+ Endpoint of the HTTP external registry.
+ The endpoint must respond with either plain/text or application/json content-type.
+ In the latter case, the JSON returned in the body must include a path `result.raw`, where the raw Rego policy will be extracted from. This complies with the specification of the OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy).
type: string
sharedSecretRef:
- description: Reference to a Secret key whose value will
- be passed by Authorino in the request. The HTTP service
- can use the shared secret to authenticate the origin
- of the request.
+ description: |-
+ Reference to a Secret key whose value will be passed by Authorino in the request.
+ The HTTP service can use the shared secret to authenticate the origin of the request.
properties:
key:
description: The key of the secret to select from. Must
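Review bot: the `endpoint` description under `externalRegistry` says the registry "must respond with either plain/text or application/json content-type"; `plain/text` is not a valid media type and should be `text/plain` (the other content-type mentions in this patch use the correct `text/plain`). This is a pre-existing wording error carried over unchanged, but because the line is being rewritten anyway, fixing it here avoids another round of regeneration. The `credentials` description in the same hunk, "the "Bearer" prefix expected prepended to the secret value", would also read more clearly as "with the "Bearer" prefix expected before the secret value".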
@@ -637,24 +566,23 @@ spec:
type: integer
type: object
inlineRego:
- description: Authorization policy as a Rego language document.
- The Rego document must include the "allow" condition,
- set by Authorino to "false" by default (i.e. requests
- are unauthorized unless changed). The Rego document must
- NOT include the "package" declaration in line 1.
+ description: |-
+ Authorization policy as a Rego language document.
+ The Rego document must include the "allow" condition, set by Authorino to "false" by default (i.e. requests are unauthorized unless changed).
+ The Rego document must NOT include the "package" declaration in line 1.
type: string
type: object
priority:
default: 0
- description: Priority group of the config. All configs in the
- same priority group are evaluated concurrently; consecutive
- priority groups are evaluated sequentially.
+ description: |-
+ Priority group of the config.
+ All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially.
type: integer
when:
- description: Conditions for Authorino to enforce this authorization
- policy. If omitted, the config will be enforced for all requests.
- If present, all conditions must match for the config to be
- enforced; otherwise, the config will be skipped.
+ description: |-
+ Conditions for Authorino to enforce this authorization policy.
+ If omitted, the config will be enforced for all requests.
+ If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped.
items:
properties:
all:
@@ -672,11 +600,9 @@ spec:
x-kubernetes-preserve-unknown-fields: true
type: array
operator:
- description: 'The binary operator to be applied to the
- content fetched from the authorization JSON, for comparison
- with "value". Possible values are: "eq" (equal to),
- "neq" (not equal to), "incl" (includes; for arrays),
- "excl" (excludes; for arrays), "matches" (regex)'
+ description: |-
+ The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value".
+ Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex)
enum:
- eq
- neq
@@ -688,16 +614,14 @@ spec:
description: Name of a named pattern
type: string
selector:
- description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson.
- The value is used to fetch content from the input authorization
- JSON built by Authorino along the identity and metadata
- phases.
+ description: |-
+ Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson.
+ The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases.
type: string
value:
- description: The value of reference for the comparison
- with the content fetched from the authorization JSON.
- If used with the "matches" operator, the value must
- compile to a valid Golang regex.
+ description: |-
+ The value of reference for the comparison with the content fetched from the authorization JSON.
+ If used with the "matches" operator, the value must compile to a valid Golang regex.
type: string
type: object
type: array
@@ -706,8 +630,9 @@ spec:
type: object
type: array
callbacks:
- description: List of callback configs. Authorino sends callbacks to
- specified endpoints at the end of the auth pipeline.
+ description: |-
+ List of callback configs.
+ Authorino sends callbacks to specified endpoints at the end of the auth pipeline.
items:
description: Endpoints to callback at the end of each auth pipeline.
properties:
@@ -716,10 +641,10 @@ spec:
metadata from a HTTP service.
properties:
body:
- description: Raw body of the HTTP request. Supersedes 'bodyParameters';
- use either one or the other. Use it with method=POST;
- for GET requests, set parameters as query string in the
- 'endpoint' (placeholders can be used).
+ description: |-
+ Raw body of the HTTP request.
+ Supersedes 'bodyParameters'; use either one or the other.
+ Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used).
properties:
value:
description: Static value
@@ -728,24 +653,20 @@ spec:
description: Dynamic value
properties:
authJSON:
- description: 'Selector to fetch a value from the
- authorization JSON. It can be any path pattern
- to fetch from the authorization JSON (e.g. ''context.request.http.host'')
- or a string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers are
- available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
type: object
bodyParameters:
- description: Custom parameters to encode in the body of
- the HTTP request. Superseded by 'body'; use either one
- or the other. Use it with method=POST; for GET requests,
- set parameters as query string in the 'endpoint' (placeholders
- can be used).
+ description: |-
+ Custom parameters to encode in the body of the HTTP request.
+ Superseded by 'body'; use either one or the other.
+ Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used).
items:
properties:
name:
@@ -758,16 +679,12 @@ spec:
description: Dynamic value of the JSON property
properties:
authJSON:
- description: 'Selector to fetch a value from the
- authorization JSON. It can be any path pattern
- to fetch from the authorization JSON (e.g. ''context.request.http.host'')
- or a string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers
- are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and
- @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
required:
@@ -776,20 +693,17 @@ spec:
type: array
contentType:
default: application/x-www-form-urlencoded
- description: Content-Type of the request body. Shapes how
- 'bodyParameters' are encoded. Use it with method=POST;
- for GET requests, Content-Type is automatically set to
- 'text/plain'.
+ description: |-
+ Content-Type of the request body. Shapes how 'bodyParameters' are encoded.
+ Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'.
enum:
- application/x-www-form-urlencoded
- application/json
type: string
credentials:
- description: Defines where client credentials will be passed
- in the request to the service. If omitted, it defaults
- to client credentials passed in the HTTP Authorization
- header and the "Bearer" prefix expected prepended to the
- secret value.
+ description: |-
+ Defines where client credentials will be passed in the request to the service.
+ If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value.
properties:
in:
default: authorization_header
@@ -803,23 +717,20 @@ spec:
- cookie
type: string
keySelector:
- description: Used in conjunction with the `in` parameter.
- When used with `authorization_header`, the value is
- the prefix of the client credentials string, separated
- by a white-space, in the HTTP Authorization header
- (e.g. "Bearer", "Basic"). When used with `custom_header`,
- `query` or `cookie`, the value is the name of the
- HTTP header, query string parameter or cookie key,
- respectively.
+ description: |-
+ Used in conjunction with the `in` parameter.
+ When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic").
+ When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively.
type: string
required:
- keySelector
type: object
endpoint:
- description: Endpoint of the HTTP service. The endpoint
- accepts variable placeholders in the format "{selector}",
- where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson
- and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path}
+ description: |-
+ Endpoint of the HTTP service.
+ The endpoint accepts variable placeholders in the format "{selector}", where "selector" is any pattern supported
+ by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON.
+ E.g. https://ext-auth-server.io/metadata?p={context.request.http.path}
type: string
headers:
description: Custom headers in the HTTP request.
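Review bot: the new `endpoint` description breaks a sentence in the middle ("any pattern supported" / "by https://pkg.go.dev/github.com/tidwall/gjson and selects value ..."), whereas every other rewrapped description in this patch breaks at sentence boundaries. Because `|-` preserves line breaks, that split will be visible in the rendered field help; suggest keeping "...where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON." on one line and the "E.g. ..." example on the next.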
@@ -835,16 +746,12 @@ spec:
description: Dynamic value of the JSON property
properties:
authJSON:
- description: 'Selector to fetch a value from the
- authorization JSON. It can be any path pattern
- to fetch from the authorization JSON (e.g. ''context.request.http.host'')
- or a string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers
- are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and
- @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
required:
@@ -853,10 +760,9 @@ spec:
type: array
method:
default: GET
- description: 'HTTP verb used in the request to the service.
- Accepted values: GET (default), POST. When the request
- method is POST, the authorization JSON is passed in the
- body of the request.'
+ description: |-
+ HTTP verb used in the request to the service. Accepted values: GET (default), POST.
+ When the request method is POST, the authorization JSON is passed in the body of the request.
enum:
- GET
- POST
@@ -867,9 +773,9 @@ spec:
properties:
cache:
default: true
- description: Caches and reuses the token until expired.
- Set it to false to force fetch the token at every
- authorization request regardless of expiration.
+ description: |-
+ Caches and reuses the token until expired.
+ Set it to false to force fetch the token at every authorization request regardless of expiration.
type: boolean
clientId:
description: OAuth2 Client ID.
@@ -912,10 +818,10 @@ spec:
- tokenUrl
type: object
sharedSecretRef:
- description: Reference to a Secret key whose value will
- be passed by Authorino in the request. The HTTP service
- can use the shared secret to authenticate the origin of
- the request. Ignored if used together with oauth2.
+ description: |-
+ Reference to a Secret key whose value will be passed by Authorino in the request.
+ The HTTP service can use the shared secret to authenticate the origin of the request.
+ Ignored if used together with oauth2.
properties:
key:
description: The key of the secret to select from. Must
@@ -938,20 +844,21 @@ spec:
observability metrics
type: boolean
name:
- description: Name of the callback. It can be used to refer to
- the resolved callback response in other configs.
+ description: |-
+ Name of the callback.
+ It can be used to refer to the resolved callback response in other configs.
type: string
priority:
default: 0
- description: Priority group of the config. All configs in the
- same priority group are evaluated concurrently; consecutive
- priority groups are evaluated sequentially.
+ description: |-
+ Priority group of the config.
+ All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially.
type: integer
when:
- description: Conditions for Authorino to perform this callback.
+ description: |-
+ Conditions for Authorino to perform this callback.
If omitted, the callback will be attempted for all requests.
- If present, all conditions must match for the callback to
- be attempted; otherwise, the callback will be skipped.
+ If present, all conditions must match for the callback to be attempted; otherwise, the callback will be skipped.
items:
properties:
all:
@@ -969,11 +876,9 @@ spec:
x-kubernetes-preserve-unknown-fields: true
type: array
operator:
- description: 'The binary operator to be applied to the
- content fetched from the authorization JSON, for comparison
- with "value". Possible values are: "eq" (equal to),
- "neq" (not equal to), "incl" (includes; for arrays),
- "excl" (excludes; for arrays), "matches" (regex)'
+ description: |-
+ The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value".
+ Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex)
enum:
- eq
- neq
@@ -985,16 +890,14 @@ spec:
description: Name of a named pattern
type: string
selector:
- description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson.
- The value is used to fetch content from the input authorization
- JSON built by Authorino along the identity and metadata
- phases.
+ description: |-
+ Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson.
+ The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases.
type: string
value:
- description: The value of reference for the comparison
- with the content fetched from the authorization JSON.
- If used with the "matches" operator, the value must
- compile to a valid Golang regex.
+ description: |-
+ The value of reference for the comparison with the content fetched from the authorization JSON.
+ If used with the "matches" operator, the value must compile to a valid Golang regex.
type: string
type: object
type: array
@@ -1021,15 +924,12 @@ spec:
description: Dynamic value
properties:
authJSON:
- description: 'Selector to fetch a value from the authorization
- JSON. It can be any path pattern to fetch from the
- authorization JSON (e.g. ''context.request.http.host'')
- or a string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers are
- available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
type: object
@@ -1055,15 +955,12 @@ spec:
description: Dynamic value of the JSON property
properties:
authJSON:
- description: 'Selector to fetch a value from the
- authorization JSON. It can be any path pattern
- to fetch from the authorization JSON (e.g. ''context.request.http.host'')
- or a string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers are
- available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
required:
@@ -1080,15 +977,12 @@ spec:
description: Dynamic value
properties:
authJSON:
- description: 'Selector to fetch a value from the authorization
- JSON. It can be any path pattern to fetch from the
- authorization JSON (e.g. ''context.request.http.host'')
- or a string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers are
- available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
type: object
@@ -1107,15 +1001,12 @@ spec:
description: Dynamic value
properties:
authJSON:
- description: 'Selector to fetch a value from the authorization
- JSON. It can be any path pattern to fetch from the
- authorization JSON (e.g. ''context.request.http.host'')
- or a string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers are
- available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
type: object
@@ -1141,15 +1032,12 @@ spec:
description: Dynamic value of the JSON property
properties:
authJSON:
- description: 'Selector to fetch a value from the
- authorization JSON. It can be any path pattern
- to fetch from the authorization JSON (e.g. ''context.request.http.host'')
- or a string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers are
- available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
required:
@@ -1166,37 +1054,32 @@ spec:
description: Dynamic value
properties:
authJSON:
- description: 'Selector to fetch a value from the authorization
- JSON. It can be any path pattern to fetch from the
- authorization JSON (e.g. ''context.request.http.host'')
- or a string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers are
- available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
type: object
type: object
type: object
hosts:
- description: The list of public host names of the services protected
- by this authentication/authorization scheme. Authorino uses the
- requested host to lookup for the corresponding authentication/authorization
- configs to enforce.
+ description: |-
+ The list of public host names of the services protected by this authentication/authorization scheme.
+ Authorino uses the requested host to lookup for the corresponding authentication/authorization configs to enforce.
items:
type: string
type: array
identity:
- description: List of identity sources/authentication modes. At least
- one config of this list MUST evaluate to a valid identity for a
- request to be successful in the identity verification phase.
+ description: |-
+ List of identity sources/authentication modes.
+ At least one config of this list MUST evaluate to a valid identity for a request to be successful in the identity verification phase.
items:
- description: 'The identity source/authentication mode config. Apart
- from "name", one of the following parameters is required and only
- one of the following parameters is allowed: "oicd", "apiKey" or
- "kubernetes".'
+ description: |-
+ The identity source/authentication mode config.
+ Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "oicd", "apiKey" or "kubernetes".
properties:
anonymous:
type: object
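Review bot: The identity item description still says `"oicd"` where the property is actually `oidc` (the `oidc:` key appears later in this CRD); the reflow reproduces the typo verbatim, so it should be corrected in the source doc comment and regenerated rather than left in the user-facing schema.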
@@ -1204,10 +1087,9 @@ spec:
properties:
allNamespaces:
default: false
- description: Whether Authorino should look for API key secrets
- in all namespaces or only in the same namespace as the
- AuthConfig. Enabling this option in namespaced Authorino
- instances has no effect.
+ description: |-
+ Whether Authorino should look for API key secrets in all namespaces or only in the same namespace as the AuthConfig.
+ Enabling this option in namespaced Authorino instances has no effect.
type: boolean
selector:
description: Label selector used by Authorino to match secrets
@@ -1218,8 +1100,8 @@ spec:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
@@ -1227,17 +1109,16 @@ spec:
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In,
- NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists
- or DoesNotExist, the values array must be empty.
- This array is replaced during a strategic merge
- patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1249,25 +1130,25 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field
- is "key", the operator is "In", and the values array
- contains only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
+ x-kubernetes-map-type: atomic
required:
- selector
type: object
cache:
- description: Caching options for the identity resolved when
- applying this config. Omit it to avoid caching identity objects
- for this config.
+ description: |-
+ Caching options for the identity resolved when applying this config.
+ Omit it to avoid caching identity objects for this config.
properties:
key:
- description: Key used to store the entry in the cache. Cache
- entries from different metadata configs are stored and
- managed separately regardless of the key.
+ description: |-
+ Key used to store the entry in the cache.
+ Cache entries from different metadata configs are stored and managed separately regardless of the key.
properties:
value:
description: Static value
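Review bot: The added `x-kubernetes-map-type: atomic` under the `selector` object is a schema change, not a description reflow, and it is not mentioned anywhere around the hunk; it is the kind of line a newer controller-gen / apimachinery emits for `LabelSelector`, so the commit message or PR description should state the generator version bump that produced it, and the same line appears in the later selector and referent hunks of this patch.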
@@ -1276,15 +1157,12 @@ spec:
description: Dynamic value
properties:
authJSON:
- description: 'Selector to fetch a value from the
- authorization JSON. It can be any path pattern
- to fetch from the authorization JSON (e.g. ''context.request.http.host'')
- or a string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers are
- available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
type: object
@@ -1297,11 +1175,9 @@ spec:
- key
type: object
credentials:
- description: Defines where client credentials are required to
- be passed in the request for this identity source/authentication
- mode. If omitted, it defaults to client credentials passed
- in the HTTP Authorization header and the "Bearer" prefix expected
- prepended to the credentials value (token, API key, etc).
+ description: |-
+ Defines where client credentials are required to be passed in the request for this identity source/authentication mode.
+ If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the credentials value (token, API key, etc).
properties:
in:
default: authorization_header
@@ -1315,23 +1191,18 @@ spec:
- cookie
type: string
keySelector:
- description: Used in conjunction with the `in` parameter.
- When used with `authorization_header`, the value is the
- prefix of the client credentials string, separated by
- a white-space, in the HTTP Authorization header (e.g.
- "Bearer", "Basic"). When used with `custom_header`, `query`
- or `cookie`, the value is the name of the HTTP header,
- query string parameter or cookie key, respectively.
+ description: |-
+ Used in conjunction with the `in` parameter.
+ When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic").
+ When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively.
type: string
required:
- keySelector
type: object
extendedProperties:
- description: Extends the resolved identity object with additional
- custom properties before appending to the authorization JSON.
- It requires the resolved identity object to always be of the
- JSON type 'object'. Other JSON types (array, string, etc)
- will break.
+ description: |-
+ Extends the resolved identity object with additional custom properties before appending to the authorization JSON.
+ It requires the resolved identity object to always be of the JSON type 'object'. Other JSON types (array, string, etc) will break.
items:
properties:
name:
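Review bot: The extendedProperties description ends with "Other JSON types (array, string, etc) will break." without saying how; for a user-facing CRD description it would help to state the observable failure (request denied, config rejected, or similar) so operators can recognise it, which is a source-comment fix rather than something to hand-edit in the generated file.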
@@ -1349,15 +1220,12 @@ spec:
description: Dynamic value of the JSON property
properties:
authJSON:
- description: 'Selector to fetch a value from the authorization
- JSON. It can be any path pattern to fetch from the
- authorization JSON (e.g. ''context.request.http.host'')
- or a string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers are
- available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
required:
@@ -1367,11 +1235,9 @@ spec:
kubernetes:
properties:
audiences:
- description: The list of audiences (scopes) that must be
- claimed in a Kubernetes authentication token supplied
- in the request, and reviewed by Authorino. If omitted,
- Authorino will review tokens expecting the host name of
- the requested protected service amongst the audiences.
+ description: |-
+ The list of audiences (scopes) that must be claimed in a Kubernetes authentication token supplied in the request, and reviewed by Authorino.
+ If omitted, Authorino will review tokens expecting the host name of the requested protected service amongst the audiences.
items:
type: string
type: array
@@ -1385,10 +1251,9 @@ spec:
properties:
allNamespaces:
default: false
- description: Whether Authorino should look for TLS secrets
- in all namespaces or only in the same namespace as the
- AuthConfig. Enabling this option in namespaced Authorino
- instances has no effect.
+ description: |-
+ Whether Authorino should look for TLS secrets in all namespaces or only in the same namespace as the AuthConfig.
+ Enabling this option in namespaced Authorino instances has no effect.
type: boolean
selector:
description: Label selector used by Authorino to match secrets
@@ -1399,8 +1264,8 @@ spec:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
@@ -1408,17 +1273,16 @@ spec:
applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In,
- NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists
- or DoesNotExist, the values array must be empty.
- This array is replaced during a strategic merge
- patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
@@ -1430,21 +1294,21 @@ spec:
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field
- is "key", the operator is "In", and the values array
- contains only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
+ x-kubernetes-map-type: atomic
required:
- selector
type: object
name:
- description: The name of this identity source/authentication
- mode. It usually identifies a source of identities or group
- of users/clients of the protected service. It can be used
- to refer to the resolved identity object in other configs.
+ description: |-
+ The name of this identity source/authentication mode.
+ It usually identifies a source of identities or group of users/clients of the protected service.
+ It can be used to refer to the resolved identity object in other configs.
type: string
oauth2:
properties:
@@ -1454,15 +1318,19 @@ spec:
server.
properties:
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
+ x-kubernetes-map-type: atomic
tokenIntrospectionUrl:
description: The full URL of the token introspection endpoint.
type: string
tokenTypeHint:
- description: The token type hint for the token introspection.
+ description: |-
+ The token type hint for the token introspection.
If omitted, it defaults to "access_token".
type: string
required:
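Review bot: The referent `name` description now carries "TODO: Add other useful fields. apiVersion, kind, uid?" on its own line, which is the upstream `LocalObjectReference` doc comment leaking into the served schema; if this is the first version of the CRD that renders it as a separate line, consider whether the generator's description filtering (or a local doc comment on the field) should drop it, since it reads as an unfinished task to end users.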
@@ -1472,14 +1340,10 @@ spec:
oidc:
properties:
endpoint:
- description: Endpoint of the OIDC issuer. Authorino will
- append to this value the well-known path to the OpenID
- Connect discovery endpoint (i.e. "/.well-known/openid-configuration"),
- used to automatically discover the OpenID Connect configuration,
- whose set of claims is expected to include (among others)
- the "jkws_uri" claim. The value must coincide with the
- value of the "iss" (issuer) claim of the discovered OpenID
- Connect configuration.
+ description: |-
+ Endpoint of the OIDC issuer.
+ Authorino will append to this value the well-known path to the OpenID Connect discovery endpoint (i.e. "/.well-known/openid-configuration"), used to automatically discover the OpenID Connect configuration, whose set of claims is expected to include (among others) the "jkws_uri" claim.
+ The value must coincide with the value of the "iss" (issuer) claim of the discovered OpenID Connect configuration.
type: string
ttl:
description: Decides how long to wait before refreshing
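Review bot: The oidc `endpoint` description refers to the `"jkws_uri"` claim, which is a transposition of the OpenID Connect discovery document's `jwks_uri`; the reflow carries the typo forward, so it should be fixed in the source comment and regenerated.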
@@ -1491,28 +1355,25 @@ spec:
plain:
properties:
authJSON:
- description: 'Selector to fetch a value from the authorization
- JSON. It can be any path pattern to fetch from the authorization
- JSON (e.g. ''context.request.http.host'') or a string
- template with variable placeholders that resolve to patterns
- (e.g. "Hello, {auth.identity.name}!"). Any patterns supported
- by https://pkg.go.dev/github.com/tidwall/gjson can be
- used. The following string modifiers are available: @extract:{sep:"
- ",pos:0}, @replace{old:"",new:""}, @case:upper|lower,
- @base64:encode|decode and @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
priority:
default: 0
- description: Priority group of the config. All configs in the
- same priority group are evaluated concurrently; consecutive
- priority groups are evaluated sequentially.
+ description: |-
+ Priority group of the config.
+ All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially.
type: integer
when:
- description: Conditions for Authorino to enforce this identity
- config. If omitted, the config will be enforced for all requests.
- If present, all conditions must match for the config to be
- enforced; otherwise, the config will be skipped.
+ description: |-
+ Conditions for Authorino to enforce this identity config.
+ If omitted, the config will be enforced for all requests.
+ If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped.
items:
properties:
all:
@@ -1530,11 +1391,9 @@ spec:
x-kubernetes-preserve-unknown-fields: true
type: array
operator:
- description: 'The binary operator to be applied to the
- content fetched from the authorization JSON, for comparison
- with "value". Possible values are: "eq" (equal to),
- "neq" (not equal to), "incl" (includes; for arrays),
- "excl" (excludes; for arrays), "matches" (regex)'
+ description: |-
+ The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value".
+ Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex)
enum:
- eq
- neq
@@ -1546,16 +1405,14 @@ spec:
description: Name of a named pattern
type: string
selector:
- description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson.
- The value is used to fetch content from the input authorization
- JSON built by Authorino along the identity and metadata
- phases.
+ description: |-
+ Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson.
+ The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases.
type: string
value:
- description: The value of reference for the comparison
- with the content fetched from the authorization JSON.
- If used with the "matches" operator, the value must
- compile to a valid Golang regex.
+ description: |-
+ The value of reference for the comparison with the content fetched from the authorization JSON.
+ If used with the "matches" operator, the value must compile to a valid Golang regex.
type: string
type: object
type: array
@@ -1564,22 +1421,23 @@ spec:
type: object
type: array
metadata:
- description: List of metadata source configs. Authorino fetches JSON
- content from sources on this list on every request.
+ description: |-
+ List of metadata source configs.
+ Authorino fetches JSON content from sources on this list on every request.
items:
- description: 'The metadata config. Apart from "name", one of the
- following parameters is required and only one of the following
- parameters is allowed: "http", userInfo" or "uma".'
+ description: |-
+ The metadata config.
+ Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "http", userInfo" or "uma".
properties:
cache:
- description: Caching options for the external metadata fetched
- when applying this config. Omit it to avoid caching metadata
- from this source.
+ description: |-
+ Caching options for the external metadata fetched when applying this config.
+ Omit it to avoid caching metadata from this source.
properties:
key:
- description: Key used to store the entry in the cache. Cache
- entries from different metadata configs are stored and
- managed separately regardless of the key.
+ description: |-
+ Key used to store the entry in the cache.
+ Cache entries from different metadata configs are stored and managed separately regardless of the key.
properties:
value:
description: Static value
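Review bot: The metadata item description has an unbalanced quote in `"http", userInfo" or "uma"` (missing the opening quote before `userInfo`); like the other description typos in this patch it comes from the Go doc comment, so fix it there and regenerate.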
@@ -1588,15 +1446,12 @@ spec:
description: Dynamic value
properties:
authJSON:
- description: 'Selector to fetch a value from the
- authorization JSON. It can be any path pattern
- to fetch from the authorization JSON (e.g. ''context.request.http.host'')
- or a string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers are
- available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
type: object
@@ -1613,10 +1468,10 @@ spec:
metadata from a HTTP service.
properties:
body:
- description: Raw body of the HTTP request. Supersedes 'bodyParameters';
- use either one or the other. Use it with method=POST;
- for GET requests, set parameters as query string in the
- 'endpoint' (placeholders can be used).
+ description: |-
+ Raw body of the HTTP request.
+ Supersedes 'bodyParameters'; use either one or the other.
+ Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used).
properties:
value:
description: Static value
@@ -1625,24 +1480,20 @@ spec:
description: Dynamic value
properties:
authJSON:
- description: 'Selector to fetch a value from the
- authorization JSON. It can be any path pattern
- to fetch from the authorization JSON (e.g. ''context.request.http.host'')
- or a string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers are
- available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
type: object
bodyParameters:
- description: Custom parameters to encode in the body of
- the HTTP request. Superseded by 'body'; use either one
- or the other. Use it with method=POST; for GET requests,
- set parameters as query string in the 'endpoint' (placeholders
- can be used).
+ description: |-
+ Custom parameters to encode in the body of the HTTP request.
+ Superseded by 'body'; use either one or the other.
+ Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used).
items:
properties:
name:
@@ -1655,16 +1506,12 @@ spec:
description: Dynamic value of the JSON property
properties:
authJSON:
- description: 'Selector to fetch a value from the
- authorization JSON. It can be any path pattern
- to fetch from the authorization JSON (e.g. ''context.request.http.host'')
- or a string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers
- are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and
- @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
required:
@@ -1673,20 +1520,17 @@ spec:
type: array
contentType:
default: application/x-www-form-urlencoded
- description: Content-Type of the request body. Shapes how
- 'bodyParameters' are encoded. Use it with method=POST;
- for GET requests, Content-Type is automatically set to
- 'text/plain'.
+ description: |-
+ Content-Type of the request body. Shapes how 'bodyParameters' are encoded.
+ Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'.
enum:
- application/x-www-form-urlencoded
- application/json
type: string
credentials:
- description: Defines where client credentials will be passed
- in the request to the service. If omitted, it defaults
- to client credentials passed in the HTTP Authorization
- header and the "Bearer" prefix expected prepended to the
- secret value.
+ description: |-
+ Defines where client credentials will be passed in the request to the service.
+ If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value.
properties:
in:
default: authorization_header
@@ -1700,23 +1544,20 @@ spec:
- cookie
type: string
keySelector:
- description: Used in conjunction with the `in` parameter.
- When used with `authorization_header`, the value is
- the prefix of the client credentials string, separated
- by a white-space, in the HTTP Authorization header
- (e.g. "Bearer", "Basic"). When used with `custom_header`,
- `query` or `cookie`, the value is the name of the
- HTTP header, query string parameter or cookie key,
- respectively.
+ description: |-
+ Used in conjunction with the `in` parameter.
+ When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic").
+ When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively.
type: string
required:
- keySelector
type: object
endpoint:
- description: Endpoint of the HTTP service. The endpoint
- accepts variable placeholders in the format "{selector}",
- where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson
- and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path}
+ description: |-
+ Endpoint of the HTTP service.
+ The endpoint accepts variable placeholders in the format "{selector}", where "selector" is any pattern supported
+ by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON.
+ E.g. https://ext-auth-server.io/metadata?p={context.request.http.path}
type: string
headers:
description: Custom headers in the HTTP request.
@@ -1732,16 +1573,12 @@ spec:
description: Dynamic value of the JSON property
properties:
authJSON:
- description: 'Selector to fetch a value from the
- authorization JSON. It can be any path pattern
- to fetch from the authorization JSON (e.g. ''context.request.http.host'')
- or a string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers
- are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and
- @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
required:
@@ -1750,10 +1587,9 @@ spec:
type: array
method:
default: GET
- description: 'HTTP verb used in the request to the service.
- Accepted values: GET (default), POST. When the request
- method is POST, the authorization JSON is passed in the
- body of the request.'
+ description: |-
+ HTTP verb used in the request to the service. Accepted values: GET (default), POST.
+ When the request method is POST, the authorization JSON is passed in the body of the request.
enum:
- GET
- POST
@@ -1764,9 +1600,9 @@ spec:
properties:
cache:
default: true
- description: Caches and reuses the token until expired.
- Set it to false to force fetch the token at every
- authorization request regardless of expiration.
+ description: |-
+ Caches and reuses the token until expired.
+ Set it to false to force fetch the token at every authorization request regardless of expiration.
type: boolean
clientId:
description: OAuth2 Client ID.
@@ -1809,10 +1645,10 @@ spec:
- tokenUrl
type: object
sharedSecretRef:
- description: Reference to a Secret key whose value will
- be passed by Authorino in the request. The HTTP service
- can use the shared secret to authenticate the origin of
- the request. Ignored if used together with oauth2.
+ description: |-
+ Reference to a Secret key whose value will be passed by Authorino in the request.
+ The HTTP service can use the shared secret to authenticate the origin of the request.
+ Ignored if used together with oauth2.
properties:
key:
description: The key of the secret to select from. Must
@@ -1835,14 +1671,15 @@ spec:
observability metrics
type: boolean
name:
- description: The name of the metadata source. It can be used
- to refer to the resolved metadata object in other configs.
+ description: |-
+ The name of the metadata source.
+ It can be used to refer to the resolved metadata object in other configs.
type: string
priority:
default: 0
- description: Priority group of the config. All configs in the
- same priority group are evaluated concurrently; consecutive
- priority groups are evaluated sequentially.
+ description: |-
+ Priority group of the config.
+ All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially.
type: integer
uma:
description: User-Managed Access (UMA) source of resource data.
@@ -1853,14 +1690,17 @@ spec:
registration API of the UMA server.
properties:
name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
+ description: |-
+ Name of the referent.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
+ x-kubernetes-map-type: atomic
endpoint:
- description: The endpoint of the UMA server. The value must
- coincide with the "issuer" claim of the UMA config discovered
- from the well-known uma configuration endpoint.
+ description: |-
+ The endpoint of the UMA server.
+ The value must coincide with the "issuer" claim of the UMA config discovered from the well-known uma configuration endpoint.
type: string
required:
- credentialsRef
@@ -1879,10 +1719,10 @@ spec:
- identitySource
type: object
when:
- description: Conditions for Authorino to apply this metadata
- config. If omitted, the config will be applied for all requests.
- If present, all conditions must match for the config to be
- applied; otherwise, the config will be skipped.
+ description: |-
+ Conditions for Authorino to apply this metadata config.
+ If omitted, the config will be applied for all requests.
+ If present, all conditions must match for the config to be applied; otherwise, the config will be skipped.
items:
properties:
all:
@@ -1900,11 +1740,9 @@ spec:
x-kubernetes-preserve-unknown-fields: true
type: array
operator:
- description: 'The binary operator to be applied to the
- content fetched from the authorization JSON, for comparison
- with "value". Possible values are: "eq" (equal to),
- "neq" (not equal to), "incl" (includes; for arrays),
- "excl" (excludes; for arrays), "matches" (regex)'
+ description: |-
+ The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value".
+ Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex)
enum:
- eq
- neq
@@ -1916,16 +1754,14 @@ spec:
description: Name of a named pattern
type: string
selector:
- description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson.
- The value is used to fetch content from the input authorization
- JSON built by Authorino along the identity and metadata
- phases.
+ description: |-
+ Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson.
+ The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases.
type: string
value:
- description: The value of reference for the comparison
- with the content fetched from the authorization JSON.
- If used with the "matches" operator, the value must
- compile to a valid Golang regex.
+ description: |-
+ The value of reference for the comparison with the content fetched from the authorization JSON.
+ If used with the "matches" operator, the value must compile to a valid Golang regex.
type: string
type: object
type: array
@@ -1938,11 +1774,9 @@ spec:
items:
properties:
operator:
- description: 'The binary operator to be applied to the content
- fetched from the authorization JSON, for comparison with
- "value". Possible values are: "eq" (equal to), "neq" (not
- equal to), "incl" (includes; for arrays), "excl" (excludes;
- for arrays), "matches" (regex)'
+ description: |-
+ The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value".
+ Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex)
enum:
- eq
- neq
@@ -1951,16 +1785,14 @@ spec:
- matches
type: string
selector:
- description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson.
- The value is used to fetch content from the input authorization
- JSON built by Authorino along the identity and metadata
- phases.
+ description: |-
+ Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson.
+ The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases.
type: string
value:
- description: The value of reference for the comparison with
- the content fetched from the authorization JSON. If used
- with the "matches" operator, the value must compile to a
- valid Golang regex.
+ description: |-
+ The value of reference for the comparison with the content fetched from the authorization JSON.
+ If used with the "matches" operator, the value must compile to a valid Golang regex.
type: string
type: object
type: array
@@ -1968,22 +1800,23 @@ spec:
conditionals and in JSON-pattern matching policy rules.
type: object
response:
- description: List of response configs. Authorino gathers data from
- the auth pipeline to build custom responses for the client.
+ description: |-
+ List of response configs.
+ Authorino gathers data from the auth pipeline to build custom responses for the client.
items:
- description: 'Dynamic response to return to the client. Apart from
- "name", one of the following parameters is required and only one
- of the following parameters is allowed: "wristband" or "json".'
+ description: |-
+ Dynamic response to return to the client.
+ Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "wristband" or "json".
properties:
cache:
- description: Caching options for dynamic responses built when
- applying this config. Omit it to avoid caching dynamic responses
- for this config.
+ description: |-
+ Caching options for dynamic responses built when applying this config.
+ Omit it to avoid caching dynamic responses for this config.
properties:
key:
- description: Key used to store the entry in the cache. Cache
- entries from different metadata configs are stored and
- managed separately regardless of the key.
+ description: |-
+ Key used to store the entry in the cache.
+ Cache entries from different metadata configs are stored and managed separately regardless of the key.
properties:
value:
description: Static value
@@ -1992,15 +1825,12 @@ spec:
description: Dynamic value
properties:
authJSON:
- description: 'Selector to fetch a value from the
- authorization JSON. It can be any path pattern
- to fetch from the authorization JSON (e.g. ''context.request.http.host'')
- or a string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers are
- available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
type: object
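Review bot: the modifier list in the rewritten `authJSON` description is internally inconsistent: `@extract:{sep:" ",pos:0}` has a colon before the braces while `@replace{old:"",new:""}` does not (`+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.`). The text is carried over unchanged from the old single-quoted form and is repeated verbatim in the later `authJSON` descriptions of this patch, so please confirm which spelling Authorino's selector parser accepts and make all of them match. The scalar conversion itself is correct: the doubled `''context.request.http.host''` of the old single-quoted string becomes `'context.request.http.host'` under the `|-` block scalar.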
@@ -2029,16 +1859,12 @@ spec:
description: Dynamic value of the JSON property
properties:
authJSON:
- description: 'Selector to fetch a value from the
- authorization JSON. It can be any path pattern
- to fetch from the authorization JSON (e.g. ''context.request.http.host'')
- or a string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers
- are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and
- @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
required:
@@ -2054,8 +1880,9 @@ spec:
observability metrics
type: boolean
name:
- description: Name of the custom response. It can be used to
- refer to the resolved response object in other configs.
+ description: |-
+ Name of the custom response.
+ It can be used to refer to the resolved response object in other configs.
type: string
plain:
description: StaticOrDynamicValue is either a constant static
@@ -2069,29 +1896,26 @@ spec:
description: Dynamic value
properties:
authJSON:
- description: 'Selector to fetch a value from the authorization
- JSON. It can be any path pattern to fetch from the
- authorization JSON (e.g. ''context.request.http.host'')
- or a string template with variable placeholders that
- resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers are available:
- @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
type: object
priority:
default: 0
- description: Priority group of the config. All configs in the
- same priority group are evaluated concurrently; consecutive
- priority groups are evaluated sequentially.
+ description: |-
+ Priority group of the config.
+ All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially.
type: integer
when:
- description: Conditions for Authorino to enforce this custom
- response config. If omitted, the config will be enforced for
- all requests. If present, all conditions must match for the
- config to be enforced; otherwise, the config will be skipped.
+ description: |-
+ Conditions for Authorino to enforce this custom response config.
+ If omitted, the config will be enforced for all requests.
+ If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped.
items:
properties:
all:
@@ -2109,11 +1933,9 @@ spec:
x-kubernetes-preserve-unknown-fields: true
type: array
operator:
- description: 'The binary operator to be applied to the
- content fetched from the authorization JSON, for comparison
- with "value". Possible values are: "eq" (equal to),
- "neq" (not equal to), "incl" (includes; for arrays),
- "excl" (excludes; for arrays), "matches" (regex)'
+ description: |-
+ The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value".
+ Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex)
enum:
- eq
- neq
@@ -2125,32 +1947,30 @@ spec:
description: Name of a named pattern
type: string
selector:
- description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson.
- The value is used to fetch content from the input authorization
- JSON built by Authorino along the identity and metadata
- phases.
+ description: |-
+ Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson.
+ The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases.
type: string
value:
- description: The value of reference for the comparison
- with the content fetched from the authorization JSON.
- If used with the "matches" operator, the value must
- compile to a valid Golang regex.
+ description: |-
+ The value of reference for the comparison with the content fetched from the authorization JSON.
+ If used with the "matches" operator, the value must compile to a valid Golang regex.
type: string
type: object
type: array
wrapper:
default: httpHeader
- description: How Authorino wraps the response. Use "httpHeader"
- (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata"
- to wrap the response as Envoy Dynamic Metadata
+ description: |-
+ How Authorino wraps the response.
+ Use "httpHeader" (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" to wrap the response as Envoy Dynamic Metadata
enum:
- httpHeader
- envoyDynamicMetadata
type: string
wrapperKey:
- description: The name of key used in the wrapped response (name
- of the HTTP header or property of the Envoy Dynamic Metadata
- JSON). If omitted, it will be set to the name of the configuration.
+ description: |-
+ The name of key used in the wrapped response (name of the HTTP header or property of the Envoy Dynamic Metadata JSON).
+ If omitted, it will be set to the name of the configuration.
type: string
wristband:
properties:
@@ -2170,16 +1990,12 @@ spec:
description: Dynamic value of the JSON property
properties:
authJSON:
- description: 'Selector to fetch a value from the
- authorization JSON. It can be any path pattern
- to fetch from the authorization JSON (e.g. ''context.request.http.host'')
- or a string template with variable placeholders
- that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
- Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
- can be used. The following string modifiers
- are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
- @case:upper|lower, @base64:encode|decode and
- @strip.'
+ description: |-
+ Selector to fetch a value from the authorization JSON.
+ It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host')
+ or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!").
+ Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used.
+ The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.
type: string
type: object
required:
@@ -2192,10 +2008,9 @@ spec:
where = / = / = /
- ManagedZone
+ TLSPolicy
@@ -601,91 +601,6 @@
-
- ManagedZone
-
-
Once we enqueue the DNS record, controller will compile a list of changes to the DNS provider and will apply it. After this, the record is enqueued with the validationRequeueTime and the Ready condition will be marked as false with a message Awaiting Validation. When the record is received again and the controller ensures there are no changes needed (the ones applied are present in the DNS Provider) it sets the Ready condition to true and enqueues it with the defaultRequeueTime.
-
At any time when the record is requeued we also set the record.Status.QueuedFor field with a timestamp for when we expect to receive the record again. And on every reconciliation we set the record.Status.QueuedAt to be the time of the reconciliation.
Upon deletion, the process will be similar. The controller will determine the changes needed to the DNS provider and will apply them. The record will be requeued with the validationRequeueTime. Once we receive it back and ensure that there are no changes needed for the DNS provider we remove the finalizer from the record.
The validationRequeueTime duration is randomized +/- 50%.
It is recommended that you create the secret in the same namespace as your ManagedZones. In the examples above, we've stored these in a namespace called kuadrant-dns-system.
-
Now that we have the credential created we have a DNS provider ready to go and can start using it.
The DNS Operator is a kubernetes based controller responsible for reconciling DNS Record and Managed Zone custom resources. It interfaces with cloud DNS providers such as AWS and Google to bring the DNS zone into the state declared in these CRDs.
+
+
The DNS Operator is a kubernetes based controller responsible for reconciling DNS Record custom resources. It interfaces with cloud DNS providers such as AWS and Google to bring the DNS zone into the state declared in these CRDs.
One of the key use cases the DNS operator solves, is allowing complex DNS routing strategies such as Geo and Weighted to be expressed allowing you to leverage DNS as the first layer of traffic management. In order to make these strategies valuable, it also works across multiple clusters allowing you to use a shared domain name balance traffic based on your requirements.
NOTE: You can optionally skip this step but at least one ManagedZone will need to be configured and have valid credentials linked to use the DNS Operator.
+
NOTE: You can optionally skip this step but at least one DNS Provider Secret will need to be configured with valid credentials to use the DNS Operator.
The e2e test suite can be executed against any cluster running the DNS Operator with configuration added for any supported provider.
-
make test-e2e TEST_DNS_MANAGED_ZONE_NAME=<My managed zone name> TEST_DNS_ZONE_DOMAIN_NAME=<My domain name> TEST_DNS_NAMESPACE=<My test namesapace> TEST_DNS_PROVIDER=<aws|gcp>
+
make test-e2e TEST_DNS_ZONE_DOMAIN_NAME=<My domain name> TEST_DNS_PROVIDER_SECRET_NAME=<My provider secret name> TEST_DNS_NAMESPACES=<My test namespace(s)>
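Review bot: the new e2e invocation renames `TEST_DNS_NAMESPACE` to `TEST_DNS_NAMESPACES=<My test namespace(s)>` without saying how several namespaces are separated (comma, space or otherwise), and it replaces `TEST_DNS_MANAGED_ZONE_NAME` with `TEST_DNS_PROVIDER_SECRET_NAME` without saying in which namespace that Secret is expected to exist. Add a sentence after the command covering the separator and the Secret's namespace, and consider showing the command with two namespaces so the format is unambiguous. The typo fix (`namesapace` to `namespace`) is good.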
logger.Info() describe a high-level state of the resource such as creation, deletion and which reconciliation path was taken.
+
logger.Error() describe only those errors that are not returned in the result of the reconciliation. If error is occurred there should be only one error message.
+
logger.V(1).Info() debug level logs to give information about every change or event caused by the resource as well as every update of the resource.
+
+
The --zap-devel argument will enable debug level logs for the output. Otherwise, all V() logs are ignored.
kubectllogs-lcontrol-plane=dns-operator-controller-manager-ndns-operator-system--tail-1|sed'/^{/!d'|jq'select(.controller=="dnsrecord" and .level=="info")'
+
+or
+
kubectllogs-lcontrol-plane=dns-operator-controller-manager-ndns-operator-system--tail-1|sed'/^{/!d'|jq'select(.controller=="dnsrecord" and .DNSRecord.name=="test" and .reconcileID=="2be16b6d-b90f-430e-9996-8b5ec4855d53")'|jq'.level, .msg, .zoneEndpoints, .specEndpoints, .statusEndpoints '
+
+You could use selector in the jq with and/not/or to restrict.
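Review bot: `+You could use selector in the jq with and/not/or to restrict.` reads awkwardly; suggest `You can combine jq selectors with and/or/not to narrow the output further.` The second command also embeds a concrete `reconcileID` (`2be16b6d-b90f-430e-9996-8b5ec4855d53`) and `.DNSRecord.name=="test"` with no indication that these are sample values from one run, so a reader may copy them verbatim; mark them as placeholders to be taken from the first command's output.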
Export environment variables with the keys listed below for your desired provider. Fill in your own values as appropriate. Note that you will need to have created a root domain in AWS Route 53 or in GCP Cloud DNS:
kind:Gatewayname:mygateway
-# (optional) routing strategy to use when creating DNS records, defaults to `loadbalanced`
-# determines what DNS records are created in the DNS provider
-# check out Kuadrant RFC 0005 https://github.com/Kuadrant/architecture/blob/main/rfcs/0005-single-cluster-dnspolicy.md to learn more about the Routing Strategy field
-# One-of: simple, loadbalanced.
-routingStrategy:loadbalanced
+# reference to an existing secret resource containing provider credentials and configuration
+# it can only refer to Secrets in the same namespace as the DNSPolicy that have the type kuadrant.io/(provider) e.g kuadrant.io/aws
+providerRefs:
+
+-name:my-aws-credentials
-# (optional) loadbalancing specification
-# use it for providing the specification of how dns will be configured in order to provide balancing of load across multiple clusters when using the `loadbalanced` routing strategy
-# Primary use of this is for multi cluster deployments
-# check out Kuadrant RFC 0003 https://github.com/Kuadrant/architecture/blob/main/rfcs/0003-dns-policy.md to learn more about the options that can be used in this field
-loadBalancing:
-# (optional) weighted specification
-# use it to control the weight value applied to records
-weighted:
-# use it to change the weight of a record based on labels applied to the target meta resource i.e. Gateway in a single cluster context or ManagedCluster in multi cluster with OCM
-custom:
-
--weight:200
-selector:
-matchLabels:
-kuadrant.io/lb-attribute-custom-weight:AWS
-# (optional) weight value that will be applied to weighted dns records by default. Integer greater than 0 and no larger than the maximum value accepted by the target dns provider, defaults to `120`
-defaultWeight:100
-# (optional) geo specification
-# use it to control the geo value applied to records
-geo:
-# (optional) default geo to be applied to records
-defaultGeo:IE
-
-# (optional) health check specification
-# health check probes with the following specification will be created for each DNS target
-healthCheck:
-allowInsecureCertificates:true
-endpoint:/
-expectedResponses:
-
--200
--201
--301
-failureThreshold:5
-port:443
-protocol:https
+# (optional) routing strategy to use when creating DNS records, defaults to `loadbalanced`
+# determines what DNS records are created in the DNS provider
+# check out Kuadrant RFC 0005 https://github.com/Kuadrant/architecture/blob/main/rfcs/0005-single-cluster-dnspolicy.md to learn more about the Routing Strategy field
+# One-of: simple, loadbalanced.
+routingStrategy:loadbalanced
+
+# (optional) loadbalancing specification
+# use it for providing the specification of how dns will be configured in order to provide balancing of load across multiple clusters when using the `loadbalanced` routing strategy
+# Primary use of this is for multi cluster deployments
+# check out Kuadrant RFC 0003 https://github.com/Kuadrant/architecture/blob/main/rfcs/0003-dns-policy.md to learn more about the options that can be used in this field
+loadBalancing:
+# (optional) weighted specification
+# use it to control the weight value applied to records
+weighted:
+# use it to change the weight of a record based on labels applied to the target meta resource i.e. Gateway in a single cluster context or ManagedCluster in multi cluster with OCM
+custom:
+
+-weight:200
+selector:
+matchLabels:
+kuadrant.io/lb-attribute-custom-weight:AWS
+# (optional) weight value that will be applied to weighted dns records by default. Integer greater than 0 and no larger than the maximum value accepted by the target dns provider, defaults to `120`
+defaultWeight:100
+# (optional) geo specification
+# use it to control the geo value applied to records
+geo:
+# (optional) default geo to be applied to records
+defaultGeo:IE
+
+# (optional) health check specification
+# health check probes with the following specification will be created for each DNS target
+healthCheck:
+allowInsecureCertificates:true
+endpoint:/
+expectedResponses:
+
+-200
+-201
+-301
+failureThreshold:5
+port:443
+protocol:https
Check out the API reference for a full specification of the DNSPolicy CRD.
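Review bot: this hunk deletes the whole `routingStrategy`/`loadBalancing`/`healthCheck` block (`-routingStrategy:loadbalanced` through `-protocol:https`) and re-adds it byte for byte below the new `providerRefs` entry; inserting only the `providerRefs` lines at the top would keep the diff reviewable and avoid the appearance of a change in fields that only moved. In the `providerRefs` comment, `e.g kuadrant.io/aws` is missing the period after `e.g`. Since the example is being rewritten anyway, note that the health-check sample still sets `allowInsecureCertificates:true`; a comment saying that this disables certificate verification for the probe and belongs only in test setups (for example with the Let's Encrypt staging issuer used elsewhere in these docs) would stop it being copied unchanged into production policies.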
A DNSPolicy acts against a target Gateway by processing its listeners for hostnames that it can create dns records for.
-In order for it to do this, it must know about dns providers, and what domains these dns providers are currently hosting.
-This is done through the creation of ManagedZones and dns provider secrets containing the credentials for the dns provider account.
+In order for it to do this, it must know about the dns provider.
+This is done through the creation of dns provider secrets containing the credentials and configuration for the dns provider account.
If for example a Gateway is created with a listener with a hostname of echo.apps.hcpapps.net:
By default, Kuadrant will list the available zones and find the matching zone based on the listener host in the gateway listener. If it finds more than one matching zone for a given listener host, it will not update any of those zones.
+When providing a credential you should limit that credential down to just have write access to the zones you want Kuadrant to manage. Below is an example of a an AWS policy for doing this type of thing:
The DNSPolicy will create a DNSRecord resource for each listener hostname with a suitable ManagedZone configured. The DNSPolicy resource uses the status of the Gateway to determine what dns records need to be created based on the clusters it has been placed onto.
+
The DNSPolicy will create a DNSRecord resource for each listener hostname. The DNSPolicy resource uses the status of the Gateway to determine what dns records need to be created based on the clusters it has been placed onto.
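Review bot: the added line `+When providing a credential you should limit that credential down to just have write access to the zones you want Kuadrant to manage.` is at odds with the unchanged context just above it (`By default, Kuadrant will list the available zones and find the matching zone based on the listener host`): zone discovery needs permission to list hosted zones in addition to write access on the managed zones, so a credential scoped to write-only on specific zones would fail at the listing step. Suggest `limit the credential to listing hosted zones plus write access to only the zones you want Kuadrant to manage`, fix the doubled article in `a an AWS policy`, and make sure the example policy introduced by `Below is an example` reflects that split.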
-
- Note on Limitador
-The Kuadrant operator creates a Limitador CR named `limitador` in the same namespace as the Kuadrant CR. If there is a pre-existing Limitador CR of the same name the kuadrant operator will take ownership of that Limitador CR.
-
-
An eviction is allowed if at most "maxUnavailable" limitador pods are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with "minAvailable".
-
-
-
minAvailable
-
Number
-
No
-
An eviction is allowed if at least "minAvailable" limitador pods will still be available after the eviction, i.e. even in the absence of the evicted pod. So for example you can prevent all voluntary evictions by specifying "100%".
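Review bot: the removed `- Note on Limitador` block drops the statement that the operator creates a Limitador CR named `limitador` in the Kuadrant CR's namespace and takes ownership of a pre-existing CR of that name. That is operationally significant (an existing Limitador would be adopted and reconciled over), so if the behaviour is unchanged the note should be relocated rather than deleted, and if the behaviour changed, the replacement text should be part of this change. The surrounding PodDisruptionBudget rows (`maxUnavailable`, `minAvailable`) only lose blank lines, which is fine.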
Apply the following ManagedZone resource and AWS credentials to each cluster. Alternatively, if you are adding an additional cluster, add it to the new cluster:
The DNS provider declares a credential to access the zone(s) that Kuadrant can use to set up DNS configuration. You should ensure that this credential only has access to the zones you want managed.
To secure communication to the Gateways, you will define a TLS issuer for TLS certificates. This example uses Let's Encrypt, but you can use any issuer supported by cert-manager.
The following example uses Let's Encrypt staging, which you must also apply to all clusters:
For Kuadrant to balance traffic using DNS across two or more clusters, you must define a Gateway with a shared host. You will define this by using an HTTPS listener with a wildcard hostname based on the root domain. As mentioned earlier, you must apply these resources to all clusters.
NOTE: For now, the Gateway is set to accept an HTTPRoute from the same namespace only. This allows you to restrict who can use the Gateway until it is ready for general use.
Your Gateway should be accepted and programmed (valid and assigned an external address). However, if you check your listener status as follows, you will see that it is not yet programmed or ready to accept traffic due to bad TLS configuration:
Step 7 - Opening up the Gateway for other namespaces¶
Because you have configured the Gateway, secured it with Kuadrant policies, and tested it, you can now open it up for use by other teams in other namespaces:
Step 8 - Extending this Gateway to multiple clusters and configuring geo-based routing¶
To distribute this Gateway across multiple clusters, repeat this setup process for each cluster. By default, this will implement a round-robin DNS strategy to distribute traffic evenly across the different clusters. Setting up your Gateways to serve clients based on their geographic location is straightforward with your current configuration.
Assuming that you have deployed Gateway instances across multiple clusters as per this guide, the next step involves updating the DNS controller with the geographic regions of the visible Gateways.
For instance, if you have one cluster in North America and another in the EU, you can direct traffic to these Gateways based on their location by applying the appropriate labels:
For your North American cluster, enter the following command:
This section of the walkthrough focuses on using an OpenAPI Specification (OAS) to define an API. You will use Kuadrant OAS extensions to specify the routing, authentication, and rate limiting requirements. Next, you will use the kuadrantctl tool to generate an AuthPolicy, an HTTPRoute, and a RateLimitPolicy, which you will then apply to your cluster to enforce the settings defined in your OAS.
Copy at least one of the following example OAS to a local location:
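Review bot: `Apply the following ManagedZone resource and AWS credentials to each cluster.` is left as unchanged context while this change removes ManagedZone from the DNS Operator description, the e2e variables and the navigation (`- ManagedZone`), so this multi-cluster step still instructs readers to create a resource the rest of the docs no longer mention; update it to reference the DNS provider Secret (the paragraph immediately after it already describes that credential) or confirm that file is handled in a separate change.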
@@ -4985,10 +4355,10 @@
Step 2 - Set up HTTPRoute and backe
Set up some new environment variables as follows:
-
exportoasPath=examples/oas-apikey.yaml
-# Ensure you still have these environment variables setup from the start of this guide:
-exportrootDomain=example.com
-exportgatewayNS=api-gateway
+
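Review bot: this hunk removes `-# Ensure you still have these environment variables setup from the start of this guide:` together with `-exportrootDomain=example.com` and `-exportgatewayNS=api-gateway`, but only a blank `+` line is visible here as their replacement; if `rootDomain` and `gatewayNS` are still consumed by the commands that follow in this step, keep the reminder, since a reader who starts at this step has no other cue to set them.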