From bd8217636e18fe234596bf6d22956b8d93f57bb1 Mon Sep 17 00:00:00 2001 From: David Martin Date: Wed, 13 Nov 2024 12:26:30 +0000 Subject: [PATCH] Update for v1 of Kuadrant CRDs --- config/examples/kube-prometheus/bundle.yaml | 8 +- .../crd/kuadrant.io_authpolicies.yaml | 6519 ++++++++++++++--- .../kuadrant/crd/kuadrant.io_dnspolicies.yaml | 537 +- .../crd/kuadrant.io_ratelimitpolicies.yaml | 511 +- .../kuadrant/crd/kuadrant.io_tlspolicies.yaml | 251 +- .../custom-resource-state-kuadrant.yaml | 8 +- config/kuadrant/custom-resource-state.yaml | 8 +- config/kuadrant/kuadrant.yaml | 102 +- tests/e2e/main_test.go | 24 +- tests/manifests/testauthpolicy1.yaml | 18 +- tests/manifests/testdnspolicy.yaml | 8 +- tests/manifests/testratelimitpolicy.yaml | 17 +- tests/manifests/testtlspolicy.yaml | 2 +- 13 files changed, 6551 insertions(+), 1462 deletions(-) diff --git a/config/examples/kube-prometheus/bundle.yaml b/config/examples/kube-prometheus/bundle.yaml index 5001d7a..c174806 100644 --- a/config/examples/kube-prometheus/bundle.yaml +++ b/config/examples/kube-prometheus/bundle.yaml @@ -1491,7 +1491,7 @@ data: - groupVersionKind: group: kuadrant.io kind: "TLSPolicy" - version: "v1alpha1" + version: "v1" metricNamePrefix: gatewayapi_tlspolicy labelsFromPath: name: @@ -1544,7 +1544,7 @@ data: - groupVersionKind: group: kuadrant.io kind: "DNSPolicy" - version: "v1alpha1" + version: "v1" metricNamePrefix: gatewayapi_dnspolicy labelsFromPath: name: @@ -1597,7 +1597,7 @@ data: - groupVersionKind: group: kuadrant.io kind: "RateLimitPolicy" - version: "v1beta2" + version: "v1" metricNamePrefix: gatewayapi_ratelimitpolicy labelsFromPath: name: @@ -1650,7 +1650,7 @@ data: - groupVersionKind: group: kuadrant.io kind: "AuthPolicy" - version: "v1beta2" + version: "v1" metricNamePrefix: gatewayapi_authpolicy labelsFromPath: name: diff --git a/config/kuadrant/crd/kuadrant.io_authpolicies.yaml b/config/kuadrant/crd/kuadrant.io_authpolicies.yaml index 33bb54b..e0dcf18 100644 --- a/config/kuadrant/crd/kuadrant.io_authpolicies.yaml +++ b/config/kuadrant/crd/kuadrant.io_authpolicies.yaml @@ -2,10 +2,17 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.16.5 + operatorframework.io/installed-alongside-9c917e148c39eb2c: kuadrant-system/kuadrant-operator.v1.0.0-rc4 + labels: + app: kuadrant + gateway.networking.k8s.io/policy: inherited + olm.managed: "true" + operators.coreos.com/kuadrant-operator.kuadrant-system: "" name: authpolicies.kuadrant.io spec: + conversion: + strategy: None group: kuadrant.io names: kind: AuthPolicy @@ -14,48 +21,4634 @@ spec: singular: authpolicy scope: Namespaced versions: - - name: v1beta2 + - additionalPrinterColumns: + - description: AuthPolicy Accepted + jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + priority: 2 + type: string + - description: AuthPolicy Enforced + jsonPath: .status.conditions[?(@.type=="Enforced")].status + name: Enforced + priority: 2 + type: string + - description: Kind of the object to which the policy aaplies + jsonPath: .spec.targetRef.kind + name: TargetKind + priority: 2 + type: string + - description: Name of the object to which the policy applies + jsonPath: .spec.targetRef.name + name: TargetName + priority: 2 + type: string + - description: 'Name of the section within the object to which the policy applies ' + jsonPath: .spec.targetRef.sectionName + name: TargetSection + priority: 2 + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 schema: openAPIV3Schema: + description: AuthPolicy enables authentication and authorization for service + workloads in a Gateway API network properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: - routes: - description: 'Route rules specify the HTTP route attributes that trigger - the external authorization service TODO(@guicassolato): remove – - conditions to trigger the ext-authz service will be computed from - `routeSelectors`' - items: + defaults: + description: |- + Rules to apply as defaults. Can be overridden by more specific policiy rules lower in the hierarchy and by less specific policy overrides. + Use one of: defaults, overrides, or bare set of policy rules (implicit defaults). + properties: + patterns: + additionalProperties: + properties: + allOf: + items: + properties: + operator: + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + enum: + - eq + - neq + - incl + - excl + - matches + type: string + selector: + description: |- + Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + Authorino custom JSON path modifiers are also supported. + type: string + value: + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. + type: string + type: object + type: array + required: + - allOf + type: object + description: Named sets of patterns that can be referred in `when` + conditions and in pattern-matching authorization policy rules. + type: object + rules: + description: |- + The auth rules of the policy. + See Authorino's AuthConfig CRD for more details. + properties: + authentication: + additionalProperties: + properties: + anonymous: + description: Anonymous access. + type: object + apiKey: + description: Authentication based on API keys stored + in Kubernetes secrets. + properties: + allNamespaces: + default: false + description: |- + Whether Authorino should look for API key secrets in all namespaces or only in the same namespace as the AuthConfig. + Enabling this option in namespaced Authorino instances has no effect. + type: boolean + selector: + description: Label selector used by Authorino to + match secrets from the cluster storing valid credentials + to authenticate to this service + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - selector + type: object + cache: + description: |- + Caching options for the resolved object returned when applying this config. + Omit it to avoid caching objects for this config. + properties: + key: + description: |- + Key used to store the entry in the cache. + The resolved key must be unique within the scope of this particular config. + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external + data in the cache before pulled again from the + source. + type: integer + required: + - key + type: object + credentials: + description: |- + Defines where credentials are required to be passed in the request for authentication based on this config. + If omitted, it defaults to credentials passed in the HTTP Authorization header and the "Bearer" prefix prepended to the secret credential value. + properties: + authorizationHeader: + properties: + prefix: + type: string + type: object + cookie: + properties: + name: + type: string + required: + - name + type: object + customHeader: + properties: + name: + type: string + required: + - name + type: object + queryString: + properties: + name: + type: string + required: + - name + type: object + type: object + defaults: + additionalProperties: + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: |- + Set default property values (claims) for the resolved identity object, that are set before appending the object to + the authorization JSON. If the property is already present in the resolved identity object, the default value is ignored. + It requires the resolved identity object to always be a JSON object. + Do not use this option with identity objects of other JSON types (array, string, etc). + type: object + jwt: + description: Authentication based on JWT tokens. + properties: + issuerUrl: + description: |- + URL of the issuer of the JWT. + If `jwksUrl` is omitted, Authorino will append the path to the OpenID Connect Well-Known Discovery endpoint + (i.e. "/.well-known/openid-configuration") to this URL, to discover the OIDC configuration where to obtain + the "jkws_uri" claim from. + The value must coincide with the value of the "iss" (issuer) claim of the discovered OpenID Connect configuration. + type: string + ttl: + description: |- + Decides how long to wait before refreshing the JWKS (in seconds). + If omitted, Authorino will never refresh the JWKS. + type: integer + type: object + kubernetesTokenReview: + description: Authentication by Kubernetes token review. + properties: + audiences: + description: |- + The list of audiences (scopes) that must be claimed in a Kubernetes authentication token supplied in the request, and reviewed by Authorino. + If omitted, Authorino will review tokens expecting the host name of the requested protected service amongst the audiences. + items: + type: string + type: array + type: object + metrics: + default: false + description: Whether this config should generate individual + observability metrics + type: boolean + oauth2Introspection: + description: Authentication by OAuth2 token introspection. + properties: + credentialsRef: + description: Reference to a Kubernetes secret in + the same namespace, that stores client credentials + to the OAuth2 server. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + endpoint: + description: The full URL of the token introspection + endpoint. + type: string + tokenTypeHint: + description: |- + The token type hint for the token introspection. + If omitted, it defaults to "access_token". + type: string + required: + - credentialsRef + - endpoint + type: object + overrides: + additionalProperties: + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: |- + Overrides the resolved identity object by setting the additional properties (claims) specified in this config, + before appending the object to the authorization JSON. + It requires the resolved identity object to always be a JSON object. + Do not use this option with identity objects of other JSON types (array, string, etc). + type: object + plain: + description: |- + Identity object extracted from the context. + Use this method when authentication is performed beforehand by a proxy and the resulting object passed to Authorino as JSON in the auth request. + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + type: object + priority: + default: 0 + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + type: integer + when: + description: |- + Conditions for Authorino to enforce this config. + If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + items: + properties: + all: + description: A list of pattern expressions to + be evaluated as a logical AND. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions to + be evaluated as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + operator: + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Reference to a named set of pattern + expressions + type: string + predicate: + type: string + selector: + description: |- + Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + Authorino custom JSON path modifiers are also supported. + type: string + value: + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. + type: string + type: object + type: array + x509: + description: |- + Authentication based on client X.509 certificates. + The certificates presented by the clients must be signed by a trusted CA whose certificates are stored in Kubernetes secrets. + properties: + allNamespaces: + default: false + description: |- + Whether Authorino should look for TLS secrets in all namespaces or only in the same namespace as the AuthConfig. + Enabling this option in namespaced Authorino instances has no effect. + type: boolean + selector: + description: |- + Label selector used by Authorino to match secrets from the cluster storing trusted CA certificates to validate + clients trying to authenticate to this service + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - selector + type: object + type: object + description: |- + Authentication configs. + At least one config MUST evaluate to a valid identity object for the auth request to be successful. + maxProperties: 10 + type: object + authorization: + additionalProperties: + properties: + cache: + description: |- + Caching options for the resolved object returned when applying this config. + Omit it to avoid caching objects for this config. + properties: + key: + description: |- + Key used to store the entry in the cache. + The resolved key must be unique within the scope of this particular config. + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external + data in the cache before pulled again from the + source. + type: integer + required: + - key + type: object + kubernetesSubjectAccessReview: + description: Authorization by Kubernetes SubjectAccessReview + properties: + groups: + description: Groups the user must be a member of + or, if `user` is omitted, the groups to check + for authorization in the Kubernetes RBAC. + items: + type: string + type: array + resourceAttributes: + description: |- + Use resourceAttributes to check permissions on Kubernetes resources. + If omitted, it performs a non-resource SubjectAccessReview, with verb and path inferred from the request. + properties: + group: + description: |- + API group of the resource. + Use '*' for all API groups. + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + name: + description: |- + Resource name + Omit it to check for authorization on all resources of the specified kind. + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + namespace: + description: Namespace where the user must have + permissions on the resource. + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + resource: + description: |- + Resource kind + Use '*' for all resource kinds. + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + subresource: + description: Subresource kind + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + verb: + description: |- + Verb to check for authorization on the resource. + Use '*' for all verbs. + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + user: + description: |- + User to check for authorization in the Kubernetes RBAC. + Omit it to check for group authorization only. + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + metrics: + default: false + description: Whether this config should generate individual + observability metrics + type: boolean + opa: + description: Open Policy Agent (OPA) Rego policy. + properties: + allValues: + default: false + description: |- + Returns the value of all Rego rules in the virtual document. Values can be read in subsequent evaluators/phases of the Auth Pipeline. + Otherwise, only the default `allow` rule will be exposed. + Returning all Rego rules can affect performance of OPA policies during reconciliation (policy precompile) and at runtime. + type: boolean + externalPolicy: + description: |- + Settings for fetching the OPA policy from an external registry. + Use it alternatively to 'rego'. + For the configurations of the HTTP request, the following options are not implemented: 'method', 'body', 'bodyParameters', + 'contentType', 'headers', 'oauth2'. Use it only with: 'url', 'sharedSecret', 'credentials'. + properties: + body: + description: |- + Raw body of the HTTP request. + Supersedes 'bodyParameters'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + bodyParameters: + additionalProperties: + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: |- + Custom parameters to encode in the body of the HTTP request. + Superseded by 'body'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + type: object + contentType: + default: application/x-www-form-urlencoded + description: |- + Content-Type of the request body. Shapes how 'bodyParameters' are encoded. + Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + enum: + - application/x-www-form-urlencoded + - application/json + type: string + credentials: + description: |- + Defines where client credentials will be passed in the request to the service. + If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + properties: + authorizationHeader: + properties: + prefix: + type: string + type: object + cookie: + properties: + name: + type: string + required: + - name + type: object + customHeader: + properties: + name: + type: string + required: + - name + type: object + queryString: + properties: + name: + type: string + required: + - name + type: object + type: object + headers: + additionalProperties: + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Custom headers in the HTTP request. + type: object + method: + default: GET + description: |- + HTTP verb used in the request to the service. Accepted values: GET (default), POST. + When the request method is POST, the authorization JSON is passed in the body of the request. + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - HEAD + - OPTIONS + - CONNECT + - TRACE + type: string + oauth2: + description: Authentication with the HTTP service + by OAuth2 Client Credentials grant. + properties: + cache: + default: true + description: |- + Caches and reuses the token until expired. + Set it to false to force fetch the token at every authorization request regardless of expiration. + type: boolean + clientId: + description: OAuth2 Client ID. + type: string + clientSecretRef: + description: Reference to a Kuberentes Secret + key that stores that OAuth2 Client Secret. + properties: + key: + description: The key of the secret to + select from. Must be a valid secret + key. + type: string + name: + description: The name of the secret + in the Authorino's namespace to select + from. + type: string + required: + - key + - name + type: object + extraParams: + additionalProperties: + type: string + description: Optional extra parameters for + the requests to the token URL. + type: object + scopes: + description: Optional scopes for the client + credentials grant, if supported by he + OAuth2 server. + items: + type: string + type: array + tokenUrl: + description: Token endpoint URL of the OAuth2 + resource server. + type: string + required: + - clientId + - clientSecretRef + - tokenUrl + type: object + sharedSecretRef: + description: |- + Reference to a Secret key whose value will be passed by Authorino in the request. + The HTTP service can use the shared secret to authenticate the origin of the request. + Ignored if used together with oauth2. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: The name of the secret in the + Authorino's namespace to select from. + type: string + required: + - key + - name + type: object + ttl: + description: Duration (in seconds) of the external + data in the cache before pulled again from + the source. + type: integer + url: + description: |- + Endpoint URL of the HTTP service. + The value can include variable placeholders in the format "{selector}", where "selector" is any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + E.g. https://ext-auth-server.io/metadata?p={request.path} + type: string + urlExpression: + type: string + type: object + rego: + description: |- + Authorization policy as a Rego language document. + The Rego document must include the "allow" condition, set by Authorino to "false" by default (i.e. requests are unauthorized unless changed). + The Rego document must NOT include the "package" declaration in line 1. + type: string + type: object + patternMatching: + description: Pattern-matching authorization rules. + properties: + patterns: + items: + properties: + all: + description: A list of pattern expressions + to be evaluated as a logical AND. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions + to be evaluated as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + operator: + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Reference to a named set of pattern + expressions + type: string + predicate: + type: string + selector: + description: |- + Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + Authorino custom JSON path modifiers are also supported. + type: string + value: + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. + type: string + type: object + type: array + required: + - patterns + type: object + priority: + default: 0 + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + type: integer + spicedb: + description: Authorization decision delegated to external + Authzed/SpiceDB server. + properties: + endpoint: + description: Hostname and port number to the GRPC + interface of the SpiceDB server (e.g. spicedb:50051). + type: string + insecure: + description: Insecure HTTP connection (i.e. disables + TLS verification) + type: boolean + permission: + description: The name of the permission (or relation) + on which to execute the check. + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + resource: + description: The resource on which to check the + permission or relation. + properties: + kind: + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + name: + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + sharedSecretRef: + description: Reference to a Secret key whose value + will be used by Authorino to authenticate with + the Authzed service. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + subject: + description: The subject that will be checked for + the permission or relation. + properties: + kind: + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + name: + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + required: + - endpoint + type: object + when: + description: |- + Conditions for Authorino to enforce this config. + If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + items: + properties: + all: + description: A list of pattern expressions to + be evaluated as a logical AND. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions to + be evaluated as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + operator: + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Reference to a named set of pattern + expressions + type: string + predicate: + type: string + selector: + description: |- + Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + Authorino custom JSON path modifiers are also supported. + type: string + value: + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. + type: string + type: object + type: array + type: object + description: |- + Authorization policies. + All policies MUST evaluate to "allowed = true" for the auth request be successful. + maxProperties: 10 + type: object + callbacks: + additionalProperties: + properties: + cache: + description: |- + Caching options for the resolved object returned when applying this config. + Omit it to avoid caching objects for this config. + properties: + key: + description: |- + Key used to store the entry in the cache. + The resolved key must be unique within the scope of this particular config. + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external + data in the cache before pulled again from the + source. + type: integer + required: + - key + type: object + http: + description: Settings of the external HTTP request + properties: + body: + description: |- + Raw body of the HTTP request. + Supersedes 'bodyParameters'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + bodyParameters: + additionalProperties: + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: |- + Custom parameters to encode in the body of the HTTP request. + Superseded by 'body'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + type: object + contentType: + default: application/x-www-form-urlencoded + description: |- + Content-Type of the request body. Shapes how 'bodyParameters' are encoded. + Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + enum: + - application/x-www-form-urlencoded + - application/json + type: string + credentials: + description: |- + Defines where client credentials will be passed in the request to the service. + If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + properties: + authorizationHeader: + properties: + prefix: + type: string + type: object + cookie: + properties: + name: + type: string + required: + - name + type: object + customHeader: + properties: + name: + type: string + required: + - name + type: object + queryString: + properties: + name: + type: string + required: + - name + type: object + type: object + headers: + additionalProperties: + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Custom headers in the HTTP request. + type: object + method: + default: GET + description: |- + HTTP verb used in the request to the service. Accepted values: GET (default), POST. + When the request method is POST, the authorization JSON is passed in the body of the request. + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - HEAD + - OPTIONS + - CONNECT + - TRACE + type: string + oauth2: + description: Authentication with the HTTP service + by OAuth2 Client Credentials grant. + properties: + cache: + default: true + description: |- + Caches and reuses the token until expired. + Set it to false to force fetch the token at every authorization request regardless of expiration. + type: boolean + clientId: + description: OAuth2 Client ID. + type: string + clientSecretRef: + description: Reference to a Kuberentes Secret + key that stores that OAuth2 Client Secret. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: The name of the secret in the + Authorino's namespace to select from. + type: string + required: + - key + - name + type: object + extraParams: + additionalProperties: + type: string + description: Optional extra parameters for the + requests to the token URL. + type: object + scopes: + description: Optional scopes for the client + credentials grant, if supported by he OAuth2 + server. + items: + type: string + type: array + tokenUrl: + description: Token endpoint URL of the OAuth2 + resource server. + type: string + required: + - clientId + - clientSecretRef + - tokenUrl + type: object + sharedSecretRef: + description: |- + Reference to a Secret key whose value will be passed by Authorino in the request. + The HTTP service can use the shared secret to authenticate the origin of the request. + Ignored if used together with oauth2. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + url: + description: |- + Endpoint URL of the HTTP service. + The value can include variable placeholders in the format "{selector}", where "selector" is any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + E.g. https://ext-auth-server.io/metadata?p={request.path} + type: string + urlExpression: + type: string + type: object + metrics: + default: false + description: Whether this config should generate individual + observability metrics + type: boolean + priority: + default: 0 + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + type: integer + when: + description: |- + Conditions for Authorino to enforce this config. + If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + items: + properties: + all: + description: A list of pattern expressions to + be evaluated as a logical AND. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions to + be evaluated as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + operator: + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Reference to a named set of pattern + expressions + type: string + predicate: + type: string + selector: + description: |- + Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + Authorino custom JSON path modifiers are also supported. + type: string + value: + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. + type: string + type: object + type: array + required: + - http + type: object + description: |- + Callback functions. + Authorino sends callbacks at the end of the auth pipeline to the endpoints specified in this config. + maxProperties: 10 + type: object + metadata: + additionalProperties: + properties: + cache: + description: |- + Caching options for the resolved object returned when applying this config. + Omit it to avoid caching objects for this config. + properties: + key: + description: |- + Key used to store the entry in the cache. + The resolved key must be unique within the scope of this particular config. + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external + data in the cache before pulled again from the + source. + type: integer + required: + - key + type: object + http: + description: External source of auth metadata via HTTP + request + properties: + body: + description: |- + Raw body of the HTTP request. + Supersedes 'bodyParameters'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + bodyParameters: + additionalProperties: + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: |- + Custom parameters to encode in the body of the HTTP request. + Superseded by 'body'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + type: object + contentType: + default: application/x-www-form-urlencoded + description: |- + Content-Type of the request body. Shapes how 'bodyParameters' are encoded. + Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + enum: + - application/x-www-form-urlencoded + - application/json + type: string + credentials: + description: |- + Defines where client credentials will be passed in the request to the service. + If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + properties: + authorizationHeader: + properties: + prefix: + type: string + type: object + cookie: + properties: + name: + type: string + required: + - name + type: object + customHeader: + properties: + name: + type: string + required: + - name + type: object + queryString: + properties: + name: + type: string + required: + - name + type: object + type: object + headers: + additionalProperties: + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Custom headers in the HTTP request. + type: object + method: + default: GET + description: |- + HTTP verb used in the request to the service. Accepted values: GET (default), POST. + When the request method is POST, the authorization JSON is passed in the body of the request. + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - HEAD + - OPTIONS + - CONNECT + - TRACE + type: string + oauth2: + description: Authentication with the HTTP service + by OAuth2 Client Credentials grant. + properties: + cache: + default: true + description: |- + Caches and reuses the token until expired. + Set it to false to force fetch the token at every authorization request regardless of expiration. + type: boolean + clientId: + description: OAuth2 Client ID. + type: string + clientSecretRef: + description: Reference to a Kuberentes Secret + key that stores that OAuth2 Client Secret. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: The name of the secret in the + Authorino's namespace to select from. + type: string + required: + - key + - name + type: object + extraParams: + additionalProperties: + type: string + description: Optional extra parameters for the + requests to the token URL. + type: object + scopes: + description: Optional scopes for the client + credentials grant, if supported by he OAuth2 + server. + items: + type: string + type: array + tokenUrl: + description: Token endpoint URL of the OAuth2 + resource server. + type: string + required: + - clientId + - clientSecretRef + - tokenUrl + type: object + sharedSecretRef: + description: |- + Reference to a Secret key whose value will be passed by Authorino in the request. + The HTTP service can use the shared secret to authenticate the origin of the request. + Ignored if used together with oauth2. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + url: + description: |- + Endpoint URL of the HTTP service. + The value can include variable placeholders in the format "{selector}", where "selector" is any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + E.g. https://ext-auth-server.io/metadata?p={request.path} + type: string + urlExpression: + type: string + type: object + metrics: + default: false + description: Whether this config should generate individual + observability metrics + type: boolean + priority: + default: 0 + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + type: integer + uma: + description: User-Managed Access (UMA) source of resource + data. + properties: + credentialsRef: + description: Reference to a Kubernetes secret in + the same namespace, that stores client credentials + to the resource registration API of the UMA server. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + endpoint: + description: |- + The endpoint of the UMA server. + The value must coincide with the "issuer" claim of the UMA config discovered from the well-known uma configuration endpoint. + type: string + required: + - credentialsRef + - endpoint + type: object + userInfo: + description: OpendID Connect UserInfo linked to an OIDC + authentication config specified in this same AuthConfig. + properties: + identitySource: + description: The name of an OIDC-enabled JWT authentication + config whose OpenID Connect configuration discovered + includes the OIDC "userinfo_endpoint" claim. + type: string + required: + - identitySource + type: object + when: + description: |- + Conditions for Authorino to enforce this config. + If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + items: + properties: + all: + description: A list of pattern expressions to + be evaluated as a logical AND. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions to + be evaluated as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + operator: + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Reference to a named set of pattern + expressions + type: string + predicate: + type: string + selector: + description: |- + Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + Authorino custom JSON path modifiers are also supported. + type: string + value: + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. + type: string + type: object + type: array + type: object + description: |- + Metadata sources. + Authorino fetches auth metadata as JSON from sources specified in this config. + maxProperties: 10 + type: object + response: + description: |- + Response items. + Authorino builds custom responses to the client of the auth request. + properties: + success: + description: |- + Response items to be included in the auth response when the request is authenticated and authorized. + For integration of Authorino via proxy, the proxy must use these settings to propagate dynamic metadata and/or inject data in the request. + properties: + filters: + additionalProperties: + properties: + cache: + description: |- + Caching options for the resolved object returned when applying this config. + Omit it to avoid caching objects for this config. + properties: + key: + description: |- + Key used to store the entry in the cache. + The resolved key must be unique within the scope of this particular config. + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + ttl: + default: 60 + description: Duration (in seconds) of the + external data in the cache before pulled + again from the source. + type: integer + required: + - key + type: object + json: + description: |- + JSON object + Specify it as the list of properties of the object, whose values can combine static values and values selected from the authorization JSON. + properties: + properties: + additionalProperties: + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + required: + - properties + type: object + key: + description: |- + The key used to add the custom response item (name of the HTTP header or root property of the Dynamic Metadata object). + If omitted, it will be set to the name of the response config. + type: string + metrics: + default: false + description: Whether this config should generate + individual observability metrics + type: boolean + plain: + description: Plain text content + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + priority: + default: 0 + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + type: integer + when: + description: |- + Conditions for Authorino to enforce this config. + If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + items: + properties: + all: + description: A list of pattern expressions + to be evaluated as a logical AND. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + any: + description: A list of pattern expressions + to be evaluated as a logical OR. + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + operator: + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Reference to a named set + of pattern expressions + type: string + predicate: + type: string + selector: + description: |- + Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + Authorino custom JSON path modifiers are also supported. + type: string + value: + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. + type: string + type: object + type: array + wristband: + description: Authorino Festival Wristband token + properties: + customClaims: + additionalProperties: + properties: + expression: + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Any claims to be added to the + wristband token apart from the standard + JWT claims (iss, iat, exp) added by default. + type: object + issuer: + description: 'The endpoint to the Authorino + service that issues the wristband (format: + ://:/, where + = /://:/, where + = /://:/, where + = /://:/, where + = /// 0 interval: + description: Interval defines how frequently this probe should + execute + type: string + path: + description: |- + Path is the path to append to the host to reach the expected health check. + Must start with "?" or "/", contain only valid URL characters and end with alphanumeric char or "/". For example "/" or "/healthz" are common + pattern: ^(?:\?|\/)[\w\-.~:\/?#\[\]@!$&'()*+,;=]+(?:[a-zA-Z0-9]|\/){1}$ type: string port: + description: Port to connect to the host on. Must be either 80, + 443 or 1024-49151 type: integer + x-kubernetes-validations: + - message: Only ports 80, 443, 1024-49151 are allowed + rule: self in [80, 443] || (self >= 1024 && self <= 49151) protocol: - description: HealthProtocol represents the protocol to use when - making a health check request + description: Protocol to use when connecting to the host, valid + values are "HTTP" or "HTTPS" type: string + x-kubernetes-validations: + - message: Only HTTP or HTTPS protocols are allowed + rule: self in ['HTTP','HTTPS'] type: object loadBalancing: properties: + defaultGeo: + description: defaultGeo specifies if this is the default geo for + providers that support setting a default catch all geo endpoint + such as Route53. + type: boolean geo: - properties: - defaultGeo: - description: "defaultGeo is the country/continent/region code - to use when no other can be determined for a dns target - cluster. \n The values accepted are determined by the target - dns provider, please refer to the appropriate docs below. - \n Route53: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-values-geo.html" - type: string - type: object - weighted: - properties: - custom: - items: - properties: - selector: - description: 'Label selector used by MGC to match resource - storing custom weight attribute values e.g. kuadrant.io/lb-attribute-custom-weight: - AWS' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - weight: - minimum: 0 - type: integer - required: - - selector - type: object - type: array - defaultWeight: - default: 120 - description: "defaultWeight is the record weight to use when - no other can be determined for a dns target cluster. \n - The maximum value accepted is determined by the target dns - provider, please refer to the appropriate docs below. \n - Route53: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-weighted.html" - minimum: 0 - type: integer - type: object + description: |- + geo value to apply to geo endpoints. + + The values accepted are determined by the target dns provider, please refer to the appropriate docs below. + + Route53: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-values-geo.html + Google: https://cloud.google.com/compute/docs/regions-zones + Azure: https://learn.microsoft.com/en-us/azure/traffic-manager/traffic-manager-geographic-regions + minLength: 2 + type: string + weight: + default: 120 + description: |- + weight value to apply to weighted endpoints. + + The maximum value accepted is determined by the target dns provider, please refer to the appropriate docs below. + + Route53: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-weighted.html + Google: https://cloud.google.com/dns/docs/overview/ + Azure: https://learn.microsoft.com/en-us/azure/traffic-manager/traffic-manager-routing-methods#weighted-traffic-routing-method + type: integer + required: + - defaultGeo + - geo + - weight type: object + providerRefs: + description: providerRefs is a list of references to provider secrets. + Max is one but intention is to allow this to be more in the future + items: + properties: + name: + minLength: 1 + type: string + required: + - name + type: object + maxItems: 1 + minItems: 1 + type: array targetRef: - description: PolicyTargetReference identifies an API object to apply - policy to. This should be used as part of Policy resources that - can target Gateway API resources. For more information on how this - policy attachment model works, and a sample Policy resource, refer - to the policy attachment documentation for Gateway API. + description: targetRef identifies an API object to apply policy to. properties: group: description: Group is the group of the target resource. @@ -178,68 +194,76 @@ spec: maxLength: 253 minLength: 1 type: string - namespace: - description: Namespace is the namespace of the referent. When - unspecified, the local namespace is inferred. Even when policy - targets a resource in a different namespace, it MUST only apply - to traffic originating from the same namespace as the policy. - maxLength: 63 + sectionName: + description: |- + SectionName is the name of a section within the target resource. When + unspecified, this targetRef targets the entire resource. In the following + resources, SectionName is interpreted as the following: + + * Gateway: Listener name + * HTTPRoute: HTTPRouteRule name + * Service: Port name + + If a SectionName is specified, but does not exist on the targeted object, + the Policy must fail to attach, and the policy implementation should record + a `ResolvedRefs` or similar Condition in the Policy's status. + maxLength: 253 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string required: - group - kind - name type: object + x-kubernetes-validations: + - message: Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io' + rule: self.group == 'gateway.networking.k8s.io' + - message: Invalid targetRef.kind. The only supported values are 'Gateway' + rule: self.kind == 'Gateway' required: + - providerRefs - targetRef type: object status: description: DNSPolicyStatus defines the observed state of DNSPolicy properties: conditions: - description: "conditions are any conditions associated with the policy - \n If configuring the policy fails, the \"Failed\" condition will - be set with a reason and message describing the cause of the failure." + description: |- + conditions are any conditions associated with the policy + + If configuring the policy fails, the "Failed" condition will be set with a + reason and message describing the cause of the failure. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -254,10 +278,6 @@ spec: type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -273,46 +293,36 @@ spec: properties: conditions: items: - description: "Condition contains details for one aspect of the - current state of this API Resource. --- This struct is intended - for direct use as an array at the field path .status.conditions. - \ For example, \n type FooStatus struct{ // Represents the - observations of a foo's current state. // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type - // +patchStrategy=merge // +listType=map // +listMapKey=type - Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` - \n // other fields }" + description: Condition contains details for one aspect of the + current state of this API Resource. properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be - when the underlying condition changed. If that is not - known, then using the time when the API field changed - is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if - .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the - current state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values - and meanings for this field, and whether the values are - considered a guaranteed API. The value should be a CamelCase - string. This field may not be empty. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -327,10 +337,6 @@ spec: type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across - resources like Available, but because arbitrary conditions - can be useful (see .node.status.conditions), the ability - to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -342,17 +348,176 @@ spec: - type type: object type: array + probes: + items: + properties: + conditions: + items: + description: Condition contains details for one aspect + of the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, + False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + host: + type: string + id: + type: string + ipAddress: + type: string + synced: + type: boolean + required: + - host + - id + - ipAddress + type: object + type: array type: object observedGeneration: - description: observedGeneration is the most recently observed generation - of the DNSPolicy. When the DNSPolicy is updated, the controller - updates the corresponding configuration. If an update fails, that - failure is recorded in the status condition + description: |- + observedGeneration is the most recently observed generation of the + DNSPolicy. When the DNSPolicy is updated, the controller updates the + corresponding configuration. If an update fails, that failure is + recorded in the status condition format: int64 type: integer + recordConditions: + additionalProperties: + items: + description: Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + type: object + totalRecords: + description: TotalRecords records the total number of individual DNSRecords + managed by this DNSPolicy + format: int32 + type: integer type: object type: object served: true storage: true subresources: status: {} +status: + acceptedNames: + kind: DNSPolicy + listKind: DNSPolicyList + plural: dnspolicies + singular: dnspolicy + conditions: + - lastTransitionTime: "2024-11-11T15:02:31Z" + message: no conflicts found + reason: NoConflicts + status: "True" + type: NamesAccepted + - lastTransitionTime: "2024-11-11T15:02:31Z" + message: the initial names have been accepted + reason: InitialNamesAccepted + status: "True" + type: Established + storedVersions: + - v1 diff --git a/config/kuadrant/crd/kuadrant.io_ratelimitpolicies.yaml b/config/kuadrant/crd/kuadrant.io_ratelimitpolicies.yaml index 48e7bf4..4b9b3f2 100644 --- a/config/kuadrant/crd/kuadrant.io_ratelimitpolicies.yaml +++ b/config/kuadrant/crd/kuadrant.io_ratelimitpolicies.yaml @@ -2,10 +2,17 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.16.5 + operatorframework.io/installed-alongside-9c917e148c39eb2c: kuadrant-system/kuadrant-operator.v1.0.0-rc4 + labels: + app: kuadrant + gateway.networking.k8s.io/policy: inherited + olm.managed: "true" + operators.coreos.com/kuadrant-operator.kuadrant-system: "" name: ratelimitpolicies.kuadrant.io spec: + conversion: + strategy: None group: kuadrant.io names: kind: RateLimitPolicy @@ -14,213 +21,433 @@ spec: singular: ratelimitpolicy scope: Namespaced versions: - - name: v1beta2 + - additionalPrinterColumns: + - description: RateLimitPolicy Accepted + jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + priority: 2 + type: string + - description: RateLimitPolicy Enforced + jsonPath: .status.conditions[?(@.type=="Enforced")].status + name: Enforced + priority: 2 + type: string + - description: Kind of the object to which the policy aaplies + jsonPath: .spec.targetRef.kind + name: TargetKind + priority: 2 + type: string + - description: Name of the object to which the policy applies + jsonPath: .spec.targetRef.name + name: TargetName + priority: 2 + type: string + - description: 'Name of the section within the object to which the policy applies ' + jsonPath: .spec.targetRef.sectionName + name: TargetSection + priority: 2 + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 schema: openAPIV3Schema: - description: RateLimitPolicy is the Schema for the ratelimitpolicies API + description: RateLimitPolicy enables rate limiting for service workloads in + a Gateway API network properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: RateLimitPolicySpec defines the desired state of RateLimitPolicy properties: + defaults: + description: |- + Rules to apply as defaults. Can be overridden by more specific policiy rules lower in the hierarchy and by less specific policy overrides. + Use one of: defaults, overrides, or bare set of policy rules (implicit defaults). + properties: + limits: + additionalProperties: + description: Limit represents a complete rate limit configuration + properties: + counters: + description: Counters defines additional rate limit counters + based on CEL expressions which can reference well known + selectors + items: + properties: + expression: + description: |- + Expression defines one CEL expression + Expression can use well known attributes + Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes + Well-known selectors: https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors + They are named by a dot-separated path (e.g. request.path) + Example: "request.path" -> The path portion of the URL + minLength: 1 + type: string + required: + - expression + type: object + type: array + rates: + description: Rates holds the list of limit rates + items: + description: Rate defines the actual rate limit that will + be used when there is a match + properties: + limit: + description: Limit defines the max value allowed for + a given period of time + type: integer + window: + description: Window defines the time period for which + the Limit specified above applies. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - limit + - window + type: object + type: array + when: + description: |- + When holds a list of "limit-level" `Predicate`s + Called also "soft" conditions as route selectors must also match + items: + description: Predicate defines one CEL expression that + must be evaluated to bool + properties: + predicate: + minLength: 1 + type: string + required: + - predicate + type: object + type: array + type: object + description: Limits holds the struct of limits indexed by a unique + name + type: object + strategy: + default: atomic + description: Strategy defines the merge strategy to apply when + merging this policy with other policies. + enum: + - atomic + - merge + type: string + when: + description: |- + Overall conditions for the policy to be enforced. + If omitted, the policy will be enforced at all requests to the protected routes. + If present, all conditions must match for the policy to be enforced. + items: + description: Predicate defines one CEL expression that must + be evaluated to bool + properties: + predicate: + minLength: 1 + type: string + required: + - predicate + type: object + type: array + type: object limits: additionalProperties: description: Limit represents a complete rate limit configuration properties: counters: - description: Counters defines additional rate limit counters based on context qualifiers and well known selectors TODO Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors + description: Counters defines additional rate limit counters + based on CEL expressions which can reference well known selectors items: - description: 'ContextSelector defines one item from the well known attributes Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes Well-known selectors: https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors They are named by a dot-separated path (e.g. request.path) Example: "request.path" -> The path portion of the URL' - maxLength: 253 - minLength: 1 - type: string + properties: + expression: + description: |- + Expression defines one CEL expression + Expression can use well known attributes + Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes + Well-known selectors: https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors + They are named by a dot-separated path (e.g. request.path) + Example: "request.path" -> The path portion of the URL + minLength: 1 + type: string + required: + - expression + type: object type: array rates: description: Rates holds the list of limit rates items: - description: Rate defines the actual rate limit that will be used when there is a match + description: Rate defines the actual rate limit that will + be used when there is a match properties: - duration: - description: Duration defines the time period for which the Limit specified above applies. - type: integer limit: - description: Limit defines the max value allowed for a given period of time + description: Limit defines the max value allowed for a + given period of time type: integer - unit: - description: 'Duration defines the time uni Possible values are: "second", "minute", "hour", "day"' - enum: - - second - - minute - - hour - - day + window: + description: Window defines the time period for which + the Limit specified above applies. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - - duration - limit - - unit - type: object - type: array - routeSelectors: - description: RouteSelectors defines semantics for matching an HTTP request based on conditions - items: - description: RouteSelector defines semantics for matching an HTTP request based on conditions https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteSpec - properties: - hostnames: - description: Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteSpec - items: - description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." - type: string - type: array - matches: - description: Matches define conditions used for matching the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteSpec - items: - description: "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: \n path: value: \"/foo\" headers: - name: \"version\" value \"v1\" \n ```" - properties: - headers: - description: Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route. - items: - description: HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers. - properties: - name: - description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\"." - type: string - type: - description: "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." - type: string - value: - description: Value is the value of HTTP Header to be matched. - type: string - required: - - name - - value - type: object - type: array - method: - description: "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended" - type: string - path: - description: Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. - properties: - type: - description: "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Implementation-specific (RegularExpression)" - type: string - value: - description: Value of the HTTP path to match against. - type: string - type: object - queryParams: - description: "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route. \n Support: Extended" - items: - description: HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. - properties: - name: - description: "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). \n If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. \n If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should match against the first value of the param if the data plane supports it, as this behavior is expected in other load balancing contexts outside of the Gateway API. \n Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations." - type: string - type: - description: "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." - type: string - value: - description: Value is the value of HTTP query param to be matched. - type: string - required: - - name - - value - type: object - type: array - type: object - type: array + - window type: object type: array when: - description: When holds the list of conditions for the policy to be enforced. Called also "soft" conditions as route selectors must also match + description: |- + When holds a list of "limit-level" `Predicate`s + Called also "soft" conditions as route selectors must also match items: - description: RouteSelector defines semantics for matching an HTTP request based on conditions https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteSpec + description: Predicate defines one CEL expression that must + be evaluated to bool properties: - operator: - description: 'The binary operator to be applied to the content fetched from the selector Possible values are: "eq" (equal to), "neq" (not equal to)' - enum: - - eq - - neq - - startswith - - endswith - - incl - - excl - - matches - type: string - selector: - description: Selector defines one item from the well known selectors TODO Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors - maxLength: 253 + predicate: minLength: 1 type: string - value: - description: The value of reference for the comparison. - type: string required: - - operator - - selector - - value + - predicate type: object type: array type: object - description: Limits holds the struct of limits indexed by a unique name + description: Limits holds the struct of limits indexed by a unique + name + type: object + overrides: + description: |- + Rules to apply as overrides. Override all policy rules lower in the hierarchy. Can be overridden by less specific policy overrides. + Use one of: defaults, overrides, or bare set of policy rules (implicit defaults). + properties: + limits: + additionalProperties: + description: Limit represents a complete rate limit configuration + properties: + counters: + description: Counters defines additional rate limit counters + based on CEL expressions which can reference well known + selectors + items: + properties: + expression: + description: |- + Expression defines one CEL expression + Expression can use well known attributes + Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes + Well-known selectors: https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors + They are named by a dot-separated path (e.g. request.path) + Example: "request.path" -> The path portion of the URL + minLength: 1 + type: string + required: + - expression + type: object + type: array + rates: + description: Rates holds the list of limit rates + items: + description: Rate defines the actual rate limit that will + be used when there is a match + properties: + limit: + description: Limit defines the max value allowed for + a given period of time + type: integer + window: + description: Window defines the time period for which + the Limit specified above applies. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + required: + - limit + - window + type: object + type: array + when: + description: |- + When holds a list of "limit-level" `Predicate`s + Called also "soft" conditions as route selectors must also match + items: + description: Predicate defines one CEL expression that + must be evaluated to bool + properties: + predicate: + minLength: 1 + type: string + required: + - predicate + type: object + type: array + type: object + description: Limits holds the struct of limits indexed by a unique + name + type: object + strategy: + default: atomic + description: Strategy defines the merge strategy to apply when + merging this policy with other policies. + enum: + - atomic + - merge + type: string + when: + description: |- + Overall conditions for the policy to be enforced. + If omitted, the policy will be enforced at all requests to the protected routes. + If present, all conditions must match for the policy to be enforced. + items: + description: Predicate defines one CEL expression that must + be evaluated to bool + properties: + predicate: + minLength: 1 + type: string + required: + - predicate + type: object + type: array type: object targetRef: - description: TargetRef identifies an API object to apply policy to. + description: Reference to the object to which this policy applies. properties: group: description: Group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 type: string - namespace: - description: Namespace is the namespace of the referent. When unspecified, the local namespace is inferred. Even when policy targets a resource in a different namespace, it MUST only apply to traffic originating from the same namespace as the policy. + sectionName: + description: |- + SectionName is the name of a section within the target resource. When + unspecified, this targetRef targets the entire resource. In the following + resources, SectionName is interpreted as the following: + + * Gateway: Listener name + * HTTPRoute: HTTPRouteRule name + * Service: Port name + + If a SectionName is specified, but does not exist on the targeted object, + the Policy must fail to attach, and the policy implementation should record + a `ResolvedRefs` or similar Condition in the Policy's status. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string required: - group - kind - name type: object + x-kubernetes-validations: + - message: Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io' + rule: self.group == 'gateway.networking.k8s.io' + - message: Invalid targetRef.kind. The only supported values are 'HTTPRoute' + and 'Gateway' + rule: self.kind == 'HTTPRoute' || self.kind == 'Gateway' + when: + description: |- + Overall conditions for the policy to be enforced. + If omitted, the policy will be enforced at all requests to the protected routes. + If present, all conditions must match for the policy to be enforced. + items: + description: Predicate defines one CEL expression that must be evaluated + to bool + properties: + predicate: + minLength: 1 + type: string + required: + - predicate + type: object + type: array required: - targetRef type: object + x-kubernetes-validations: + - message: Implicit and explicit defaults are mutually exclusive + rule: '!(has(self.defaults) && has(self.limits))' + - message: Overrides and explicit defaults are mutually exclusive + rule: '!(has(self.defaults) && has(self.overrides))' + - message: Overrides and implicit defaults are mutually exclusive + rule: '!(has(self.overrides) && has(self.limits))' status: - description: RateLimitPolicyStatus defines the observed state of RateLimitPolicy properties: conditions: - description: 'Represents the observations of a foo''s current state. Known .status.conditions.type are: "Available"' + description: |- + Represents the observations of a foo's current state. + Known .status.conditions.type are: "Available" items: - description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 + minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - lastTransitionTime @@ -234,7 +461,8 @@ spec: - type x-kubernetes-list-type: map observedGeneration: - description: ObservedGeneration reflects the generation of the most recently observed spec. + description: ObservedGeneration reflects the generation of the most + recently observed spec. format: int64 type: integer type: object @@ -243,3 +471,22 @@ spec: storage: true subresources: status: {} +status: + acceptedNames: + kind: RateLimitPolicy + listKind: RateLimitPolicyList + plural: ratelimitpolicies + singular: ratelimitpolicy + conditions: + - lastTransitionTime: "2024-11-11T15:02:31Z" + message: no conflicts found + reason: NoConflicts + status: "True" + type: NamesAccepted + - lastTransitionTime: "2024-11-11T15:02:31Z" + message: the initial names have been accepted + reason: InitialNamesAccepted + status: "True" + type: Established + storedVersions: + - v1 \ No newline at end of file diff --git a/config/kuadrant/crd/kuadrant.io_tlspolicies.yaml b/config/kuadrant/crd/kuadrant.io_tlspolicies.yaml index 05d8830..41a6635 100644 --- a/config/kuadrant/crd/kuadrant.io_tlspolicies.yaml +++ b/config/kuadrant/crd/kuadrant.io_tlspolicies.yaml @@ -2,11 +2,17 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.16.5 + operatorframework.io/installed-alongside-9c917e148c39eb2c: kuadrant-system/kuadrant-operator.v1.0.0-rc4 + labels: + app: kuadrant gateway.networking.k8s.io/policy: direct - creationTimestamp: null + olm.managed: "true" + operators.coreos.com/kuadrant-operator.kuadrant-system: "" name: tlspolicies.kuadrant.io spec: + conversion: + strategy: None group: kuadrant.io names: kind: TLSPolicy @@ -16,20 +22,48 @@ spec: scope: Namespaced versions: - additionalPrinterColumns: - - description: TLSPolicy ready. - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready + - description: TLSPolicy Accepted + jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + priority: 2 type: string - name: v1alpha1 + - description: TLSPolicy Enforced + jsonPath: .status.conditions[?(@.type=="Enforced")].status + name: Enforced + priority: 2 + type: string + - description: Type of the referenced Gateway API resource + jsonPath: .spec.targetRef.kind + name: TargetRefKind + priority: 2 + type: string + - description: Name of the referenced Gateway API resource + jsonPath: .spec.targetRef.name + name: TargetRefName + priority: 2 + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 schema: openAPIV3Schema: description: TLSPolicy is the Schema for the tlspolicies API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -37,13 +71,30 @@ spec: description: TLSPolicySpec defines the desired state of TLSPolicy properties: commonName: - description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' + description: |- + CommonName is a common name to be used on the Certificate. + The CommonName should have a length of 64 characters or fewer to avoid + generating invalid CSRs. + This value is ignored by TLS clients when any subject alt name is set. + This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4 type: string duration: - description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + description: |- + The requested 'duration' (i.e. lifetime) of the Certificate. This option + may be ignored/overridden by some issuer types. If unset this defaults to + 90 days. Certificate will be renewed either 2/3 through its duration or + `renewBefore` period before its expiry, whichever is later. Minimum + accepted duration is 1 hour. Value must be in units accepted by Go + time.ParseDuration https://golang.org/pkg/time/#ParseDuration type: string issuerRef: - description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. + description: |- + IssuerRef is a reference to the issuer for this certificate. + If the `kind` field is not set, or set to `Issuer`, an Issuer resource + with the given name in the same namespace as the Certificate will be used. + If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the + provided name will be used. + The `name` field in this stanza is required at all times. properties: group: description: Group of the resource being referred to. @@ -61,34 +112,81 @@ spec: description: Options to control private keys used for the Certificate. properties: algorithm: - description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified and `size` is not provided, key size of 256 will be used for `ECDSA` key algorithm and key size of 2048 will be used for `RSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm. + description: |- + Algorithm is the private key algorithm of the corresponding private key + for this certificate. + + If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`. + If `algorithm` is specified and `size` is not provided, + key size of 2048 will be used for `RSA` key algorithm and + key size of 256 will be used for `ECDSA` key algorithm. + key size is ignored when using the `Ed25519` key algorithm. enum: - RSA - ECDSA - Ed25519 type: string encoding: - description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified. + description: |- + The private key cryptography standards (PKCS) encoding for this + certificate's private key to be encoded in. + + If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 + and PKCS#8, respectively. + Defaults to `PKCS1` if not specified. enum: - PKCS1 - PKCS8 type: string rotationPolicy: - description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility. + description: |- + RotationPolicy controls how private keys should be regenerated when a + re-issuance is being processed. + + If set to `Never`, a private key will only be generated if one does not + already exist in the target `spec.secretName`. If one does exist but it + does not have the correct algorithm or size, a warning will be raised + to await user intervention. + If set to `Always`, a private key matching the specified requirements + will be generated whenever a re-issuance occurs. + Default is `Never` for backward compatibility. + enum: + - Never + - Always type: string size: - description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed. + description: |- + Size is the key bit size of the corresponding private key for this certificate. + + If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, + and will default to `2048` if not specified. + If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, + and will default to `256` if not specified. + If `algorithm` is set to `Ed25519`, Size is ignored. + No other values are allowed. type: integer type: object renewBefore: - description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + description: |- + How long before the currently issued certificate's expiry + cert-manager should renew the certificate. The default is 2/3 of the + issued certificate's duration. Minimum accepted value is 5 minutes. + Value must be in units accepted by Go time.ParseDuration + https://golang.org/pkg/time/#ParseDuration type: string revisionHistoryLimit: - description: RevisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`. + description: |- + RevisionHistoryLimit is the maximum number of CertificateRequest revisions + that are maintained in the Certificate's history. Each revision represents + a single `CertificateRequest` created by this Certificate, either when it + was created, renewed, or Spec was changed. Revisions will be removed by + oldest first if the number of revisions exceeds this number. If set, + revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), + revisions will not be garbage collected. Default value is `nil`. format: int32 type: integer targetRef: - description: PolicyTargetReference identifies an API object to apply policy to. This should be used as part of Policy resources that can target Gateway API resources. For more information on how this policy attachment model works, and a sample Policy resource, refer to the policy attachment documentation for Gateway API. + description: TargetRef identifies an API object to apply policy to. properties: group: description: Group is the group of the target resource. @@ -106,21 +204,68 @@ spec: maxLength: 253 minLength: 1 type: string - namespace: - description: Namespace is the namespace of the referent. When unspecified, the local namespace is inferred. Even when policy targets a resource in a different namespace, it MUST only apply to traffic originating from the same namespace as the policy. - maxLength: 63 + sectionName: + description: |- + SectionName is the name of a section within the target resource. When + unspecified, this targetRef targets the entire resource. In the following + resources, SectionName is interpreted as the following: + + * Gateway: Listener name + * HTTPRoute: HTTPRouteRule name + * Service: Port name + + If a SectionName is specified, but does not exist on the targeted object, + the Policy must fail to attach, and the policy implementation should record + a `ResolvedRefs` or similar Condition in the Policy's status. + maxLength: 253 minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string required: - group - kind - name type: object + x-kubernetes-validations: + - message: Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io' + rule: self.group == 'gateway.networking.k8s.io' + - message: Invalid targetRef.kind. The only supported values are 'Gateway' + rule: self.kind == 'Gateway' usages: - description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified. + description: |- + Usages is the set of x509 usages that are requested for the certificate. + Defaults to `digital signature` and `key encipherment` if not specified. items: - description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"' + description: |- + KeyUsage specifies valid usage contexts for keys. + See: + https://tools.ietf.org/html/rfc5280#section-4.2.1.3 + https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + + Valid KeyUsage values are as follows: + "signing", + "digital signature", + "content commitment", + "key encipherment", + "key agreement", + "data encipherment", + "cert sign", + "crl sign", + "encipher only", + "decipher only", + "any", + "server auth", + "client auth", + "code signing", + "email protection", + "s/mime", + "ipsec end system", + "ipsec tunnel", + "ipsec user", + "timestamping", + "ocsp signing", + "microsoft sgc", + "netscape sgc" enum: - signing - digital signature @@ -155,25 +300,42 @@ spec: description: TLSPolicyStatus defines the observed state of TLSPolicy properties: conditions: - description: "conditions are any conditions associated with the policy \n If configuring the policy fails, the \"Failed\" condition will be set with a reason and message describing the cause of the failure." + description: |- + conditions are any conditions associated with the policy + + If configuring the policy fails, the "Failed" condition will be set with a + reason and message describing the cause of the failure. items: - description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ @@ -186,7 +348,7 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -199,7 +361,11 @@ spec: type: object type: array observedGeneration: - description: observedGeneration is the most recently observed generation of the TLSPolicy. When the TLSPolicy is updated, the controller updates the corresponding configuration. If an update fails, that failure is recorded in the status condition + description: |- + observedGeneration is the most recently observed generation of the + TLSPolicy. When the TLSPolicy is updated, the controller updates the + corresponding configuration. If an update fails, that failure is + recorded in the status condition format: int64 type: integer type: object @@ -210,7 +376,20 @@ spec: status: {} status: acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null + kind: TLSPolicy + listKind: TLSPolicyList + plural: tlspolicies + singular: tlspolicy + conditions: + - lastTransitionTime: "2024-11-11T15:02:31Z" + message: no conflicts found + reason: NoConflicts + status: "True" + type: NamesAccepted + - lastTransitionTime: "2024-11-11T15:02:31Z" + message: the initial names have been accepted + reason: InitialNamesAccepted + status: "True" + type: Established + storedVersions: + - v1 \ No newline at end of file diff --git a/config/kuadrant/custom-resource-state-kuadrant.yaml b/config/kuadrant/custom-resource-state-kuadrant.yaml index ecb4d68..815b8fa 100644 --- a/config/kuadrant/custom-resource-state-kuadrant.yaml +++ b/config/kuadrant/custom-resource-state-kuadrant.yaml @@ -1,7 +1,7 @@ - groupVersionKind: group: kuadrant.io kind: "TLSPolicy" - version: "v1alpha1" + version: "v1" metricNamePrefix: gatewayapi_tlspolicy labelsFromPath: name: @@ -54,7 +54,7 @@ - groupVersionKind: group: kuadrant.io kind: "DNSPolicy" - version: "v1alpha1" + version: "v1" metricNamePrefix: gatewayapi_dnspolicy labelsFromPath: name: @@ -107,7 +107,7 @@ - groupVersionKind: group: kuadrant.io kind: "RateLimitPolicy" - version: "v1beta2" + version: "v1" metricNamePrefix: gatewayapi_ratelimitpolicy labelsFromPath: name: @@ -160,7 +160,7 @@ - groupVersionKind: group: kuadrant.io kind: "AuthPolicy" - version: "v1beta2" + version: "v1" metricNamePrefix: gatewayapi_authpolicy labelsFromPath: name: diff --git a/config/kuadrant/custom-resource-state.yaml b/config/kuadrant/custom-resource-state.yaml index 2e4013e..0b753f3 100644 --- a/config/kuadrant/custom-resource-state.yaml +++ b/config/kuadrant/custom-resource-state.yaml @@ -506,7 +506,7 @@ spec: - groupVersionKind: group: kuadrant.io kind: "TLSPolicy" - version: "v1alpha1" + version: "v1" metricNamePrefix: gatewayapi_tlspolicy labelsFromPath: name: @@ -559,7 +559,7 @@ spec: - groupVersionKind: group: kuadrant.io kind: "DNSPolicy" - version: "v1alpha1" + version: "v1" metricNamePrefix: gatewayapi_dnspolicy labelsFromPath: name: @@ -612,7 +612,7 @@ spec: - groupVersionKind: group: kuadrant.io kind: "RateLimitPolicy" - version: "v1beta2" + version: "v1" metricNamePrefix: gatewayapi_ratelimitpolicy labelsFromPath: name: @@ -665,7 +665,7 @@ spec: - groupVersionKind: group: kuadrant.io kind: "AuthPolicy" - version: "v1beta2" + version: "v1" metricNamePrefix: gatewayapi_authpolicy labelsFromPath: name: diff --git a/config/kuadrant/kuadrant.yaml b/config/kuadrant/kuadrant.yaml index 509408e..200930c 100644 --- a/config/kuadrant/kuadrant.yaml +++ b/config/kuadrant/kuadrant.yaml @@ -1,4 +1,4 @@ -apiVersion: kuadrant.io/v1alpha1 +apiVersion: kuadrant.io/v1 kind: TLSPolicy metadata: name: external @@ -20,7 +20,7 @@ status: status: "True" type: Ready --- -apiVersion: kuadrant.io/v1alpha1 +apiVersion: kuadrant.io/v1 kind: TLSPolicy metadata: name: internal @@ -42,12 +42,18 @@ status: status: "True" type: Ready --- -apiVersion: kuadrant.io/v1alpha1 +apiVersion: kuadrant.io/v1 kind: DNSPolicy metadata: name: external namespace: istio-system spec: + loadBalancing: + defaultGeo: true + geo: US + weight: 120 + providerRefs: + - name: aws-credentials targetRef: group: gateway.networking.k8s.io kind: Gateway @@ -61,7 +67,7 @@ status: type: Ready observedGeneration: 1 --- -apiVersion: kuadrant.io/v1beta2 +apiVersion: kuadrant.io/v1 kind: RateLimitPolicy metadata: name: rlp-www @@ -71,11 +77,18 @@ spec: kind: HTTPRoute name: www limits: - "global": + alice-limit: rates: - - limit: 5 - duration: 10 - unit: second + - limit: 5 + window: 10s + when: + - predicate: auth.identity.userid == 'alice' + bob-limit: + rates: + - limit: 2 + window: 10s + when: + - predicate: auth.identity.userid == 'bob' status: conditions: - lastTransitionTime: "2023-08-21T22:53:08Z" @@ -84,7 +97,7 @@ status: status: "True" type: Available --- -apiVersion: kuadrant.io/v1beta2 +apiVersion: kuadrant.io/v1 kind: RateLimitPolicy metadata: name: rlp-cdn @@ -94,11 +107,18 @@ spec: kind: HTTPRoute name: cdn limits: - "global": + alice-limit: + rates: + - limit: 5 + window: 10s + when: + - predicate: auth.identity.userid == 'alice' + bob-limit: rates: - - limit: 5 - duration: 10 - unit: second + - limit: 2 + window: 10s + when: + - predicate: auth.identity.userid == 'bob' status: conditions: - lastTransitionTime: "2023-08-21T22:53:08Z" @@ -107,7 +127,7 @@ status: status: "True" type: Available --- -apiVersion: kuadrant.io/v1beta2 +apiVersion: kuadrant.io/v1 kind: AuthPolicy metadata: name: dashboards-protection @@ -118,29 +138,27 @@ spec: name: dashboards rules: authentication: - "keycloak-users": - jwt: - issuerUrl: http://keycloak.example.com - "k8s-service-accounts": - kubernetesTokenReview: - audiences: - - https://kubernetes.example.com - overrides: - "sub": - selector: auth.identity.user.username - authorization: - "k8s-rbac": - kubernetesSubjectAccessReview: - user: - selector: auth.identity.sub + api-key-users: + apiKey: + allNamespaces: true + selector: + matchLabels: + app: toystore + credentials: + authorizationHeader: + prefix: APIKEY + metrics: false + priority: 0 response: success: - dynamicMetadata: - "identity": + filters: + identity: json: properties: - "userid": - selector: auth.identity.sub + userid: + selector: auth.identity.metadata.annotations.secret\.kuadrant\.io/user-id + metrics: false + priority: 0 status: conditions: - lastTransitionTime: "2023-08-21T22:53:08Z" @@ -149,7 +167,7 @@ status: status: "True" type: Available --- -apiVersion: kuadrant.io/v1beta2 +apiVersion: kuadrant.io/v1 kind: AuthPolicy metadata: name: accounts @@ -160,23 +178,27 @@ spec: name: accounts rules: authentication: - "api-key-users": + api-key-users: apiKey: + allNamespaces: true selector: matchLabels: - app: accounts - allNamespaces: true + app: toystore credentials: authorizationHeader: prefix: APIKEY + metrics: false + priority: 0 response: success: - dynamicMetadata: - "identity": + filters: + identity: json: properties: - "userid": + userid: selector: auth.identity.metadata.annotations.secret\.kuadrant\.io/user-id + metrics: false + priority: 0 status: conditions: - lastTransitionTime: "2023-08-21T22:53:08Z" diff --git a/tests/e2e/main_test.go b/tests/e2e/main_test.go index 461b37c..8b3214f 100644 --- a/tests/e2e/main_test.go +++ b/tests/e2e/main_test.go @@ -547,7 +547,7 @@ func testRateLimitPolicy(t *testing.T, metrics map[string][][]string) { ratelimitpolicy1CreatedLabels := parseLabels(string(ratelimitpolicy1Created[2])) expectEqual(t, ratelimitpolicy1CreatedLabels["customresource_group"], "kuadrant.io", "gatewayapi_ratelimitpolicy_created__1 customresource_group") expectEqual(t, ratelimitpolicy1CreatedLabels["customresource_kind"], "RateLimitPolicy", "gatewayapi_ratelimitpolicy_created__1 customresource_kind") - expectEqual(t, ratelimitpolicy1CreatedLabels["customresource_version"], "v1beta2", "gatewayapi_ratelimitpolicy_created__1 customresource_version") + expectEqual(t, ratelimitpolicy1CreatedLabels["customresource_version"], "v1", "gatewayapi_ratelimitpolicy_created__1 customresource_version") expectEqual(t, ratelimitpolicy1CreatedLabels["name"], "testratelimitpolicy1", "gatewayapi_ratelimitpolicy_created__1 name") expectEqual(t, ratelimitpolicy1CreatedLabels["namespace"], "default", "gatewayapi_ratelimitpolicy_created__1 namespace") @@ -558,7 +558,7 @@ func testRateLimitPolicy(t *testing.T, metrics map[string][][]string) { ratelimitpolicy1ParentInfo1Labels := parseLabels(string(ratelimitpolicy1ParentInfo1[2])) expectEqual(t, ratelimitpolicy1ParentInfo1Labels["customresource_group"], "kuadrant.io", "gatewayapi_ratelimitpolicy_target_info__1 customresource_group") expectEqual(t, ratelimitpolicy1ParentInfo1Labels["customresource_kind"], "RateLimitPolicy", "gatewayapi_ratelimitpolicy_target_info__1 customresource_kind") - expectEqual(t, ratelimitpolicy1ParentInfo1Labels["customresource_version"], "v1beta2", "gatewayapi_ratelimitpolicy_target_info__1 customresource_version") + expectEqual(t, ratelimitpolicy1ParentInfo1Labels["customresource_version"], "v1", "gatewayapi_ratelimitpolicy_target_info__1 customresource_version") expectEqual(t, ratelimitpolicy1ParentInfo1Labels["name"], "testratelimitpolicy1", "gatewayapi_ratelimitpolicy_target_info__1 name") expectEqual(t, ratelimitpolicy1ParentInfo1Labels["namespace"], "default", "gatewayapi_ratelimitpolicy_target_info__1 namespace") expectEqual(t, ratelimitpolicy1ParentInfo1Labels["target_group"], "gateway.networking.k8s.io", "gatewayapi_ratelimitpolicy_target_info__1 target_group") @@ -572,7 +572,7 @@ func testRateLimitPolicy(t *testing.T, metrics map[string][][]string) { ratelimitpolicy1Status1Labels := parseLabels(string(ratelimitpolicy1Status1[2])) expectEqual(t, ratelimitpolicy1Status1Labels["customresource_group"], "kuadrant.io", "gatewayapi_ratelimitpolicy_status__1 customresource_group") expectEqual(t, ratelimitpolicy1Status1Labels["customresource_kind"], "RateLimitPolicy", "gatewayapi_ratelimitpolicy_status__1 customresource_kind") - expectEqual(t, ratelimitpolicy1Status1Labels["customresource_version"], "v1beta2", "gatewayapi_ratelimitpolicy_status__1 customresource_version") + expectEqual(t, ratelimitpolicy1Status1Labels["customresource_version"], "v1", "gatewayapi_ratelimitpolicy_status__1 customresource_version") expectEqual(t, ratelimitpolicy1Status1Labels["name"], "testratelimitpolicy1", "gatewayapi_ratelimitpolicy_status__1 name") expectEqual(t, ratelimitpolicy1Status1Labels["namespace"], "default", "gatewayapi_ratelimitpolicy_status__1 namespace") expectEqual(t, ratelimitpolicy1Status1Labels["type"], "Available", "gatewayapi_ratelimitpolicy_status__1 type") @@ -586,7 +586,7 @@ func testTLSPolicy(t *testing.T, metrics map[string][][]string) { tlspolicy1CreatedLabels := parseLabels(string(tlspolicy1Created[2])) expectEqual(t, tlspolicy1CreatedLabels["customresource_group"], "kuadrant.io", "gatewayapi_tlspolicy_created__1 customresource_group") expectEqual(t, tlspolicy1CreatedLabels["customresource_kind"], "TLSPolicy", "gatewayapi_tlspolicy_created__1 customresource_kind") - expectEqual(t, tlspolicy1CreatedLabels["customresource_version"], "v1alpha1", "gatewayapi_tlspolicy_created__1 customresource_version") + expectEqual(t, tlspolicy1CreatedLabels["customresource_version"], "v1", "gatewayapi_tlspolicy_created__1 customresource_version") expectEqual(t, tlspolicy1CreatedLabels["name"], "testtlspolicy1", "gatewayapi_tlspolicy_created__1 name") expectEqual(t, tlspolicy1CreatedLabels["namespace"], "default", "gatewayapi_tlspolicy_created__1 namespace") @@ -597,7 +597,7 @@ func testTLSPolicy(t *testing.T, metrics map[string][][]string) { tlspolicy1ParentInfo1Labels := parseLabels(string(tlspolicy1ParentInfo1[2])) expectEqual(t, tlspolicy1ParentInfo1Labels["customresource_group"], "kuadrant.io", "gatewayapi_tlspolicy_target_info__1 customresource_group") expectEqual(t, tlspolicy1ParentInfo1Labels["customresource_kind"], "TLSPolicy", "gatewayapi_tlspolicy_target_info__1 customresource_kind") - expectEqual(t, tlspolicy1ParentInfo1Labels["customresource_version"], "v1alpha1", "gatewayapi_tlspolicy_target_info__1 customresource_version") + expectEqual(t, tlspolicy1ParentInfo1Labels["customresource_version"], "v1", "gatewayapi_tlspolicy_target_info__1 customresource_version") expectEqual(t, tlspolicy1ParentInfo1Labels["name"], "testtlspolicy1", "gatewayapi_tlspolicy_target_info__1 name") expectEqual(t, tlspolicy1ParentInfo1Labels["namespace"], "default", "gatewayapi_tlspolicy_target_info__1 namespace") expectEqual(t, tlspolicy1ParentInfo1Labels["target_group"], "gateway.networking.k8s.io", "gatewayapi_tlspolicy_target_info__1 target_group") @@ -611,7 +611,7 @@ func testTLSPolicy(t *testing.T, metrics map[string][][]string) { tlspolicy1Status1Labels := parseLabels(string(tlspolicy1Status1[2])) expectEqual(t, tlspolicy1Status1Labels["customresource_group"], "kuadrant.io", "gatewayapi_tlspolicy_status__1 customresource_group") expectEqual(t, tlspolicy1Status1Labels["customresource_kind"], "TLSPolicy", "gatewayapi_tlspolicy_status__1 customresource_kind") - expectEqual(t, tlspolicy1Status1Labels["customresource_version"], "v1alpha1", "gatewayapi_tlspolicy_status__1 customresource_version") + expectEqual(t, tlspolicy1Status1Labels["customresource_version"], "v1", "gatewayapi_tlspolicy_status__1 customresource_version") expectEqual(t, tlspolicy1Status1Labels["name"], "testtlspolicy1", "gatewayapi_tlspolicy_status__1 name") expectEqual(t, tlspolicy1Status1Labels["namespace"], "default", "gatewayapi_tlspolicy_status__1 namespace") expectEqual(t, tlspolicy1Status1Labels["type"], "Ready", "gatewayapi_tlspolicy_status__1 type") @@ -625,7 +625,7 @@ func testDNSPolicy(t *testing.T, metrics map[string][][]string) { dnspolicy1CreatedLabels := parseLabels(string(dnspolicy1Created[2])) expectEqual(t, dnspolicy1CreatedLabels["customresource_group"], "kuadrant.io", "gatewayapi_dnspolicy_created__1 customresource_group") expectEqual(t, dnspolicy1CreatedLabels["customresource_kind"], "DNSPolicy", "gatewayapi_dnspolicy_created__1 customresource_kind") - expectEqual(t, dnspolicy1CreatedLabels["customresource_version"], "v1alpha1", "gatewayapi_dnspolicy_created__1 customresource_version") + expectEqual(t, dnspolicy1CreatedLabels["customresource_version"], "v1", "gatewayapi_dnspolicy_created__1 customresource_version") expectEqual(t, dnspolicy1CreatedLabels["name"], "testdnspolicy1", "gatewayapi_dnspolicy_created__1 name") expectEqual(t, dnspolicy1CreatedLabels["namespace"], "default", "gatewayapi_dnspolicy_created__1 namespace") @@ -636,7 +636,7 @@ func testDNSPolicy(t *testing.T, metrics map[string][][]string) { dnspolicy1ParentInfo1Labels := parseLabels(string(dnspolicy1ParentInfo1[2])) expectEqual(t, dnspolicy1ParentInfo1Labels["customresource_group"], "kuadrant.io", "gatewayapi_dnspolicy_target_info__1 customresource_group") expectEqual(t, dnspolicy1ParentInfo1Labels["customresource_kind"], "DNSPolicy", "gatewayapi_dnspolicy_target_info__1 customresource_kind") - expectEqual(t, dnspolicy1ParentInfo1Labels["customresource_version"], "v1alpha1", "gatewayapi_dnspolicy_target_info__1 customresource_version") + expectEqual(t, dnspolicy1ParentInfo1Labels["customresource_version"], "v1", "gatewayapi_dnspolicy_target_info__1 customresource_version") expectEqual(t, dnspolicy1ParentInfo1Labels["name"], "testdnspolicy1", "gatewayapi_dnspolicy_target_info__1 name") expectEqual(t, dnspolicy1ParentInfo1Labels["namespace"], "default", "gatewayapi_dnspolicy_target_info__1 namespace") expectEqual(t, dnspolicy1ParentInfo1Labels["target_group"], "gateway.networking.k8s.io", "gatewayapi_dnspolicy_target_info__1 target_group") @@ -650,7 +650,7 @@ func testDNSPolicy(t *testing.T, metrics map[string][][]string) { dnspolicy1Status1Labels := parseLabels(string(dnspolicy1Status1[2])) expectEqual(t, dnspolicy1Status1Labels["customresource_group"], "kuadrant.io", "gatewayapi_dnspolicy_status__1 customresource_group") expectEqual(t, dnspolicy1Status1Labels["customresource_kind"], "DNSPolicy", "gatewayapi_dnspolicy_status__1 customresource_kind") - expectEqual(t, dnspolicy1Status1Labels["customresource_version"], "v1alpha1", "gatewayapi_dnspolicy_status__1 customresource_version") + expectEqual(t, dnspolicy1Status1Labels["customresource_version"], "v1", "gatewayapi_dnspolicy_status__1 customresource_version") expectEqual(t, dnspolicy1Status1Labels["name"], "testdnspolicy1", "gatewayapi_dnspolicy_status__1 name") expectEqual(t, dnspolicy1Status1Labels["namespace"], "default", "gatewayapi_dnspolicy_status__1 namespace") expectEqual(t, dnspolicy1Status1Labels["type"], "Ready", "gatewayapi_dnspolicy_status__1 type") @@ -664,7 +664,7 @@ func testAuthPolicy(t *testing.T, metrics map[string][][]string) { authpolicy1CreatedLabels := parseLabels(string(authpolicy1Created[2])) expectEqual(t, authpolicy1CreatedLabels["customresource_group"], "kuadrant.io", "gatewayapi_authpolicy_created__1 customresource_group") expectEqual(t, authpolicy1CreatedLabels["customresource_kind"], "AuthPolicy", "gatewayapi_authpolicy_created__1 customresource_kind") - expectEqual(t, authpolicy1CreatedLabels["customresource_version"], "v1beta2", "gatewayapi_authpolicy_created__1 customresource_version") + expectEqual(t, authpolicy1CreatedLabels["customresource_version"], "v1", "gatewayapi_authpolicy_created__1 customresource_version") expectEqual(t, authpolicy1CreatedLabels["name"], "testauthpolicy1", "gatewayapi_authpolicy_created__1 name") expectEqual(t, authpolicy1CreatedLabels["namespace"], "default", "gatewayapi_authpolicy_created__1 namespace") @@ -675,7 +675,7 @@ func testAuthPolicy(t *testing.T, metrics map[string][][]string) { authpolicy1ParentInfo1Labels := parseLabels(string(authpolicy1ParentInfo1[2])) expectEqual(t, authpolicy1ParentInfo1Labels["customresource_group"], "kuadrant.io", "gatewayapi_authpolicy_target_info__1 customresource_group") expectEqual(t, authpolicy1ParentInfo1Labels["customresource_kind"], "AuthPolicy", "gatewayapi_authpolicy_target_info__1 customresource_kind") - expectEqual(t, authpolicy1ParentInfo1Labels["customresource_version"], "v1beta2", "gatewayapi_authpolicy_target_info__1 customresource_version") + expectEqual(t, authpolicy1ParentInfo1Labels["customresource_version"], "v1", "gatewayapi_authpolicy_target_info__1 customresource_version") expectEqual(t, authpolicy1ParentInfo1Labels["name"], "testauthpolicy1", "gatewayapi_authpolicy_target_info__1 name") expectEqual(t, authpolicy1ParentInfo1Labels["namespace"], "default", "gatewayapi_authpolicy_target_info__1 namespace") expectEqual(t, authpolicy1ParentInfo1Labels["target_group"], "gateway.networking.k8s.io", "gatewayapi_authpolicy_target_info__1 target_group") @@ -689,7 +689,7 @@ func testAuthPolicy(t *testing.T, metrics map[string][][]string) { authpolicy1Status1Labels := parseLabels(string(authpolicy1Status1[2])) expectEqual(t, authpolicy1Status1Labels["customresource_group"], "kuadrant.io", "gatewayapi_authpolicy_status__1 customresource_group") expectEqual(t, authpolicy1Status1Labels["customresource_kind"], "AuthPolicy", "gatewayapi_authpolicy_status__1 customresource_kind") - expectEqual(t, authpolicy1Status1Labels["customresource_version"], "v1beta2", "gatewayapi_authpolicy_status__1 customresource_version") + expectEqual(t, authpolicy1Status1Labels["customresource_version"], "v1", "gatewayapi_authpolicy_status__1 customresource_version") expectEqual(t, authpolicy1Status1Labels["name"], "testauthpolicy1", "gatewayapi_authpolicy_status__1 name") expectEqual(t, authpolicy1Status1Labels["namespace"], "default", "gatewayapi_authpolicy_status__1 namespace") expectEqual(t, authpolicy1Status1Labels["type"], "Available", "gatewayapi_authpolicy_status__1 type") diff --git a/tests/manifests/testauthpolicy1.yaml b/tests/manifests/testauthpolicy1.yaml index ff5ce70..bede562 100644 --- a/tests/manifests/testauthpolicy1.yaml +++ b/tests/manifests/testauthpolicy1.yaml @@ -1,4 +1,4 @@ -apiVersion: kuadrant.io/v1beta2 +apiVersion: kuadrant.io/v1 kind: AuthPolicy metadata: name: testauthpolicy1 @@ -9,23 +9,27 @@ spec: name: testgateway1 rules: authentication: - "api-key-users": + api-key-users: apiKey: + allNamespaces: true selector: matchLabels: - app: testauthpolicy1 - allNamespaces: true + app: toystore credentials: authorizationHeader: prefix: APIKEY + metrics: false + priority: 0 response: success: - dynamicMetadata: - "identity": + filters: + identity: json: properties: - "userid": + userid: selector: auth.identity.metadata.annotations.secret\.kuadrant\.io/user-id + metrics: false + priority: 0 status: conditions: - lastTransitionTime: "2023-08-21T22:53:08Z" diff --git a/tests/manifests/testdnspolicy.yaml b/tests/manifests/testdnspolicy.yaml index 129e463..ab84af3 100644 --- a/tests/manifests/testdnspolicy.yaml +++ b/tests/manifests/testdnspolicy.yaml @@ -1,9 +1,15 @@ -apiVersion: kuadrant.io/v1alpha1 +apiVersion: kuadrant.io/v1 kind: DNSPolicy metadata: name: testdnspolicy1 namespace: default spec: + loadBalancing: + defaultGeo: true + geo: US + weight: 120 + providerRefs: + - name: aws-credentials targetRef: group: gateway.networking.k8s.io kind: Gateway diff --git a/tests/manifests/testratelimitpolicy.yaml b/tests/manifests/testratelimitpolicy.yaml index ef8a745..8b8d0a0 100644 --- a/tests/manifests/testratelimitpolicy.yaml +++ b/tests/manifests/testratelimitpolicy.yaml @@ -1,4 +1,4 @@ -apiVersion: kuadrant.io/v1beta2 +apiVersion: kuadrant.io/v1 kind: RateLimitPolicy metadata: name: testratelimitpolicy1 @@ -8,11 +8,18 @@ spec: kind: HTTPRoute name: testname1 limits: - "global": + alice-limit: rates: - - limit: 5 - duration: 10 - unit: second + - limit: 5 + window: 10s + when: + - predicate: auth.identity.userid == 'alice' + bob-limit: + rates: + - limit: 2 + window: 10s + when: + - predicate: auth.identity.userid == 'bob' status: conditions: - lastTransitionTime: "2023-08-21T22:53:08Z" diff --git a/tests/manifests/testtlspolicy.yaml b/tests/manifests/testtlspolicy.yaml index a1f9cb3..4a37b66 100644 --- a/tests/manifests/testtlspolicy.yaml +++ b/tests/manifests/testtlspolicy.yaml @@ -1,4 +1,4 @@ -apiVersion: kuadrant.io/v1alpha1 +apiVersion: kuadrant.io/v1 kind: TLSPolicy metadata: name: testtlspolicy1