diff --git a/api/v1beta2/authpolicy_types.go b/api/v1beta2/authpolicy_types.go
index 622878d29..32433559f 100644
--- a/api/v1beta2/authpolicy_types.go
+++ b/api/v1beta2/authpolicy_types.go
@@ -18,16 +18,19 @@ type AuthSchemeSpec struct {
 // Authentication configs.
 // At least one config MUST evaluate to a valid identity object for the auth request to be successful.
 // +optional
+ // +kubebuilder:validation:MaxProperties=14
 Authentication map[string]AuthenticationSpec `json:"authentication,omitempty"`
 // Metadata sources.
 // Authorino fetches auth metadata as JSON from sources specified in this config.
 // +optional
+ // +kubebuilder:validation:MaxProperties=14
 Metadata map[string]MetadataSpec `json:"metadata,omitempty"`
 // Authorization policies.
 // All policies MUST evaluate to "allowed = true" for the auth request be successful.
 // +optional
+ // +kubebuilder:validation:MaxProperties=14
 Authorization map[string]AuthorizationSpec `json:"authorization,omitempty"`
 // Response items.
@@ -38,6 +41,7 @@ type AuthSchemeSpec struct {
 // Callback functions.
 // Authorino sends callbacks at the end of the auth pipeline to the endpoints specified in this config.
 // +optional
+ // +kubebuilder:validation:MaxProperties=14
 Callbacks map[string]CallbackSpec `json:"callbacks,omitempty"`
 }
@@ -47,6 +51,7 @@ type CommonAuthRuleSpec struct {
 // At least one selected HTTPRoute rule must match to trigger the auth rule.
 // If no route selectors are specified, the auth rule will be evaluated at all requests to the protected routes.
 // +optional
+ // +kubebuilder:validation:MaxItems=15
 RouteSelectors []RouteSelector `json:"routeSelectors,omitempty"`
 }
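Review bot: Existing AuthPolicy objects that already hold more than 14 entries in `Authentication`, `Metadata` or `Authorization` would fail validation on their next update once this CRD is installed, because the new `MaxProperties=14` markers tighten a version that is already served (clusters that ratchet CRD validation may soften this). The same holds for `Callbacks`, for `Headers` and `DynamicMetadata` in `WrappedSuccessResponseSpec`, for `Limits` in `RateLimitPolicySpec`, and for the `MaxItems` markers on `RouteSelectors` and `Matches`. An auth policy that cannot be edited cannot be corrected either, so the upgrade notes should tell operators to check stored objects first. Each field comment should also state the cap so it reaches the CRD description, for example `// No more than 14 authentication configs are accepted.` above `// +optional`. The struct continues outside the hunk.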
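Review bot: The three caps in this change (15 on `RouteSelectors` here, 14 on the maps in `AuthSchemeSpec`, 8 on `Matches` in route_selectors.go) are given without any rationale, and a marker value cannot refer to a named constant, so a later editor has nothing to check a new number against. If the values derive from a validation cost budget or from an upstream Gateway API limit, which is a guess and not something the diff shows, the type's doc comment should say so. A short line next to the marker would also help, e.g. `// Limited to 15 selectors; keep in sync with AuthPolicySpec.RouteSelectors and Limit.RouteSelectors.` The same `MaxItems=15` is repeated by hand in those two other hunks.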
@@ -93,11 +98,13 @@ type ResponseSpec struct {
 type WrappedSuccessResponseSpec struct {
 // Custom success response items wrapped as HTTP headers.
 // For integration of Authorino via proxy, the proxy must use these settings to inject data in the request.
+ // +kubebuilder:validation:MaxProperties=14
 Headers map[string]HeaderSuccessResponseSpec `json:"headers,omitempty"`
 // Custom success response items wrapped as HTTP headers.
 // For integration of Authorino via proxy, the proxy must use these settings to propagate dynamic metadata.
 // See https://www.envoyproxy.io/docs/envoy/latest/configuration/advanced/well_known_dynamic_metadata
+ // +kubebuilder:validation:MaxProperties=14
 DynamicMetadata map[string]SuccessResponseSpec `json:"dynamicMetadata,omitempty"`
 }
@@ -133,6 +140,7 @@ type AuthPolicySpec struct {
 // At least one selected HTTPRoute rule must match to trigger the AuthPolicy.
 // If no route selectors are specified, the AuthPolicy will be enforced at all requests to the protected routes.
 // +optional
+ // +kubebuilder:validation:MaxItems=15
 RouteSelectors []RouteSelector `json:"routeSelectors,omitempty"`
 // Named sets of patterns that can be referred in `when` conditions and in pattern-matching authorization policy rules.
diff --git a/api/v1beta2/ratelimitpolicy_types.go b/api/v1beta2/ratelimitpolicy_types.go
index 397420d63..16b13578c 100644
--- a/api/v1beta2/ratelimitpolicy_types.go
+++ b/api/v1beta2/ratelimitpolicy_types.go
@@ -88,6 +88,7 @@ type WhenCondition struct {
 type Limit struct {
 // RouteSelectors defines semantics for matching an HTTP request based on conditions
 // +optional
+ // +kubebuilder:validation:MaxItems=15
 RouteSelectors []RouteSelector `json:"routeSelectors,omitempty"`
 // When holds the list of conditions for the policy to be enforced.
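Review bot: The comment on `DynamicMetadata` still opens with "Custom success response items wrapped as HTTP headers", which looks copied from `Headers`, and the regenerated CRD carries that sentence into the description that now sits beside the new `maxProperties: 14`. While this block is being touched, its first line could read `// Custom success response items wrapped as Envoy dynamic metadata.` Neither of the two fields has the `// +optional` marker that the other capped maps in this file carry, although both are `omitempty`; adding it would keep the markers uniform.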
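Review bot: The map documented right after `RouteSelectors` in `AuthPolicySpec` ("Named sets of patterns…") gets no `MaxProperties` in this commit, and neither does the `When` list that follows `RouteSelectors` in `Limit` (ratelimitpolicy_types.go). Both declarations fall outside their hunks, so they may already be bounded, but the regenerated CRD hunks show no new `maxProperties` or `maxItems` for either. If they are unbounded, the size of a policy stays open-ended through those fields, and they would want the same kind of marker, e.g. `// +kubebuilder:validation:MaxProperties=14` on the patterns map.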
@@ -119,6 +120,7 @@ type RateLimitPolicySpec struct {
 // Limits holds the struct of limits indexed by a unique name
 // +optional
+ // +kubebuilder:validation:MaxProperties=14
 Limits map[string]Limit `json:"limits,omitempty"`
 }
diff --git a/api/v1beta2/route_selectors.go b/api/v1beta2/route_selectors.go
index c13c1237a..880ae16be 100644
--- a/api/v1beta2/route_selectors.go
+++ b/api/v1beta2/route_selectors.go
@@ -19,6 +19,7 @@ type RouteSelector struct {
 // Matches define conditions used for matching the rule against incoming HTTP requests.
 // https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec
 // +optional
+ // +kubebuilder:validation:MaxItems=8
 Matches []gatewayapiv1.HTTPRouteMatch `json:"matches,omitempty"`
 }
diff --git a/config/crd/bases/kuadrant.io_authpolicies.yaml b/config/crd/bases/kuadrant.io_authpolicies.yaml
index 109bb1dd0..7f90f0029 100644
--- a/config/crd/bases/kuadrant.io_authpolicies.yaml
+++ b/config/crd/bases/kuadrant.io_authpolicies.yaml
@@ -321,8 +321,10 @@ spec: - name x-kubernetes-list-type: map type: object + maxItems: 8 type: array type: object + maxItems: 15 type: array rules: description: The auth rules of the policy. See Authorino's AuthConfig @@ -875,8 +877,10 @@ spec: - name x-kubernetes-list-type: map type: object + maxItems: 8 type: array type: object + maxItems: 15 type: array when: description: Conditions for Authorino to enforce this config. @@ -1001,6 +1005,7 @@ spec: description: Authentication configs. At least one config MUST evaluate to a valid identity object for the auth request to be successful. + maxProperties: 14 type: object authorization: additionalProperties: @@ -1781,8 +1786,10 @@ spec: - name x-kubernetes-list-type: map type: object + maxItems: 8 type: array type: object + maxItems: 15 type: array spicedb: description: Authorization decision delegated to external
@@ -1972,6 +1979,7 @@ spec: type: object description: Authorization policies. All policies MUST evaluate to "allowed = true" for the auth request be successful. + maxProperties: 14 type: object callbacks: additionalProperties: @@ -2499,8 +2507,10 @@ spec: - name x-kubernetes-list-type: map type: object + maxItems: 8 type: array type: object + maxItems: 15 type: array when: description: Conditions for Authorino to enforce this config. @@ -2561,6 +2571,7 @@ spec: description: Callback functions. Authorino sends callbacks at the end of the auth pipeline to the endpoints specified in this config. + maxProperties: 14 type: object metadata: additionalProperties: @@ -3088,8 +3099,10 @@ spec: - name x-kubernetes-list-type: map type: object + maxItems: 8 type: array type: object + maxItems: 15 type: array uma: description: User-Managed Access (UMA) source of resource @@ -3184,6 +3197,7 @@ spec: type: object description: Metadata sources. Authorino fetches auth metadata as JSON from sources specified in this config. + maxProperties: 14 type: object response: description: Response items. Authorino builds custom responses @@ -3612,8 +3626,10 @@ spec: - name x-kubernetes-list-type: map type: object + maxItems: 8 type: array type: object + maxItems: 15 type: array when: description: Conditions for Authorino to enforce @@ -3748,6 +3764,7 @@ spec: HTTP headers. For integration of Authorino via proxy, the proxy must use these settings to propagate dynamic metadata. See https://www.envoyproxy.io/docs/envoy/latest/configuration/advanced/well_known_dynamic_metadata + maxProperties: 14 type: object headers: additionalProperties: @@ -4165,8 +4182,10 @@ spec: - name x-kubernetes-list-type: map type: object + maxItems: 8 type: array type: object + maxItems: 15 type: array when: description: Conditions for Authorino to enforce 
@@ -4301,6 +4320,7 @@ spec: HTTP headers. For integration of Authorino via proxy, the proxy must use these settings to inject data in the request. + maxProperties: 14 type: object type: object unauthenticated: diff --git a/config/crd/bases/kuadrant.io_ratelimitpolicies.yaml b/config/crd/bases/kuadrant.io_ratelimitpolicies.yaml index f5de0c798..b1000cb17 100644 --- a/config/crd/bases/kuadrant.io_ratelimitpolicies.yaml +++ b/config/crd/bases/kuadrant.io_ratelimitpolicies.yaml @@ -345,8 +345,10 @@ spec: - name x-kubernetes-list-type: map type: object + maxItems: 8 type: array type: object + maxItems: 15 type: array when: description: When holds the list of conditions for the policy @@ -388,6 +390,7 @@ spec: type: object description: Limits holds the struct of limits indexed by a unique name + maxProperties: 14 type: object targetRef: description: TargetRef identifies an API object to apply policy to.