From 0947c36c22e7fa4e4a109ac99c9571d6cd8a32fe Mon Sep 17 00:00:00 2001 
From: jjaferson Date: Tue, 16 Nov 2021 16:11:33 +0000 Subject: [PATCH] Creates manifest file for installation of the operator * Installs authorino CRDs and Clusterroles via manifest --- .github/workflows/build-latest.yaml | 36 + Makefile | 31 +- api/v1beta1/authorino_types.go | 2 + .../crd/authorino.3scale.net_authconfigs.yaml | 1040 ----------------- config/authorino/crd/kustomization.yaml | 24 - config/authorino/crd/kustomizeconfig.yaml | 17 - .../patches/cainjection_in_authconfigs.yaml | 8 - .../crd/patches/oneof_in_authconfigs.yaml | 57 - .../crd/patches/webhook_in_authconfigs.yaml | 17 - config/authorino/kustomization.yaml | 12 - .../rbac/authconfig_editor_role.yaml | 23 - .../rbac/authconfig_viewer_role.yaml | 20 - config/authorino/rbac/kustomization.yaml | 7 - config/authorino/rbac/role.yaml | 57 - config/install/kustomization.yaml | 10 + config/install/manifests.yaml | 430 +++++++ config/manager/kustomization.yaml | 2 +- config/manager/manager.yaml | 1 - controllers/authorino_controller.go | 4 + 19 files changed, 500 insertions(+), 1298 deletions(-) create mode 100644 .github/workflows/build-latest.yaml delete mode 100644 config/authorino/crd/authorino.3scale.net_authconfigs.yaml delete mode 100644 config/authorino/crd/kustomization.yaml delete mode 100644 config/authorino/crd/kustomizeconfig.yaml delete mode 100644 config/authorino/crd/patches/cainjection_in_authconfigs.yaml delete mode 100644 config/authorino/crd/patches/oneof_in_authconfigs.yaml delete mode 100644 config/authorino/crd/patches/webhook_in_authconfigs.yaml delete mode 100644 config/authorino/kustomization.yaml delete mode 100644 config/authorino/rbac/authconfig_editor_role.yaml delete mode 100644 config/authorino/rbac/authconfig_viewer_role.yaml delete mode 100644 config/authorino/rbac/kustomization.yaml delete mode 100644 config/authorino/rbac/role.yaml create mode 100644 config/install/kustomization.yaml create mode 100644 config/install/manifests.yaml 
diff --git a/.github/workflows/build-latest.yaml b/.github/workflows/build-latest.yaml new file mode 100644 index 00000000..013097ed --- /dev/null +++ b/.github/workflows/build-latest.yaml @@ -0,0 +1,36 @@ +name: Build and push image +on: + push: + branches: + - 'main' + - 'master' + +jobs: + build: + name: Build and push image + runs-on: ubuntu-20.04 + + steps: + - uses: actions/checkout@v2 + + - name: Build Image + id: build-image + uses: redhat-actions/buildah-build@v2 + with: + image: authorino-operator + tags: latest ${{ github.sha }} + dockerfiles: | + ./Dockerfile + + - name: Push To quay.io + id: push-to-quay + uses: redhat-actions/push-to-registry@v2 + with: + image: ${{ steps.build-image.outputs.image }} + tags: ${{ steps.build-image.outputs.tags }} + registry: quay.io/3scale + username: 3scale+authorino_github + password: ${{ secrets.REGISTRY_AUTH_TOKEN }} + + - name: Print Image URL + run: echo "Image pushed to ${{ steps.push-to-quay.outputs.registry-paths }}" \ No newline at end of file diff --git a/Makefile b/Makefile index 2749e966..d49561de 100644 --- a/Makefile +++ b/Makefile @@ -36,12 +36,16 @@ IMAGE_TAG_BASE ?= authorino.kuadrant.io/authorino-operator BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION) # Image URL to use all building/pushing image targets -IMG ?= authorino-operator:latest +DEFAULT_OPERATOR_IMAGE = quay.io/3scale/authorino-operator:latest +OPERATOR_IMAGE ?= $(DEFAULT_OPERATOR_IMAGE) + # Produce CRDs that work back to Kubernetes 1.11 (no version conversion) CRD_OPTIONS ?= "crd:trivialVersions=true,preserveUnknownFields=false" # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary. ENVTEST_K8S_VERSION = 1.21 +OPERATOR_MANIFESTS ?= $(PROJECT_DIR)/config/install/manifests.yaml + # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) ifeq (,$(shell go env GOBIN)) GOBIN=$(shell go env GOPATH)/bin 
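Review bot: The workflow declares no `permissions:` block, so the job's GITHUB_TOKEN receives the repository default scope although the steps only need to read the checkout (the registry push authenticates with the separate `REGISTRY_AUTH_TOKEN` secret, not the GITHUB_TOKEN); add `permissions:` / `  contents: read` at the workflow top level. The three actions are referenced by moving major tags (`actions/checkout@v2`, `redhat-actions/buildah-build@v2`, `redhat-actions/push-to-registry@v2`); pinning each to a full commit SHA, with the tag kept as a trailing comment, keeps a re-pointed tag from running unreviewed code in a job that holds push credentials for `quay.io/3scale`. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.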
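Review bot: `DEFAULT_OPERATOR_IMAGE = quay.io/3scale/authorino-operator:latest` is a fixed string, so the simple flavour `DEFAULT_OPERATOR_IMAGE := quay.io/3scale/authorino-operator:latest` is the idiom; recursive `=` re-expands it on every reference for no benefit. The default now points at a floating `latest` tag on a public registry, so `make deploy` without an `OPERATOR_IMAGE` override deploys whatever was pushed last rather than an image matching `$(VERSION)`; if that is intended, a comment next to the assignment such as `# Moving tag: set OPERATOR_IMAGE to a fixed tag for reproducible deploys` would make it explicit. `OPERATOR_MANIFESTS ?= $(PROJECT_DIR)/config/install/manifests.yaml` relies on `PROJECT_DIR` being assigned elsewhere in the file, which this hunk does not show; since `?=` is recursive the reference resolves at use time, but if the variable is absent the path silently becomes `/config/install/manifests.yaml`.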
@@ -75,8 +79,8 @@ help: ## Display this help. ##@ Development -manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. - $(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases +manifests: controller-gen kustomize ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. + $(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases && $(KUSTOMIZE) build config/install > $(OPERATOR_MANIFESTS) generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. $(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..." 
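Review bot: The new `$(KUSTOMIZE) build config/install > $(OPERATOR_MANIFESTS)` writes straight to the final path, so the shell truncates `manifests.yaml` before kustomize runs and a kustomize failure leaves an empty or partial file that `install` and `uninstall` then hand to `kubectl apply` / `kubectl delete`. Write to a temporary name and rename on success: `$(KUSTOMIZE) build config/install > $(OPERATOR_MANIFESTS).tmp && mv -f $(OPERATOR_MANIFESTS).tmp $(OPERATOR_MANIFESTS)`. Chaining the controller-gen and kustomize invocations with `&&` on one recipe line also obscures which step failed; a second tab-indented recipe line stops on error just the same with clearer output. The `## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.` help text should now also mention the install manifest the target produces.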
@@ -99,32 +103,31 @@ run: manifests generate fmt vet ## Run a controller from your host. go run ./main.go docker-build: ## Build docker image with the manager. - docker build -t ${IMG} . + docker build -t ${OPERATOR_IMAGE} . docker-push: ## Push docker image with the manager. - docker push ${IMG} + docker push ${OPERATOR_IMAGE} ##@ Deployment install: manifests kustomize install-authorino ## Install CRDs into the K8s cluster specified in ~/.kube/config. - $(KUSTOMIZE) build config/crd | kubectl apply -f - + kubectl apply -f $(OPERATOR_MANIFESTS) uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. - $(KUSTOMIZE) build config/crd | kubectl delete -f - + kubectl delete -f $(OPERATOR_MANIFESTS) deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config. - cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} + cd config/manager && $(KUSTOMIZE) edit set image controller=${OPERATOR_IMAGE} $(KUSTOMIZE) build config/default | kubectl apply -f - + # rollback kustomize edit + cd config/manager && $(KUSTOMIZE) edit set image controller=${DEFAULT_OPERATOR_IMAGE} + undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. $(KUSTOMIZE) build config/default | kubectl delete -f - -AUTHORINO_VERSION=v0.5.0 install-authorino: kustomize ## install RBAC and CRD for authorino - $(eval TMP := $(shell mktemp -d)) - cd $(TMP); git clone --depth 1 --branch $(AUTHORINO_VERSION) https://github.com/kuadrant/authorino.git - cd $(TMP)/authorino; $(KUSTOMIZE) build install | kubectl apply -f - - -rm -rf $(TMP) + kubectl apply -f https://raw.githubusercontent.com/Kuadrant/authorino/main/install/manifests.yaml CONTROLLER_GEN = $(shell pwd)/bin/controller-gen controller-gen: ## Download controller-gen locally if necessary. 
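Review bot: `install-authorino` now applies `https://raw.githubusercontent.com/Kuadrant/authorino/main/install/manifests.yaml`, an unpinned branch head fetched over the network at install time, whereas the removed recipe pinned `AUTHORINO_VERSION=v0.5.0`; `make install` therefore deploys whatever CRDs and ClusterRoles sit on upstream `main` at that moment, which is neither reproducible nor reviewable before it reaches the cluster. Keep an overridable version variable and use it in the URL, e.g. `AUTHORINO_VERSION ?= v0.5.0` and `kubectl apply -f https://raw.githubusercontent.com/Kuadrant/authorino/$(AUTHORINO_VERSION)/install/manifests.yaml`. In `deploy`, the `# rollback kustomize edit` line only runs when the preceding `kubectl apply` succeeds, because make stops at the first failing recipe line, so a failed apply presumably leaves `config/manager/kustomization.yaml` edited in the working tree. `uninstall` removes only the operator manifests while `install` also installs Authorino's RBAC and CRDs; if that asymmetry is intended, the `##` help text for `uninstall` should say so.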
@@ -155,7 +158,7 @@ endef .PHONY: bundle bundle: manifests kustomize ## Generate bundle manifests and metadata, then validate generated files. operator-sdk generate kustomize manifests -q - cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG) + cd config/manager && $(KUSTOMIZE) edit set image controller=$(OPERATOR_IMAGE) $(KUSTOMIZE) build config/manifests | operator-sdk generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS) operator-sdk bundle validate ./bundle diff --git a/api/v1beta1/authorino_types.go b/api/v1beta1/authorino_types.go index 29dbde3c..86b4cc85 100644 --- a/api/v1beta1/authorino_types.go +++ b/api/v1beta1/authorino_types.go @@ -47,6 +47,8 @@ const ( DefaultTlsCertKeyPath string = "/etc/ssl/private/tls.key" DefaultOidcTlsCertPath string = "/etc/ssl/certs/oidc.crt" DefaultOidcTlsCertKeyPath string = "/etc/ssl/private/oidc.key" + + AuthorinoVersion string = "latest" ) type Condition struct { diff --git a/config/authorino/crd/authorino.3scale.net_authconfigs.yaml b/config/authorino/crd/authorino.3scale.net_authconfigs.yaml deleted file mode 100644 index a7ed747e..00000000 --- a/config/authorino/crd/authorino.3scale.net_authconfigs.yaml +++ /dev/null 
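Review bot: The new exported constant `AuthorinoVersion string = "latest"` carries no doc comment, and `latest` is a moving tag, so wherever the controller consumes it (`controllers/authorino_controller.go` is changed by this commit but its hunk is not shown here) the deployed Authorino version is whatever the registry last published rather than something tied to this operator release. Add a comment stating the constant's role, e.g. `// AuthorinoVersion is the default Authorino image tag used by the operator; "latest" is a moving tag.`, and consider defaulting to a specific release so the operator/Authorino pairing is reproducible.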
@@ -1,1040 +0,0 @@ - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.6.1 - creationTimestamp: null - name: authconfigs.authorino.3scale.net -spec: - group: authorino.3scale.net - names: - kind: AuthConfig - listKind: AuthConfigList - plural: authconfigs - singular: authconfig - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Ready? - jsonPath: .status.ready - name: Ready - type: boolean - - description: Number of trusted identity sources - jsonPath: .status.numIdentitySources - name: Id sources - priority: 2 - type: integer - - description: Number of external metadata sources - jsonPath: .status.numMetadataSources - name: Metadata sources - priority: 2 - type: integer - - description: Number of authorization policies - jsonPath: .status.numAuthorizationPolicies - name: Authz policies - priority: 2 - type: integer - - description: Number of items added to the client response - jsonPath: .status.numResponseItems - name: Response items - priority: 2 - type: integer - - description: Whether issuing Festival Wristbands - jsonPath: .status.festivalWristbandEnabled - name: Wristband - priority: 2 - type: boolean - name: v1beta1 - schema: - openAPIV3Schema: - description: AuthConfig is the schema for Authorino's AuthConfig API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Specifies the desired state of the AuthConfig resource, i.e. - the authencation/authorization scheme to be applied to protect the matching - service hosts. - properties: - authorization: - description: Authorization is the list of authorization policies. - All policies in this list MUST evaluate to "true" for a request - be successful in the authorization phase. - items: - description: 'Authorization policy to be enforced. Apart from "name", - one of the following parameters is required and only one of the - following parameters is allowed: "opa", "json" or "kubernetes".' - properties: - json: - description: JSON pattern matching authorization policy. - properties: - conditions: - description: Conditions that must match for Authorino to - enforce this policy; otherwise, the policy will be skipped. - items: - properties: - operator: - description: 'The binary operator to be applied to - the content fetched from the authorization JSON, - for comparison with "value". Possible values are: - "eq" (equal to), "neq" (not equal to), "incl" (includes; - for arrays), "excl" (excludes; for arrays), "matches" - (regex)' - enum: - - eq - - neq - - incl - - excl - - matches - type: string - selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input - authorization JSON built by Authorino along the - identity and metadata phases. - type: string - value: - description: The value of reference for the comparison - with the content fetched from the authorization - policy. If used with the "matches" operator, the - value must compile to a valid Golang regex. 
- type: string - required: - - operator - - selector - - value - type: object - type: array - rules: - description: The rules that must all evaluate to "true" - for the request to be authorized. - items: - properties: - operator: - description: 'The binary operator to be applied to - the content fetched from the authorization JSON, - for comparison with "value". Possible values are: - "eq" (equal to), "neq" (not equal to), "incl" (includes; - for arrays), "excl" (excludes; for arrays), "matches" - (regex)' - enum: - - eq - - neq - - incl - - excl - - matches - type: string - selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input - authorization JSON built by Authorino along the - identity and metadata phases. - type: string - value: - description: The value of reference for the comparison - with the content fetched from the authorization - policy. If used with the "matches" operator, the - value must compile to a valid Golang regex. - type: string - required: - - operator - - selector - - value - type: object - type: array - type: object - kubernetes: - description: Kubernetes authorization policy based on `SubjectAccessReview` - Path and Verb are inferred from the request. - properties: - conditions: - description: Conditions that must match for Authorino to - enforce this policy; otherwise, the policy will be skipped. - items: - properties: - operator: - description: 'The binary operator to be applied to - the content fetched from the authorization JSON, - for comparison with "value". Possible values are: - "eq" (equal to), "neq" (not equal to), "incl" (includes; - for arrays), "excl" (excludes; for arrays), "matches" - (regex)' - enum: - - eq - - neq - - incl - - excl - - matches - type: string - selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. 
- The value is used to fetch content from the input - authorization JSON built by Authorino along the - identity and metadata phases. - type: string - value: - description: The value of reference for the comparison - with the content fetched from the authorization - policy. If used with the "matches" operator, the - value must compile to a valid Golang regex. - type: string - required: - - operator - - selector - - value - type: object - type: array - groups: - description: Groups to test for. - items: - type: string - type: array - resourceAttributes: - description: Use ResourceAttributes for checking permissions - on Kubernetes resources If omitted, it performs a non-resource - `SubjectAccessReview`, with verb and path inferred from - the request. - properties: - group: - properties: - value: - type: string - valueFrom: - properties: - authJSON: - description: 'Selector to fill the value from - the authorization JSON. Any patterns supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The value can be just the pattern - with the path to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!") - The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, and @base64:encode|decode.' - type: string - type: object - type: object - name: - properties: - value: - type: string - valueFrom: - properties: - authJSON: - description: 'Selector to fill the value from - the authorization JSON. Any patterns supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The value can be just the pattern - with the path to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. 
"Hello, {auth.identity.name}!") - The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, and @base64:encode|decode.' - type: string - type: object - type: object - namespace: - properties: - value: - type: string - valueFrom: - properties: - authJSON: - description: 'Selector to fill the value from - the authorization JSON. Any patterns supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The value can be just the pattern - with the path to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!") - The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, and @base64:encode|decode.' - type: string - type: object - type: object - resource: - properties: - value: - type: string - valueFrom: - properties: - authJSON: - description: 'Selector to fill the value from - the authorization JSON. Any patterns supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The value can be just the pattern - with the path to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!") - The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, and @base64:encode|decode.' - type: string - type: object - type: object - subresource: - properties: - value: - type: string - valueFrom: - properties: - authJSON: - description: 'Selector to fill the value from - the authorization JSON. Any patterns supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The value can be just the pattern - with the path to fetch from the authorization - JSON (e.g. 
''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!") - The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, and @base64:encode|decode.' - type: string - type: object - type: object - verb: - properties: - value: - type: string - valueFrom: - properties: - authJSON: - description: 'Selector to fill the value from - the authorization JSON. Any patterns supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The value can be just the pattern - with the path to fetch from the authorization - JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!") - The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, and @base64:encode|decode.' - type: string - type: object - type: object - type: object - user: - description: User to test for. If without "Groups", then - is it interpreted as "What if User were not a member of - any groups" - properties: - value: - type: string - valueFrom: - properties: - authJSON: - description: 'Selector to fill the value from the - authorization JSON. Any patterns supported by - https://pkg.go.dev/github.com/tidwall/gjson can - be used. The value can be just the pattern with - the path to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a string - template with variable placeholders that resolve - to patterns (e.g. "Hello, {auth.identity.name}!") - The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, and @base64:encode|decode.' - type: string - type: object - type: object - required: - - user - type: object - name: - description: Name of the authorization policy. 
- type: string - opa: - description: Open Policy Agent (OPA) authorization policy. - properties: - externalRegistry: - description: External registry of OPA policies. - properties: - credentials: - description: Defines where client credentials will be - passed in the request to the service. If omitted, - it defaults to client credentials passed in the HTTP - Authorization header and the "Bearer" prefix expected - prepended to the secret value. - properties: - in: - default: authorization_header - description: The location in the request where client - credentials shall be passed on requests authenticating - with this identity source/authentication mode. - enum: - - authorization_header - - custom_header - - query - - cookie - type: string - keySelector: - description: Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value - is the prefix of the client credentials string, - separated by a white-space, in the HTTP Authorization - header (e.g. "Bearer", "Basic"). When used with - `custom_header`, `query` or `cookie`, the value - is the name of the HTTP header, query string parameter - or cookie key, respectively. - type: string - required: - - keySelector - type: object - endpoint: - description: Endpoint of the HTTP external registry. - The endpoint must respond with either plain/text or - application/json content-type. In the latter case, - the JSON returned in the body must include a path - `result.raw`, where the raw Rego policy will be extracted - from. This complies with the specification of the - OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy). - type: string - sharedSecretRef: - description: Reference to a Secret key whose value will - be passed by Authorino in the request. The HTTP service - can use the shared secret to authenticate the origin - of the request. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. 
- type: string - name: - description: The name of the secret in the Authorino's - namespace to select from. - type: string - required: - - key - - name - type: object - type: object - inlineRego: - description: Authorization policy as a Rego language document. - The Rego document must include the "allow" condition, - set by Authorino to "false" by default (i.e. requests - are unauthorized unless changed). The Rego document must - NOT include the "package" declaration in line 1. - type: string - type: object - required: - - name - type: object - type: array - denyWith: - description: Custom denial response codes, statuses and headers to - override default 40x's. - properties: - unauthenticated: - description: Denial status customization when the request is unauthenticated. - properties: - code: - description: HTTP status code to override the default denial - status code. - format: int64 - maximum: 599 - minimum: 300 - type: integer - headers: - description: HTTP response headers to override the default - denial headers. - items: - properties: - name: - description: The name of the claim - type: string - value: - description: Static value of the claim - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the claim - properties: - authJSON: - description: 'Selector to fill the value from the - authorization JSON. Any patterns supported by - https://pkg.go.dev/github.com/tidwall/gjson can - be used. The value can be just the pattern with - the path to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a string - template with variable placeholders that resolve - to patterns (e.g. "Hello, {auth.identity.name}!") - The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, and @base64:encode|decode.' 
- type: string - type: object - required: - - name - type: object - type: array - message: - description: HTTP message to override the default denial message. - type: string - type: object - unauthorized: - description: Denial status customization when the request is unauthorized. - properties: - code: - description: HTTP status code to override the default denial - status code. - format: int64 - maximum: 599 - minimum: 300 - type: integer - headers: - description: HTTP response headers to override the default - denial headers. - items: - properties: - name: - description: The name of the claim - type: string - value: - description: Static value of the claim - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the claim - properties: - authJSON: - description: 'Selector to fill the value from the - authorization JSON. Any patterns supported by - https://pkg.go.dev/github.com/tidwall/gjson can - be used. The value can be just the pattern with - the path to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a string - template with variable placeholders that resolve - to patterns (e.g. "Hello, {auth.identity.name}!") - The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, and @base64:encode|decode.' - type: string - type: object - required: - - name - type: object - type: array - message: - description: HTTP message to override the default denial message. - type: string - type: object - type: object - hosts: - description: The list of public host names of the services protected - by this authentication/authorization scheme. Authorino uses the - requested host to lookup for the corresponding authentication/authorization - configs to enforce. - items: - type: string - type: array - identity: - description: List of identity sources/authentication modes. 
At least - one config of this list MUST evaluate to a valid identity for a - request to be successful in the identity verification phase. - items: - description: 'The identity source/authentication mode config. Apart - from "name", one of the following parameters is required and only - one of the following parameters is allowed: "oicd", "apiKey" or - "kubernetes".' - properties: - apiKey: - properties: - labelSelectors: - additionalProperties: - type: string - description: The map of label selectors used by Authorino - to match secrets from the cluster storing valid credentials - to authenticate to this service - type: object - required: - - labelSelectors - type: object - credentials: - description: Defines where client credentials are required to - be passed in the request for this identity source/authentication - mode. If omitted, it defaults to client credentials passed - in the HTTP Authorization header and the "Bearer" prefix expected - prepended to the credentials value (token, API key, etc). - properties: - in: - default: authorization_header - description: The location in the request where client credentials - shall be passed on requests authenticating with this identity - source/authentication mode. - enum: - - authorization_header - - custom_header - - query - - cookie - type: string - keySelector: - description: Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is the - prefix of the client credentials string, separated by - a white-space, in the HTTP Authorization header (e.g. - "Bearer", "Basic"). When used with `custom_header`, `query` - or `cookie`, the value is the name of the HTTP header, - query string parameter or cookie key, respectively. - type: string - required: - - keySelector - type: object - extendedProperties: - description: Extends the resolved identity object with additional - custom properties before appending to the authorization JSON. 
- It requires the resolved identity object to always be of the - JSON type 'object'. Other JSON types (array, string, etc) - will break. - items: - properties: - name: - description: The name of the claim - type: string - value: - description: Static value of the claim - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the claim - properties: - authJSON: - description: 'Selector to fill the value from the - authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The value can be just the pattern with - the path to fetch from the authorization JSON (e.g. - ''context.request.http.host'') or a string template - with variable placeholders that resolve to patterns - (e.g. "Hello, {auth.identity.name}!") The following - string modifiers are available: @extract:{sep:" - ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, - and @base64:encode|decode.' - type: string - type: object - required: - - name - type: object - type: array - kubernetes: - properties: - audiences: - description: The list of audiences (scopes) that must be - claimed in a Kubernetes authentication token supplied - in the request, and reviewed by Authorino. If omitted, - Authorino will review tokens expecting the host name of - the requested protected service amongst the audiences. - items: - type: string - type: array - type: object - name: - description: The name of this identity source/authentication - mode. It usually identifies a source of identities or group - of users/clients of the protected service. It may as well - be used for this identity config to be referred in some metadata - configs. - type: string - oauth2: - properties: - credentialsRef: - description: Reference to a Kubernetes secret in the same - namespace, that stores client credentials to the OAuth2 - server. - properties: - name: - description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - type: object - tokenIntrospectionUrl: - description: The full URL of the token introspection endpoint. - type: string - tokenTypeHint: - description: The token type hint for the token introspection. - If omitted, it defaults to "access_token". - type: string - required: - - credentialsRef - - tokenIntrospectionUrl - type: object - oidc: - properties: - endpoint: - description: Endpoint of the OIDC issuer. Authorino will - append to this value the well-known path to the OpenID - Connect discovery endpoint (i.e. "/.well-known/openid-configuration"), - used to automatically discover the OpenID Connect configuration, - whose set of claims is expected to include (among others) - the "jkws_uri" claim. The value must coincide with the - value of the "iss" (issuer) claim of the discovered OpenID - Connect configuration. - type: string - required: - - endpoint - type: object - required: - - name - type: object - type: array - metadata: - description: List of metadata source configs. Authorino fetches JSON - content from sources on this list on every request. - items: - description: 'The metadata config. Apart from "name", one of the - following parameters is required and only one of the following - parameters is allowed: "userInfo" or "uma".' - properties: - http: - description: Generic HTTP interface to obtain authorization - metadata from a HTTP service. - properties: - bodyParameters: - description: Custom parameters to encode in the body of - the HTTP request. Use it with method=POST; for GET requests, - specify parameters using placeholders in the endpoint. 
- items: - properties: - name: - description: The name of the claim - type: string - value: - description: Static value of the claim - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the claim - properties: - authJSON: - description: 'Selector to fill the value from - the authorization JSON. Any patterns supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The value can be just the pattern - with the path to fetch from the authorization - JSON (e.g. ''context.request.http.host'') or - a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!") - The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, and @base64:encode|decode.' - type: string - type: object - required: - - name - type: object - type: array - contentType: - default: application/x-www-form-urlencoded - description: Content-Type of the request body. - enum: - - application/x-www-form-urlencoded - - application/json - type: string - credentials: - description: Defines where client credentials will be passed - in the request to the service. If omitted, it defaults - to client credentials passed in the HTTP Authorization - header and the "Bearer" prefix expected prepended to the - secret value. - properties: - in: - default: authorization_header - description: The location in the request where client - credentials shall be passed on requests authenticating - with this identity source/authentication mode. - enum: - - authorization_header - - custom_header - - query - - cookie - type: string - keySelector: - description: Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is - the prefix of the client credentials string, separated - by a white-space, in the HTTP Authorization header - (e.g. "Bearer", "Basic"). 
When used with `custom_header`, - `query` or `cookie`, the value is the name of the - HTTP header, query string parameter or cookie key, - respectively. - type: string - required: - - keySelector - type: object - endpoint: - description: Endpoint of the HTTP service. The endpoint - accepts variable placeholders in the format "{selector}", - where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} - type: string - method: - description: 'HTTP verb used in the request to the service. - Accepted values: GET (default), POST. When the request - method is POST, the authorization JSON is passed in the - body of the request.' - enum: - - GET - - POST - type: string - sharedSecretRef: - description: Reference to a Secret key whose value will - be passed by Authorino in the request. The HTTP service - can use the shared secret to authenticate the origin of - the request. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: The name of the secret in the Authorino's - namespace to select from. - type: string - required: - - key - - name - type: object - required: - - endpoint - type: object - name: - description: The name of the metadata source. Policies of te - authorization phase can refer to this metadata by this value. - type: string - uma: - description: User-Managed Access (UMA) source of resource data. - properties: - credentialsRef: - description: Reference to a Kubernetes secret in the same - namespace, that stores client credentials to the resource - registration API of the UMA server. - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' 
- type: string - type: object - endpoint: - description: The endpoint of the UMA server. The value must - coincide with the "issuer" claim of the UMA config discovered - from the well-known uma configuration endpoint. - type: string - required: - - credentialsRef - - endpoint - type: object - userInfo: - description: OpendID Connect UserInfo linked to an OIDC identity - config of this same spec. - properties: - identitySource: - description: The name of an OIDC identity source included - in the "identity" section and whose OpenID Connect configuration - discovered includes the OIDC "userinfo_endpoint" claim. - type: string - required: - - identitySource - type: object - required: - - name - type: object - type: array - response: - description: List of response configs. Authorino gathers data from - the auth pipeline to build custom responses for the client. - items: - description: 'Dynamic response to return to the client. Apart from - "name", one of the following parameters is required and only one - of the following parameters is allowed: "wristband" or "json".' - properties: - json: - properties: - properties: - description: List of JSON property-value pairs to be added - to the dynamic response. - items: - properties: - name: - description: The name of the claim - type: string - value: - description: Static value of the claim - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the claim - properties: - authJSON: - description: 'Selector to fill the value from - the authorization JSON. Any patterns supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The value can be just the pattern - with the path to fetch from the authorization - JSON (e.g. ''context.request.http.host'') or - a string template with variable placeholders - that resolve to patterns (e.g. 
"Hello, {auth.identity.name}!") - The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, and @base64:encode|decode.' - type: string - type: object - required: - - name - type: object - type: array - required: - - properties - type: object - name: - description: Name of the custom response. - type: string - wrapper: - default: httpHeader - description: How Authorino wraps the response. Use "httpHeader" - (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" - to wrap the response as Envoy Dynamic Metadata - enum: - - httpHeader - - envoyDynamicMetadata - type: string - wrapperKey: - description: The name of key used in the wrapped response (name - of the HTTP header or property of the Envoy Dynamic Metadata - JSON). If omitted, it will be set to the name of the configuration. - type: string - wristband: - properties: - customClaims: - description: Any claims to be added to the wristband token - apart from the standard JWT claims (iss, iat, exp) added - by default. - items: - properties: - name: - description: The name of the claim - type: string - value: - description: Static value of the claim - x-kubernetes-preserve-unknown-fields: true - valueFrom: - description: Dynamic value of the claim - properties: - authJSON: - description: 'Selector to fill the value from - the authorization JSON. Any patterns supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The value can be just the pattern - with the path to fetch from the authorization - JSON (e.g. ''context.request.http.host'') or - a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!") - The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, and @base64:encode|decode.' 
- type: string - type: object - required: - - name - type: object - type: array - issuer: - description: 'The endpoint to the Authorino service that - issues the wristband (format: ://:/, - where = /