diff --git a/Makefile b/Makefile
index 7921769f6..4b5fe625d 100644
--- a/Makefile
+++ b/Makefile
@@ -194,7 +194,7 @@ operator-sdk: $(OPERATOR_SDK) ## Download operator-sdk locally if necessary.
 CONTROLLER_GEN = $(PROJECT_PATH)/bin/controller-gen
 $(CONTROLLER_GEN):
- $(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.13.0)
+ $(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.14.0)
 .PHONY: controller-gen
 controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary.
diff --git a/bundle/manifests/kuadrant.io_authpolicies.yaml b/bundle/manifests/kuadrant.io_authpolicies.yaml
index efbeeb59d..f67cd21cd 100644
--- a/bundle/manifests/kuadrant.io_authpolicies.yaml
+++ b/bundle/manifests/kuadrant.io_authpolicies.yaml
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 creationTimestamp: null labels: app: kuadrant 
@@ -48,14 +48,19 @@ spec: workloads in a Gateway API network properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -66,11 +71,9 @@ spec: items: properties: operator: - description: 'The binary operator to be applied to the content - fetched from the authorization JSON, for comparison with - "value". Possible values are: "eq" (equal to), "neq" (not - equal to), "incl" (includes; for arrays), "excl" (excludes; - for arrays), "matches" (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq @@ -79,16 +82,15 @@ spec: - matches type: string selector: - description: Path selector to fetch content from the authorization - JSON (e.g. 'request.method'). Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. Authorino custom JSON path modifiers are also - supported. + description: |- + Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + Authorino custom JSON path modifiers are also supported. type: string value: - description: The value of reference for the comparison with - the content fetched from the authorization JSON. If used - with the "matches" operator, the value must compile to a - valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array 
@@ -96,91 +98,106 @@ spec: conditions and in pattern-matching authorization policy rules. type: object routeSelectors: - description: Top-level route selectors. If present, the elements will - be used to select HTTPRoute rules that, when activated, trigger - the external authorization service. At least one selected HTTPRoute - rule must match to trigger the AuthPolicy. If no route selectors - are specified, the AuthPolicy will be enforced at all requests to - the protected routes. + description: |- + Top-level route selectors. + If present, the elements will be used to select HTTPRoute rules that, when activated, trigger the external authorization service. + At least one selected HTTPRoute rule must match to trigger the AuthPolicy. + If no route selectors are specified, the AuthPolicy will be enforced at all requests to the protected routes. items: - description: RouteSelector defines semantics for matching an HTTP - request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + RouteSelector defines semantics for matching an HTTP request based on conditions + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: Hostnames defines a set of hostname that should - match against the HTTP Host header to select a HTTPRoute to - process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: "Hostname is the fully qualified domain name - of a network host. This matches the RFC 1123 definition - of a hostname with 2 notable exceptions: \n 1. IPs are not - allowed. 2. 
A hostname may be prefixed with a wildcard label - (`*.`). The wildcard label must appear by itself as the - first label. \n Hostname can be \"precise\" which is a domain - name without the terminating dot of a network host (e.g. - \"foo.example.com\") or \"wildcard\", which is a domain - name prefixed with a single wildcard label (e.g. `*.example.com`). - \n Note that as per RFC1035 and RFC1123, a *label* must - consist of lower case alphanumeric characters or '-', and - must start and end with an alphanumeric character. No other - punctuation is allowed." + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: Matches define conditions used for matching the - rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + Matches define conditions used for matching the rule against incoming HTTP requests. + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate used to - match requests to a given action. 
Multiple match types are - ANDed together, i.e. the match will evaluate to true only - if all conditions are satisfied. \n For example, the match - below will match a HTTP request only if its path starts - with `/foo` AND it contains the `version: v1` header: \n - ``` match: \n path: value: \"/foo\" headers: - name: \"version\" - value \"v1\" \n ```" + match requests to a given\naction. Multiple match types + are ANDed together, i.e. the match will\nevaluate to true + only if all conditions are satisfied.\n\n\nFor example, + the match below will match a HTTP request only if its path\nstarts + with `/foo` AND it contains the `version: v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t + \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t + \ value \"v1\"\n\n\n```" properties: headers: - description: Headers specifies HTTP request header matchers. - Multiple match values are ANDed together, meaning, a - request must match all the specified headers to select - the route. + description: |- + Headers specifies HTTP request header matchers. Multiple match values are + ANDed together, meaning, a request must match all the specified headers + to select the route. items: - description: HTTPHeaderMatch describes how to select - a HTTP route by matching HTTP request headers. + description: |- + HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request + headers. properties: name: - description: "Name is the name of the HTTP Header - to be matched. Name matching MUST be case insensitive. - (See https://tools.ietf.org/html/rfc7230#section-3.2). - \n If multiple entries specify equivalent header - names, only the first entry with an equivalent - name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be - ignored. Due to the case-insensitivity of header - names, \"foo\" and \"Foo\" are considered equivalent. 
- \n When a header is repeated in an HTTP request, - it is implementation-specific behavior as to how - this is represented. Generally, proxies should - follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 - regarding processing a repeated header, with special - handling for \"Set-Cookie\"." + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + + + When a header is repeated in an HTTP request, it is + implementation-specific behavior as to how this is represented. + Generally, proxies should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding + processing a repeated header, with special handling for "Set-Cookie". maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: "Type specifies how to match against - the value of the header. \n Support: Core (Exact) - \n Support: Implementation-specific (RegularExpression) - \n Since RegularExpression HeaderMatchType has - implementation-specific conformance, implementations - can support POSIX, PCRE or any other dialects - of regular expressions. Please read the implementation's - documentation to determine the supported dialect." + description: |- + Type specifies how to match against the value of the header. 
+ + + Support: Core (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression HeaderMatchType has implementation-specific + conformance, implementations can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's documentation to + determine the supported dialect. enum: - Exact - RegularExpression @@ -201,9 +218,13 @@ spec: - name x-kubernetes-list-type: map method: - description: "Method specifies HTTP method matcher. When - specified, this route will be matched only if the request - has the specified method. \n Support: Extended" + description: |- + Method specifies HTTP method matcher. + When specified, this route will be matched only if the request has the + specified method. + + + Support: Extended enum: - GET - HEAD @@ -219,15 +240,20 @@ spec: default: type: PathPrefix value: / - description: Path specifies a HTTP request path matcher. - If this field is not specified, a default prefix match - on the "/" path is provided. + description: |- + Path specifies a HTTP request path matcher. If this field is not + specified, a default prefix match on the "/" path is provided. properties: type: default: PathPrefix - description: "Type specifies how to match against - the path Value. \n Support: Core (Exact, PathPrefix) - \n Support: Implementation-specific (RegularExpression)" + description: |- + Type specifies how to match against the path Value. + + + Support: Core (Exact, PathPrefix) + + + Support: Implementation-specific (RegularExpression) enum: - Exact - PathPrefix 
@@ -286,48 +312,60 @@ spec: rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: "QueryParams specifies HTTP query parameter - matchers. Multiple match values are ANDed together, - meaning, a request must match all the specified query - parameters to select the route. \n Support: Extended" + description: |- + QueryParams specifies HTTP query parameter matchers. Multiple match + values are ANDed together, meaning, a request must match all the + specified query parameters to select the route. + + + Support: Extended items: - description: HTTPQueryParamMatch describes how to select - a HTTP route by matching HTTP query parameters. + description: |- + HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP + query parameters. properties: name: - description: "Name is the name of the HTTP query - param to be matched. This must be an exact string - match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). - \n If multiple entries specify equivalent query - param names, only the first entry with an equivalent - name MUST be considered for a match. Subsequent - entries with an equivalent query param name MUST - be ignored. \n If a query param is repeated in - an HTTP request, the behavior is purposely left - undefined, since different data planes have different - capabilities. However, it is *recommended* that - implementations should match against the first - value of the param if the data plane supports - it, as this behavior is expected in other load - balancing contexts outside of the Gateway API. - \n Users SHOULD NOT route traffic based on repeated - query params to guard themselves against potential - differences in the implementations." + description: |- + Name is the name of the HTTP query param to be matched. This must be an + exact string match. (See + https://tools.ietf.org/html/rfc7230#section-2.7.3). 
+ + + If multiple entries specify equivalent query param names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST be ignored. + + + If a query param is repeated in an HTTP request, the behavior is + purposely left undefined, since different data planes have different + capabilities. However, it is *recommended* that implementations should + match against the first value of the param if the data plane supports it, + as this behavior is expected in other load balancing contexts outside of + the Gateway API. + + + Users SHOULD NOT route traffic based on repeated query params to guard + themselves against potential differences in the implementations. maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: "Type specifies how to match against - the value of the query parameter. \n Support: - Extended (Exact) \n Support: Implementation-specific - (RegularExpression) \n Since RegularExpression - QueryParamMatchType has Implementation-specific - conformance, implementations can support POSIX, - PCRE or any other dialects of regular expressions. - Please read the implementation's documentation - to determine the supported dialect." + description: |- + Type specifies how to match against the value of the query parameter. + + + Support: Extended (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the implementation's + documentation to determine the supported dialect. enum: - Exact - RegularExpression 
@@ -354,8 +392,9 @@ spec: maxItems: 15 type: array rules: - description: The auth rules of the policy. See Authorino's AuthConfig - CRD for more details. + description: |- + The auth rules of the policy. + See Authorino's AuthConfig CRD for more details. properties: authentication: additionalProperties: @@ -369,10 +408,9 @@ spec: properties: allNamespaces: default: false - description: Whether Authorino should look for API key - secrets in all namespaces or only in the same namespace - as the AuthConfig. Enabling this option in namespaced - Authorino instances has no effect. + description: |- + Whether Authorino should look for API key secrets in all namespaces or only in the same namespace as the AuthConfig. + Enabling this option in namespaced Authorino instances has no effect. type: boolean selector: description: Label selector used by Authorino to match 
@@ -383,26 +421,25 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -414,12 +451,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -427,24 +462,20 @@ spec: - selector type: object cache: - description: Caching options for the resolved object returned - when applying this config. Omit it to avoid caching objects - for this config. + description: |- + Caching options for the resolved object returned when applying this config. + Omit it to avoid caching objects for this config. properties: key: - description: Key used to store the entry in the cache. - The resolved key must be unique within the scope of - this particular config. + description: |- + Key used to store the entry in the cache. + The resolved key must be unique within the scope of this particular config. properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve - to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom modifiers - are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -459,11 +490,9 @@ spec: - key type: object credentials: - description: Defines where credentials are required to be - passed in the request for authentication based on this - config. If omitted, it defaults to credentials passed - in the HTTP Authorization header and the "Bearer" prefix - prepended to the secret credential value. + description: |- + Defines where credentials are required to be passed in the request for authentication based on this config. + If omitted, it defaults to credentials passed in the HTTP Authorization header and the "Bearer" prefix prepended to the secret credential value. properties: authorizationHeader: properties: 
@@ -496,56 +525,45 @@ spec: additionalProperties: properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve - to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom modifiers - are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object - description: Set default property values (claims) for the - resolved identity object, that are set before appending - the object to the authorization JSON. If the property - is already present in the resolved identity object, the - default value is ignored. It requires the resolved identity - object to always be a JSON object. Do not use this option - with identity objects of other JSON types (array, string, - etc). + description: |- + Set default property values (claims) for the resolved identity object, that are set before appending the object to + the authorization JSON. If the property is already present in the resolved identity object, the default value is ignored. + It requires the resolved identity object to always be a JSON object. + Do not use this option with identity objects of other JSON types (array, string, etc). 
type: object jwt: description: Authentication based on JWT tokens. properties: issuerUrl: - description: URL of the issuer of the JWT. If `jwksUrl` - is omitted, Authorino will append the path to the - OpenID Connect Well-Known Discovery endpoint (i.e. - "/.well-known/openid-configuration") to this URL, - to discover the OIDC configuration where to obtain - the "jkws_uri" claim from. The value must coincide - with the value of the "iss" (issuer) claim of the - discovered OpenID Connect configuration. + description: |- + URL of the issuer of the JWT. + If `jwksUrl` is omitted, Authorino will append the path to the OpenID Connect Well-Known Discovery endpoint + (i.e. "/.well-known/openid-configuration") to this URL, to discover the OIDC configuration where to obtain + the "jkws_uri" claim from. + The value must coincide with the value of the "iss" (issuer) claim of the discovered OpenID Connect configuration. type: string ttl: - description: Decides how long to wait before refreshing - the JWKS (in seconds). If omitted, Authorino will - never refresh the JWKS. + description: |- + Decides how long to wait before refreshing the JWKS (in seconds). + If omitted, Authorino will never refresh the JWKS. type: integer type: object kubernetesTokenReview: description: Authentication by Kubernetes token review. properties: audiences: - description: The list of audiences (scopes) that must - be claimed in a Kubernetes authentication token supplied - in the request, and reviewed by Authorino. If omitted, - Authorino will review tokens expecting the host name - of the requested protected service amongst the audiences. + description: |- + The list of audiences (scopes) that must be claimed in a Kubernetes authentication token supplied in the request, and reviewed by Authorino. + If omitted, Authorino will review tokens expecting the host name of the requested protected service amongst the audiences. items: type: string type: array 
@@ -564,9 +582,10 @@ spec: the OAuth2 server. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -575,7 +594,8 @@ spec: endpoint. type: string tokenTypeHint: - description: The token type hint for the token introspection. + description: |- + The token type hint for the token introspection. If omitted, it defaults to "access_token". type: string required: 
@@ -586,145 +606,144 @@ spec: additionalProperties: properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve - to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom modifiers - are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object - description: Overrides the resolved identity object by setting - the additional properties (claims) specified in this config, + description: |- + Overrides the resolved identity object by setting the additional properties (claims) specified in this config, before appending the object to the authorization JSON. - It requires the resolved identity object to always be - a JSON object. Do not use this option with identity objects - of other JSON types (array, string, etc). + It requires the resolved identity object to always be a JSON object. + Do not use this option with identity objects of other JSON types (array, string, etc). type: object plain: - description: Identity object extracted from the context. - Use this method when authentication is performed beforehand - by a proxy and the resulting object passed to Authorino - as JSON in the auth request. 
+ description: |- + Identity object extracted from the context. + Use this method when authentication is performed beforehand by a proxy and the resulting object passed to Authorino as JSON in the auth request. properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve to - patterns (e.g. "Hello, {auth.identity.name}!"). Any - pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom modifiers - are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string required: - selector type: object priority: default: 0 - description: Priority group of the config. All configs in - the same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer routeSelectors: - description: Top-level route selectors. If present, the - elements will be used to select HTTPRoute rules that, - when activated, trigger the auth rule. At least one selected - HTTPRoute rule must match to trigger the auth rule. If - no route selectors are specified, the auth rule will be - evaluated at all requests to the protected routes. + description: |- + Top-level route selectors. 
+ If present, the elements will be used to select HTTPRoute rules that, when activated, trigger the auth rule. + At least one selected HTTPRoute rule must match to trigger the auth rule. + If no route selectors are specified, the auth rule will be evaluated at all requests to the protected routes. items: - description: RouteSelector defines semantics for matching - an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + RouteSelector defines semantics for matching an HTTP request based on conditions + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: Hostnames defines a set of hostname that - should match against the HTTP Host header to select - a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: "Hostname is the fully qualified domain - name of a network host. This matches the RFC 1123 - definition of a hostname with 2 notable exceptions: - \n 1. IPs are not allowed. 2. A hostname may be - prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - \n Hostname can be \"precise\" which is a domain - name without the terminating dot of a network - host (e.g. \"foo.example.com\") or \"wildcard\", - which is a domain name prefixed with a single - wildcard label (e.g. `*.example.com`). \n Note - that as per RFC1035 and RFC1123, a *label* must - consist of lower case alphanumeric characters - or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed." 
+ description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: Matches define conditions used for matching - the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + Matches define conditions used for matching the rule against incoming HTTP requests. + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate - used to match requests to a given action. Multiple + used to match requests to a given\naction. Multiple match types are ANDed together, i.e. the match - will evaluate to true only if all conditions are - satisfied. 
\n For example, the match below will - match a HTTP request only if its path starts with - `/foo` AND it contains the `version: v1` header: - \n ``` match: \n path: value: \"/foo\" headers: - - name: \"version\" value \"v1\" \n ```" + will\nevaluate to true only if all conditions + are satisfied.\n\n\nFor example, the match below + will match a HTTP request only if its path\nstarts + with `/foo` AND it contains the `version: v1` + header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t value: + \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t + \ value \"v1\"\n\n\n```" properties: headers: - description: Headers specifies HTTP request - header matchers. Multiple match values are - ANDed together, meaning, a request must match - all the specified headers to select the route. + description: |- + Headers specifies HTTP request header matchers. Multiple match values are + ANDed together, meaning, a request must match all the specified headers + to select the route. items: - description: HTTPHeaderMatch describes how - to select a HTTP route by matching HTTP - request headers. + description: |- + HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request + headers. properties: name: - description: "Name is the name of the - HTTP Header to be matched. Name matching - MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - \n If multiple entries specify equivalent - header names, only the first entry with - an equivalent name MUST be considered - for a match. Subsequent entries with - an equivalent header name MUST be ignored. - Due to the case-insensitivity of header - names, \"foo\" and \"Foo\" are considered - equivalent. \n When a header is repeated - in an HTTP request, it is implementation-specific - behavior as to how this is represented. 
- Generally, proxies should follow the - guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 - regarding processing a repeated header, - with special handling for \"Set-Cookie\"." + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + + + When a header is repeated in an HTTP request, it is + implementation-specific behavior as to how this is represented. + Generally, proxies should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding + processing a repeated header, with special handling for "Set-Cookie". maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: "Type specifies how to match - against the value of the header. \n - Support: Core (Exact) \n Support: Implementation-specific - (RegularExpression) \n Since RegularExpression - HeaderMatchType has implementation-specific - conformance, implementations can support - POSIX, PCRE or any other dialects of - regular expressions. Please read the - implementation's documentation to determine - the supported dialect." + description: |- + Type specifies how to match against the value of the header. + + + Support: Core (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression HeaderMatchType has implementation-specific + conformance, implementations can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's documentation to + determine the supported dialect. 
enum: - Exact - RegularExpression @@ -745,10 +764,13 @@ spec: - name x-kubernetes-list-type: map method: - description: "Method specifies HTTP method matcher. - When specified, this route will be matched - only if the request has the specified method. - \n Support: Extended" + description: |- + Method specifies HTTP method matcher. + When specified, this route will be matched only if the request has the + specified method. + + + Support: Extended enum: - GET - HEAD @@ -764,16 +786,20 @@ spec: default: type: PathPrefix value: / - description: Path specifies a HTTP request path - matcher. If this field is not specified, a - default prefix match on the "/" path is provided. + description: |- + Path specifies a HTTP request path matcher. If this field is not + specified, a default prefix match on the "/" path is provided. properties: type: default: PathPrefix - description: "Type specifies how to match - against the path Value. \n Support: Core - (Exact, PathPrefix) \n Support: Implementation-specific - (RegularExpression)" + description: |- + Type specifies how to match against the path Value. + + + Support: Core (Exact, PathPrefix) + + + Support: Implementation-specific (RegularExpression) enum: - Exact - PathPrefix 
@@ -835,55 +861,60 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: "QueryParams specifies HTTP query - parameter matchers. Multiple match values - are ANDed together, meaning, a request must - match all the specified query parameters to - select the route. \n Support: Extended" + description: |- + QueryParams specifies HTTP query parameter matchers. Multiple match + values are ANDed together, meaning, a request must match all the + specified query parameters to select the route. + + + Support: Extended items: - description: HTTPQueryParamMatch describes - how to select a HTTP route by matching HTTP + description: |- + HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. properties: name: - description: "Name is the name of the - HTTP query param to be matched. This - must be an exact string match. (See + description: |- + Name is the name of the HTTP query param to be matched. This must be an + exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). - \n If multiple entries specify equivalent - query param names, only the first entry - with an equivalent name MUST be considered - for a match. Subsequent entries with - an equivalent query param name MUST - be ignored. \n If a query param is repeated - in an HTTP request, the behavior is - purposely left undefined, since different - data planes have different capabilities. - However, it is *recommended* that implementations - should match against the first value - of the param if the data plane supports - it, as this behavior is expected in - other load balancing contexts outside - of the Gateway API. \n Users SHOULD - NOT route traffic based on repeated - query params to guard themselves against - potential differences in the implementations." 
+ + + If multiple entries specify equivalent query param names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST be ignored. + + + If a query param is repeated in an HTTP request, the behavior is + purposely left undefined, since different data planes have different + capabilities. However, it is *recommended* that implementations should + match against the first value of the param if the data plane supports it, + as this behavior is expected in other load balancing contexts outside of + the Gateway API. + + + Users SHOULD NOT route traffic based on repeated query params to guard + themselves against potential differences in the implementations. maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: "Type specifies how to match - against the value of the query parameter. - \n Support: Extended (Exact) \n Support: - Implementation-specific (RegularExpression) - \n Since RegularExpression QueryParamMatchType - has Implementation-specific conformance, - implementations can support POSIX, PCRE - or any other dialects of regular expressions. - Please read the implementation's documentation - to determine the supported dialect." + description: |- + Type specifies how to match against the value of the query parameter. + + + Support: Extended (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the implementation's + documentation to determine the supported dialect. enum: - Exact - RegularExpression 
@@ -910,10 +941,10 @@ spec: maxItems: 15 type: array when: - description: Conditions for Authorino to enforce this config. + description: |- + Conditions for Authorino to enforce this config. If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to - be enforced; otherwise, the config will be skipped. + If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. items: properties: all: @@ -931,12 +962,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied to - the content fetched from the authorization JSON, - for comparison with "value". Possible values are: - "eq" (equal to), "neq" (not equal to), "incl" (includes; - for arrays), "excl" (excludes; for arrays), "matches" - (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq 
@@ -948,63 +976,57 @@ spec: description: Reference to a named set of pattern expressions type: string selector: - description: Path selector to fetch content from the - authorization JSON (e.g. 'request.method'). Any - pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. Authorino custom JSON path modifiers - are also supported. + description: |- + Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + Authorino custom JSON path modifiers are also supported. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization - JSON. If used with the "matches" operator, the value - must compile to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array x509: - description: Authentication based on client X.509 certificates. - The certificates presented by the clients must be signed - by a trusted CA whose certificates are stored in Kubernetes - secrets. + description: |- + Authentication based on client X.509 certificates. + The certificates presented by the clients must be signed by a trusted CA whose certificates are stored in Kubernetes secrets. properties: allNamespaces: default: false - description: Whether Authorino should look for TLS secrets - in all namespaces or only in the same namespace as - the AuthConfig. Enabling this option in namespaced - Authorino instances has no effect. + description: |- + Whether Authorino should look for TLS secrets in all namespaces or only in the same namespace as the AuthConfig. + Enabling this option in namespaced Authorino instances has no effect. 
type: boolean selector: - description: Label selector used by Authorino to match - secrets from the cluster storing trusted CA certificates - to validate clients trying to authenticate to this - service + description: |- + Label selector used by Authorino to match secrets from the cluster storing trusted CA certificates to validate + clients trying to authenticate to this service properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1016,12 +1038,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1029,33 +1049,29 @@ spec: - selector type: object type: object - description: Authentication configs. At least one config MUST - evaluate to a valid identity object for the auth request to - be successful. + description: |- + Authentication configs. + At least one config MUST evaluate to a valid identity object for the auth request to be successful. maxProperties: 14 type: object authorization: additionalProperties: properties: cache: - description: Caching options for the resolved object returned - when applying this config. Omit it to avoid caching objects - for this config. + description: |- + Caching options for the resolved object returned when applying this config. + Omit it to avoid caching objects for this config. properties: key: - description: Key used to store the entry in the cache. - The resolved key must be unique within the scope of - this particular config. + description: |- + Key used to store the entry in the cache. + The resolved key must be unique within the scope of this particular config. properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve - to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom modifiers - are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. 
type: string value: description: Static value 
@@ -1080,47 +1096,35 @@ spec: type: string type: array resourceAttributes: - description: Use resourceAttributes to check permissions - on Kubernetes resources. If omitted, it performs a - non-resource SubjectAccessReview, with verb and path - inferred from the request. + description: |- + Use resourceAttributes to check permissions on Kubernetes resources. + If omitted, it performs a non-resource SubjectAccessReview, with verb and path inferred from the request. properties: group: - description: API group of the resource. Use '*' - for all API groups. + description: |- + API group of the resource. + Use '*' for all API groups. properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template with - variables that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object name: - description: Resource name Omit it to check for - authorization on all resources of the specified - kind. + description: |- + Resource name + Omit it to check for authorization on all resources of the specified kind. 
properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template with - variables that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -1131,36 +1135,25 @@ spec: permissions on the resource. properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template with - variables that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object resource: - description: Resource kind Use '*' for all resource - kinds. + description: |- + Resource kind + Use '*' for all resource kinds. properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template with - variables that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
+ Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -1170,36 +1163,25 @@ spec: description: Subresource kind properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template with - variables that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object verb: - description: Verb to check for authorization on - the resource. Use '*' for all verbs. + description: |- + Verb to check for authorization on the resource. + Use '*' for all verbs. properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template with - variables that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
+ Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value @@ -1207,19 +1189,15 @@ spec: type: object type: object user: - description: User to check for authorization in the - Kubernetes RBAC. Omit it to check for group authorization - only. + description: |- + User to check for authorization in the Kubernetes RBAC. + Omit it to check for group authorization only. properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve - to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom modifiers - are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -1236,40 +1214,29 @@ spec: properties: allValues: default: false - description: Returns the value of all Rego rules in - the virtual document. Values can be read in subsequent - evaluators/phases of the Auth Pipeline. Otherwise, - only the default `allow` rule will be exposed. Returning - all Rego rules can affect performance of OPA policies - during reconciliation (policy precompile) and at runtime. + description: |- + Returns the value of all Rego rules in the virtual document. Values can be read in subsequent evaluators/phases of the Auth Pipeline. + Otherwise, only the default `allow` rule will be exposed. + Returning all Rego rules can affect performance of OPA policies during reconciliation (policy precompile) and at runtime. type: boolean externalPolicy: - description: 'Settings for fetching the OPA policy from - an external registry. Use it alternatively to ''rego''. - For the configurations of the HTTP request, the following - options are not implemented: ''method'', ''body'', - ''bodyParameters'', ''contentType'', ''headers'', - ''oauth2''. Use it only with: ''url'', ''sharedSecret'', - ''credentials''.' + description: |- + Settings for fetching the OPA policy from an external registry. + Use it alternatively to 'rego'. + For the configurations of the HTTP request, the following options are not implemented: 'method', 'body', 'bodyParameters', + 'contentType', 'headers', 'oauth2'. Use it only with: 'url', 'sharedSecret', 'credentials'. properties: body: - description: Raw body of the HTTP request. Supersedes - 'bodyParameters'; use either one or the other. - Use it with method=POST; for GET requests, set - parameters as query string in the 'endpoint' (placeholders - can be used). + description: |- + Raw body of the HTTP request. + Supersedes 'bodyParameters'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). 
properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template with - variables that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -1279,43 +1246,33 @@ spec: additionalProperties: properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template - with variables that resolve to patterns - (e.g. "Hello, {auth.identity.name}!"). Any - pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" - ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object - description: Custom parameters to encode in the - body of the HTTP request. Superseded by 'body'; - use either one or the other. Use it with method=POST; - for GET requests, set parameters as query string - in the 'endpoint' (placeholders can be used). + description: |- + Custom parameters to encode in the body of the HTTP request. + Superseded by 'body'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). type: object contentType: default: application/x-www-form-urlencoded - description: Content-Type of the request body. Shapes - how 'bodyParameters' are encoded. Use it with - method=POST; for GET requests, Content-Type is - automatically set to 'text/plain'. + description: |- + Content-Type of the request body. Shapes how 'bodyParameters' are encoded. 
+ Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: - description: Defines where client credentials will - be passed in the request to the service. If omitted, - it defaults to client credentials passed in the - HTTP Authorization header and the "Bearer" prefix - expected prepended to the secret value. + description: |- + Defines where client credentials will be passed in the request to the service. + If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. properties: authorizationHeader: properties: @@ -1348,16 +1305,10 @@ spec: additionalProperties: properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template - with variables that resolve to patterns - (e.g. "Hello, {auth.identity.name}!"). Any - pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" - ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -1367,10 +1318,9 @@ spec: type: object method: default: GET - description: 'HTTP verb used in the request to the - service. Accepted values: GET (default), POST. - When the request method is POST, the authorization - JSON is passed in the body of the request.' + description: |- + HTTP verb used in the request to the service. Accepted values: GET (default), POST. + When the request method is POST, the authorization JSON is passed in the body of the request. enum: - GET - POST @@ -1388,10 +1338,9 @@ spec: properties: cache: default: true - description: Caches and reuses the token until - expired. Set it to false to force fetch the - token at every authorization request regardless - of expiration. + description: |- + Caches and reuses the token until expired. + Set it to false to force fetch the token at every authorization request regardless of expiration. type: boolean clientId: description: OAuth2 Client ID. @@ -1435,11 +1384,10 @@ spec: - tokenUrl type: object sharedSecretRef: - description: Reference to a Secret key whose value - will be passed by Authorino in the request. The - HTTP service can use the shared secret to authenticate - the origin of the request. Ignored if used together - with oauth2. + description: |- + Reference to a Secret key whose value will be passed by Authorino in the request. + The HTTP service can use the shared secret to authenticate the origin of the request. + Ignored if used together with oauth2. properties: key: description: The key of the secret to select 
@@ -1459,23 +1407,20 @@ spec: source. type: integer url: - description: Endpoint URL of the HTTP service. The - value can include variable placeholders in the - format "{selector}", where "selector" is any pattern - supported by https://pkg.go.dev/github.com/tidwall/gjson - and selects value from the authorization JSON. + description: |- + Endpoint URL of the HTTP service. + The value can include variable placeholders in the format "{selector}", where "selector" is any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string required: - url type: object rego: - description: Authorization policy as a Rego language - document. The Rego document must include the "allow" - condition, set by Authorino to "false" by default - (i.e. requests are unauthorized unless changed). The - Rego document must NOT include the "package" declaration - in line 1. + description: |- + Authorization policy as a Rego language document. + The Rego document must include the "allow" condition, set by Authorino to "false" by default (i.e. requests are unauthorized unless changed). + The Rego document must NOT include the "package" declaration in line 1. type: string type: object patternMatching: @@ -1499,12 +1444,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied - to the content fetched from the authorization - JSON, for comparison with "value". Possible - values are: "eq" (equal to), "neq" (not equal - to), "incl" (includes; for arrays), "excl" (excludes; - for arrays), "matches" (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq 
@@ -1517,17 +1459,15 @@ spec: expressions type: string selector: - description: Path selector to fetch content from - the authorization JSON (e.g. 'request.method'). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. Authorino custom JSON path modifiers - are also supported. + description: |- + Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + Authorino custom JSON path modifiers are also supported. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization - JSON. If used with the "matches" operator, the - value must compile to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array 
@@ -1536,104 +1476,113 @@ spec: type: object priority: default: 0 - description: Priority group of the config. All configs in - the same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer routeSelectors: - description: Top-level route selectors. If present, the - elements will be used to select HTTPRoute rules that, - when activated, trigger the auth rule. At least one selected - HTTPRoute rule must match to trigger the auth rule. If - no route selectors are specified, the auth rule will be - evaluated at all requests to the protected routes. + description: |- + Top-level route selectors. + If present, the elements will be used to select HTTPRoute rules that, when activated, trigger the auth rule. + At least one selected HTTPRoute rule must match to trigger the auth rule. + If no route selectors are specified, the auth rule will be evaluated at all requests to the protected routes. 
items: - description: RouteSelector defines semantics for matching - an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + RouteSelector defines semantics for matching an HTTP request based on conditions + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: Hostnames defines a set of hostname that - should match against the HTTP Host header to select - a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: "Hostname is the fully qualified domain - name of a network host. This matches the RFC 1123 - definition of a hostname with 2 notable exceptions: - \n 1. IPs are not allowed. 2. A hostname may be - prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - \n Hostname can be \"precise\" which is a domain - name without the terminating dot of a network - host (e.g. \"foo.example.com\") or \"wildcard\", - which is a domain name prefixed with a single - wildcard label (e.g. `*.example.com`). \n Note - that as per RFC1035 and RFC1123, a *label* must - consist of lower case alphanumeric characters - or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed." + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. 
+ + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: Matches define conditions used for matching - the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + Matches define conditions used for matching the rule against incoming HTTP requests. + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate - used to match requests to a given action. Multiple + used to match requests to a given\naction. Multiple match types are ANDed together, i.e. the match - will evaluate to true only if all conditions are - satisfied. \n For example, the match below will - match a HTTP request only if its path starts with - `/foo` AND it contains the `version: v1` header: - \n ``` match: \n path: value: \"/foo\" headers: - - name: \"version\" value \"v1\" \n ```" + will\nevaluate to true only if all conditions + are satisfied.\n\n\nFor example, the match below + will match a HTTP request only if its path\nstarts + with `/foo` AND it contains the `version: v1` + header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t value: + \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t + \ value \"v1\"\n\n\n```" properties: headers: - description: Headers specifies HTTP request - header matchers. 
Multiple match values are - ANDed together, meaning, a request must match - all the specified headers to select the route. + description: |- + Headers specifies HTTP request header matchers. Multiple match values are + ANDed together, meaning, a request must match all the specified headers + to select the route. items: - description: HTTPHeaderMatch describes how - to select a HTTP route by matching HTTP - request headers. + description: |- + HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request + headers. properties: name: - description: "Name is the name of the - HTTP Header to be matched. Name matching - MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - \n If multiple entries specify equivalent - header names, only the first entry with - an equivalent name MUST be considered - for a match. Subsequent entries with - an equivalent header name MUST be ignored. - Due to the case-insensitivity of header - names, \"foo\" and \"Foo\" are considered - equivalent. \n When a header is repeated - in an HTTP request, it is implementation-specific - behavior as to how this is represented. - Generally, proxies should follow the - guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 - regarding processing a repeated header, - with special handling for \"Set-Cookie\"." + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + + + When a header is repeated in an HTTP request, it is + implementation-specific behavior as to how this is represented. 
+ Generally, proxies should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding + processing a repeated header, with special handling for "Set-Cookie". maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: "Type specifies how to match - against the value of the header. \n - Support: Core (Exact) \n Support: Implementation-specific - (RegularExpression) \n Since RegularExpression - HeaderMatchType has implementation-specific - conformance, implementations can support - POSIX, PCRE or any other dialects of - regular expressions. Please read the - implementation's documentation to determine - the supported dialect." + description: |- + Type specifies how to match against the value of the header. + + + Support: Core (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression HeaderMatchType has implementation-specific + conformance, implementations can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's documentation to + determine the supported dialect. enum: - Exact - RegularExpression @@ -1654,10 +1603,13 @@ spec: - name x-kubernetes-list-type: map method: - description: "Method specifies HTTP method matcher. - When specified, this route will be matched - only if the request has the specified method. - \n Support: Extended" + description: |- + Method specifies HTTP method matcher. + When specified, this route will be matched only if the request has the + specified method. + + + Support: Extended enum: - GET - HEAD 
@@ -1673,16 +1625,20 @@ spec: default: type: PathPrefix value: / - description: Path specifies a HTTP request path - matcher. If this field is not specified, a - default prefix match on the "/" path is provided. + description: |- + Path specifies a HTTP request path matcher. If this field is not + specified, a default prefix match on the "/" path is provided. properties: type: default: PathPrefix - description: "Type specifies how to match - against the path Value. \n Support: Core - (Exact, PathPrefix) \n Support: Implementation-specific - (RegularExpression)" + description: |- + Type specifies how to match against the path Value. + + + Support: Core (Exact, PathPrefix) + + + Support: Implementation-specific (RegularExpression) enum: - Exact - PathPrefix 
@@ -1744,55 +1700,60 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: "QueryParams specifies HTTP query - parameter matchers. Multiple match values - are ANDed together, meaning, a request must - match all the specified query parameters to - select the route. \n Support: Extended" + description: |- + QueryParams specifies HTTP query parameter matchers. Multiple match + values are ANDed together, meaning, a request must match all the + specified query parameters to select the route. + + + Support: Extended items: - description: HTTPQueryParamMatch describes - how to select a HTTP route by matching HTTP + description: |- + HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. properties: name: - description: "Name is the name of the - HTTP query param to be matched. This - must be an exact string match. (See + description: |- + Name is the name of the HTTP query param to be matched. This must be an + exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). - \n If multiple entries specify equivalent - query param names, only the first entry - with an equivalent name MUST be considered - for a match. Subsequent entries with - an equivalent query param name MUST - be ignored. \n If a query param is repeated - in an HTTP request, the behavior is - purposely left undefined, since different - data planes have different capabilities. - However, it is *recommended* that implementations - should match against the first value - of the param if the data plane supports - it, as this behavior is expected in - other load balancing contexts outside - of the Gateway API. \n Users SHOULD - NOT route traffic based on repeated - query params to guard themselves against - potential differences in the implementations." 
+ + + If multiple entries specify equivalent query param names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST be ignored. + + + If a query param is repeated in an HTTP request, the behavior is + purposely left undefined, since different data planes have different + capabilities. However, it is *recommended* that implementations should + match against the first value of the param if the data plane supports it, + as this behavior is expected in other load balancing contexts outside of + the Gateway API. + + + Users SHOULD NOT route traffic based on repeated query params to guard + themselves against potential differences in the implementations. maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: "Type specifies how to match - against the value of the query parameter. - \n Support: Extended (Exact) \n Support: - Implementation-specific (RegularExpression) - \n Since RegularExpression QueryParamMatchType - has Implementation-specific conformance, - implementations can support POSIX, PCRE - or any other dialects of regular expressions. - Please read the implementation's documentation - to determine the supported dialect." + description: |- + Type specifies how to match against the value of the query parameter. + + + Support: Extended (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the implementation's + documentation to determine the supported dialect. enum: - Exact - RegularExpression 
@@ -1835,14 +1796,10 @@ spec: on which to execute the check. properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve - to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom modifiers - are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -1855,16 +1812,10 @@ spec: kind: properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template with - variables that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -1873,16 +1824,10 @@ spec: name: properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template with - variables that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -1913,16 +1858,10 @@ spec: kind: properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template with - variables that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -1931,16 +1870,10 @@ spec: name: properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template with - variables that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value @@ -1951,10 +1884,10 @@ spec: - endpoint type: object when: - description: Conditions for Authorino to enforce this config. + description: |- + Conditions for Authorino to enforce this config. If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to - be enforced; otherwise, the config will be skipped. + If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. items: properties: all: 
@@ -1972,12 +1905,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied to - the content fetched from the authorization JSON, - for comparison with "value". Possible values are: - "eq" (equal to), "neq" (not equal to), "incl" (includes; - for arrays), "excl" (excludes; for arrays), "matches" - (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq 
@@ -1989,47 +1919,42 @@ spec: description: Reference to a named set of pattern expressions type: string selector: - description: Path selector to fetch content from the - authorization JSON (e.g. 'request.method'). Any - pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. Authorino custom JSON path modifiers - are also supported. + description: |- + Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + Authorino custom JSON path modifiers are also supported. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization - JSON. If used with the "matches" operator, the value - must compile to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array type: object - description: Authorization policies. All policies MUST evaluate - to "allowed = true" for the auth request be successful. + description: |- + Authorization policies. + All policies MUST evaluate to "allowed = true" for the auth request be successful. maxProperties: 14 type: object callbacks: additionalProperties: properties: cache: - description: Caching options for the resolved object returned - when applying this config. Omit it to avoid caching objects - for this config. + description: |- + Caching options for the resolved object returned when applying this config. + Omit it to avoid caching objects for this config. properties: key: - description: Key used to store the entry in the cache. - The resolved key must be unique within the scope of - this particular config. + description: |- + Key used to store the entry in the cache. 
+ The resolved key must be unique within the scope of this particular config. properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve - to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom modifiers - are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -2047,21 +1972,16 @@ spec: description: Settings of the external HTTP request properties: body: - description: Raw body of the HTTP request. Supersedes - 'bodyParameters'; use either one or the other. Use - it with method=POST; for GET requests, set parameters - as query string in the 'endpoint' (placeholders can - be used). + description: |- + Raw body of the HTTP request. + Supersedes 'bodyParameters'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve - to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom modifiers - are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -2071,42 +1991,33 @@ spec: additionalProperties: properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve - to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object - description: Custom parameters to encode in the body - of the HTTP request. Superseded by 'body'; use either - one or the other. Use it with method=POST; for GET - requests, set parameters as query string in the 'endpoint' - (placeholders can be used). + description: |- + Custom parameters to encode in the body of the HTTP request. + Superseded by 'body'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). type: object contentType: default: application/x-www-form-urlencoded - description: Content-Type of the request body. Shapes - how 'bodyParameters' are encoded. Use it with method=POST; - for GET requests, Content-Type is automatically set - to 'text/plain'. + description: |- + Content-Type of the request body. Shapes how 'bodyParameters' are encoded. 
+ Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: - description: Defines where client credentials will be - passed in the request to the service. If omitted, - it defaults to client credentials passed in the HTTP - Authorization header and the "Bearer" prefix expected - prepended to the secret value. + description: |- + Defines where client credentials will be passed in the request to the service. + If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. properties: authorizationHeader: properties: @@ -2139,15 +2050,10 @@ spec: additionalProperties: properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve - to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -2157,10 +2063,9 @@ spec: type: object method: default: GET - description: 'HTTP verb used in the request to the service. - Accepted values: GET (default), POST. When the request - method is POST, the authorization JSON is passed in - the body of the request.' + description: |- + HTTP verb used in the request to the service. Accepted values: GET (default), POST. + When the request method is POST, the authorization JSON is passed in the body of the request. enum: - GET - POST @@ -2178,9 +2083,9 @@ spec: properties: cache: default: true - description: Caches and reuses the token until expired. - Set it to false to force fetch the token at every - authorization request regardless of expiration. + description: |- + Caches and reuses the token until expired. + Set it to false to force fetch the token at every authorization request regardless of expiration. type: boolean clientId: description: OAuth2 Client ID. @@ -2223,10 +2128,10 @@ spec: - tokenUrl type: object sharedSecretRef: - description: Reference to a Secret key whose value will - be passed by Authorino in the request. The HTTP service - can use the shared secret to authenticate the origin - of the request. Ignored if used together with oauth2. + description: |- + Reference to a Secret key whose value will be passed by Authorino in the request. + The HTTP service can use the shared secret to authenticate the origin of the request. + Ignored if used together with oauth2. properties: key: description: The key of the secret to select from. Must 
@@ -2241,11 +2146,11 @@ spec: - name type: object url: - description: Endpoint URL of the HTTP service. The value - can include variable placeholders in the format "{selector}", - where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - and selects value from the authorization JSON. E.g. - https://ext-auth-server.io/metadata?p={request.path} + description: |- + Endpoint URL of the HTTP service. + The value can include variable placeholders in the format "{selector}", where "selector" is any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + E.g. https://ext-auth-server.io/metadata?p={request.path} type: string required: - url 
@@ -2257,104 +2162,113 @@ spec: type: boolean priority: default: 0 - description: Priority group of the config. All configs in - the same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer routeSelectors: - description: Top-level route selectors. If present, the - elements will be used to select HTTPRoute rules that, - when activated, trigger the auth rule. At least one selected - HTTPRoute rule must match to trigger the auth rule. If - no route selectors are specified, the auth rule will be - evaluated at all requests to the protected routes. + description: |- + Top-level route selectors. + If present, the elements will be used to select HTTPRoute rules that, when activated, trigger the auth rule. + At least one selected HTTPRoute rule must match to trigger the auth rule. + If no route selectors are specified, the auth rule will be evaluated at all requests to the protected routes. 
items: - description: RouteSelector defines semantics for matching - an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + RouteSelector defines semantics for matching an HTTP request based on conditions + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: Hostnames defines a set of hostname that - should match against the HTTP Host header to select - a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: "Hostname is the fully qualified domain - name of a network host. This matches the RFC 1123 - definition of a hostname with 2 notable exceptions: - \n 1. IPs are not allowed. 2. A hostname may be - prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - \n Hostname can be \"precise\" which is a domain - name without the terminating dot of a network - host (e.g. \"foo.example.com\") or \"wildcard\", - which is a domain name prefixed with a single - wildcard label (e.g. `*.example.com`). \n Note - that as per RFC1035 and RFC1123, a *label* must - consist of lower case alphanumeric characters - or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed." + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. 
+ + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: Matches define conditions used for matching - the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + Matches define conditions used for matching the rule against incoming HTTP requests. + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate - used to match requests to a given action. Multiple + used to match requests to a given\naction. Multiple match types are ANDed together, i.e. the match - will evaluate to true only if all conditions are - satisfied. \n For example, the match below will - match a HTTP request only if its path starts with - `/foo` AND it contains the `version: v1` header: - \n ``` match: \n path: value: \"/foo\" headers: - - name: \"version\" value \"v1\" \n ```" + will\nevaluate to true only if all conditions + are satisfied.\n\n\nFor example, the match below + will match a HTTP request only if its path\nstarts + with `/foo` AND it contains the `version: v1` + header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t value: + \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t + \ value \"v1\"\n\n\n```" properties: headers: - description: Headers specifies HTTP request - header matchers. 
Multiple match values are - ANDed together, meaning, a request must match - all the specified headers to select the route. + description: |- + Headers specifies HTTP request header matchers. Multiple match values are + ANDed together, meaning, a request must match all the specified headers + to select the route. items: - description: HTTPHeaderMatch describes how - to select a HTTP route by matching HTTP - request headers. + description: |- + HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request + headers. properties: name: - description: "Name is the name of the - HTTP Header to be matched. Name matching - MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - \n If multiple entries specify equivalent - header names, only the first entry with - an equivalent name MUST be considered - for a match. Subsequent entries with - an equivalent header name MUST be ignored. - Due to the case-insensitivity of header - names, \"foo\" and \"Foo\" are considered - equivalent. \n When a header is repeated - in an HTTP request, it is implementation-specific - behavior as to how this is represented. - Generally, proxies should follow the - guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 - regarding processing a repeated header, - with special handling for \"Set-Cookie\"." + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + + + When a header is repeated in an HTTP request, it is + implementation-specific behavior as to how this is represented. 
+ Generally, proxies should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding + processing a repeated header, with special handling for "Set-Cookie". maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: "Type specifies how to match - against the value of the header. \n - Support: Core (Exact) \n Support: Implementation-specific - (RegularExpression) \n Since RegularExpression - HeaderMatchType has implementation-specific - conformance, implementations can support - POSIX, PCRE or any other dialects of - regular expressions. Please read the - implementation's documentation to determine - the supported dialect." + description: |- + Type specifies how to match against the value of the header. + + + Support: Core (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression HeaderMatchType has implementation-specific + conformance, implementations can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's documentation to + determine the supported dialect. enum: - Exact - RegularExpression @@ -2375,10 +2289,13 @@ spec: - name x-kubernetes-list-type: map method: - description: "Method specifies HTTP method matcher. - When specified, this route will be matched - only if the request has the specified method. - \n Support: Extended" + description: |- + Method specifies HTTP method matcher. + When specified, this route will be matched only if the request has the + specified method. + + + Support: Extended enum: - GET - HEAD 
@@ -2394,16 +2311,20 @@ spec: default: type: PathPrefix value: / - description: Path specifies a HTTP request path - matcher. If this field is not specified, a - default prefix match on the "/" path is provided. + description: |- + Path specifies a HTTP request path matcher. If this field is not + specified, a default prefix match on the "/" path is provided. properties: type: default: PathPrefix - description: "Type specifies how to match - against the path Value. \n Support: Core - (Exact, PathPrefix) \n Support: Implementation-specific - (RegularExpression)" + description: |- + Type specifies how to match against the path Value. + + + Support: Core (Exact, PathPrefix) + + + Support: Implementation-specific (RegularExpression) enum: - Exact - PathPrefix 
@@ -2465,55 +2386,60 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: "QueryParams specifies HTTP query - parameter matchers. Multiple match values - are ANDed together, meaning, a request must - match all the specified query parameters to - select the route. \n Support: Extended" + description: |- + QueryParams specifies HTTP query parameter matchers. Multiple match + values are ANDed together, meaning, a request must match all the + specified query parameters to select the route. + + + Support: Extended items: - description: HTTPQueryParamMatch describes - how to select a HTTP route by matching HTTP + description: |- + HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. properties: name: - description: "Name is the name of the - HTTP query param to be matched. This - must be an exact string match. (See + description: |- + Name is the name of the HTTP query param to be matched. This must be an + exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). - \n If multiple entries specify equivalent - query param names, only the first entry - with an equivalent name MUST be considered - for a match. Subsequent entries with - an equivalent query param name MUST - be ignored. \n If a query param is repeated - in an HTTP request, the behavior is - purposely left undefined, since different - data planes have different capabilities. - However, it is *recommended* that implementations - should match against the first value - of the param if the data plane supports - it, as this behavior is expected in - other load balancing contexts outside - of the Gateway API. \n Users SHOULD - NOT route traffic based on repeated - query params to guard themselves against - potential differences in the implementations." 
+ + + If multiple entries specify equivalent query param names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST be ignored. + + + If a query param is repeated in an HTTP request, the behavior is + purposely left undefined, since different data planes have different + capabilities. However, it is *recommended* that implementations should + match against the first value of the param if the data plane supports it, + as this behavior is expected in other load balancing contexts outside of + the Gateway API. + + + Users SHOULD NOT route traffic based on repeated query params to guard + themselves against potential differences in the implementations. maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: "Type specifies how to match - against the value of the query parameter. - \n Support: Extended (Exact) \n Support: - Implementation-specific (RegularExpression) - \n Since RegularExpression QueryParamMatchType - has Implementation-specific conformance, - implementations can support POSIX, PCRE - or any other dialects of regular expressions. - Please read the implementation's documentation - to determine the supported dialect." + description: |- + Type specifies how to match against the value of the query parameter. + + + Support: Extended (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the implementation's + documentation to determine the supported dialect. enum: - Exact - RegularExpression 
@@ -2540,10 +2466,10 @@ spec: maxItems: 15 type: array when: - description: Conditions for Authorino to enforce this config. + description: |- + Conditions for Authorino to enforce this config. If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to - be enforced; otherwise, the config will be skipped. + If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. items: properties: all: @@ -2561,12 +2487,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied to - the content fetched from the authorization JSON, - for comparison with "value". Possible values are: - "eq" (equal to), "neq" (not equal to), "incl" (includes; - for arrays), "excl" (excludes; for arrays), "matches" - (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq 
@@ -2578,50 +2501,44 @@ spec: description: Reference to a named set of pattern expressions type: string selector: - description: Path selector to fetch content from the - authorization JSON (e.g. 'request.method'). Any - pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. Authorino custom JSON path modifiers - are also supported. + description: |- + Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + Authorino custom JSON path modifiers are also supported. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization - JSON. If used with the "matches" operator, the value - must compile to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array required: - http type: object - description: Callback functions. Authorino sends callbacks at - the end of the auth pipeline to the endpoints specified in this - config. + description: |- + Callback functions. + Authorino sends callbacks at the end of the auth pipeline to the endpoints specified in this config. maxProperties: 14 type: object metadata: additionalProperties: properties: cache: - description: Caching options for the resolved object returned - when applying this config. Omit it to avoid caching objects - for this config. + description: |- + Caching options for the resolved object returned when applying this config. + Omit it to avoid caching objects for this config. properties: key: - description: Key used to store the entry in the cache. - The resolved key must be unique within the scope of - this particular config. + description: |- + Key used to store the entry in the cache. 
+ The resolved key must be unique within the scope of this particular config. properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve - to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom modifiers - are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -2639,21 +2556,16 @@ spec: description: External source of auth metadata via HTTP request properties: body: - description: Raw body of the HTTP request. Supersedes - 'bodyParameters'; use either one or the other. Use - it with method=POST; for GET requests, set parameters - as query string in the 'endpoint' (placeholders can - be used). + description: |- + Raw body of the HTTP request. + Supersedes 'bodyParameters'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve - to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom modifiers - are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -2663,42 +2575,33 @@ spec: additionalProperties: properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve - to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object - description: Custom parameters to encode in the body - of the HTTP request. Superseded by 'body'; use either - one or the other. Use it with method=POST; for GET - requests, set parameters as query string in the 'endpoint' - (placeholders can be used). + description: |- + Custom parameters to encode in the body of the HTTP request. + Superseded by 'body'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). type: object contentType: default: application/x-www-form-urlencoded - description: Content-Type of the request body. Shapes - how 'bodyParameters' are encoded. Use it with method=POST; - for GET requests, Content-Type is automatically set - to 'text/plain'. + description: |- + Content-Type of the request body. Shapes how 'bodyParameters' are encoded. 
+ Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: - description: Defines where client credentials will be - passed in the request to the service. If omitted, - it defaults to client credentials passed in the HTTP - Authorization header and the "Bearer" prefix expected - prepended to the secret value. + description: |- + Defines where client credentials will be passed in the request to the service. + If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. properties: authorizationHeader: properties: @@ -2731,15 +2634,10 @@ spec: additionalProperties: properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve - to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -2749,10 +2647,9 @@ spec: type: object method: default: GET - description: 'HTTP verb used in the request to the service. - Accepted values: GET (default), POST. When the request - method is POST, the authorization JSON is passed in - the body of the request.' + description: |- + HTTP verb used in the request to the service. Accepted values: GET (default), POST. + When the request method is POST, the authorization JSON is passed in the body of the request. enum: - GET - POST @@ -2770,9 +2667,9 @@ spec: properties: cache: default: true - description: Caches and reuses the token until expired. - Set it to false to force fetch the token at every - authorization request regardless of expiration. + description: |- + Caches and reuses the token until expired. + Set it to false to force fetch the token at every authorization request regardless of expiration. type: boolean clientId: description: OAuth2 Client ID. @@ -2815,10 +2712,10 @@ spec: - tokenUrl type: object sharedSecretRef: - description: Reference to a Secret key whose value will - be passed by Authorino in the request. The HTTP service - can use the shared secret to authenticate the origin - of the request. Ignored if used together with oauth2. + description: |- + Reference to a Secret key whose value will be passed by Authorino in the request. + The HTTP service can use the shared secret to authenticate the origin of the request. + Ignored if used together with oauth2. properties: key: description: The key of the secret to select from. Must 
@@ -2833,11 +2730,11 @@ spec: - name type: object url: - description: Endpoint URL of the HTTP service. The value - can include variable placeholders in the format "{selector}", - where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - and selects value from the authorization JSON. E.g. - https://ext-auth-server.io/metadata?p={request.path} + description: |- + Endpoint URL of the HTTP service. + The value can include variable placeholders in the format "{selector}", where "selector" is any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + E.g. https://ext-auth-server.io/metadata?p={request.path} type: string required: - url 
@@ -2849,104 +2746,113 @@ spec: type: boolean priority: default: 0 - description: Priority group of the config. All configs in - the same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer routeSelectors: - description: Top-level route selectors. If present, the - elements will be used to select HTTPRoute rules that, - when activated, trigger the auth rule. At least one selected - HTTPRoute rule must match to trigger the auth rule. If - no route selectors are specified, the auth rule will be - evaluated at all requests to the protected routes. + description: |- + Top-level route selectors. + If present, the elements will be used to select HTTPRoute rules that, when activated, trigger the auth rule. + At least one selected HTTPRoute rule must match to trigger the auth rule. + If no route selectors are specified, the auth rule will be evaluated at all requests to the protected routes. 
items: - description: RouteSelector defines semantics for matching - an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + RouteSelector defines semantics for matching an HTTP request based on conditions + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: Hostnames defines a set of hostname that - should match against the HTTP Host header to select - a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: "Hostname is the fully qualified domain - name of a network host. This matches the RFC 1123 - definition of a hostname with 2 notable exceptions: - \n 1. IPs are not allowed. 2. A hostname may be - prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - \n Hostname can be \"precise\" which is a domain - name without the terminating dot of a network - host (e.g. \"foo.example.com\") or \"wildcard\", - which is a domain name prefixed with a single - wildcard label (e.g. `*.example.com`). \n Note - that as per RFC1035 and RFC1123, a *label* must - consist of lower case alphanumeric characters - or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed." + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. 
+ + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: Matches define conditions used for matching - the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + Matches define conditions used for matching the rule against incoming HTTP requests. + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate - used to match requests to a given action. Multiple + used to match requests to a given\naction. Multiple match types are ANDed together, i.e. the match - will evaluate to true only if all conditions are - satisfied. \n For example, the match below will - match a HTTP request only if its path starts with - `/foo` AND it contains the `version: v1` header: - \n ``` match: \n path: value: \"/foo\" headers: - - name: \"version\" value \"v1\" \n ```" + will\nevaluate to true only if all conditions + are satisfied.\n\n\nFor example, the match below + will match a HTTP request only if its path\nstarts + with `/foo` AND it contains the `version: v1` + header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t value: + \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t + \ value \"v1\"\n\n\n```" properties: headers: - description: Headers specifies HTTP request - header matchers. 
Multiple match values are - ANDed together, meaning, a request must match - all the specified headers to select the route. + description: |- + Headers specifies HTTP request header matchers. Multiple match values are + ANDed together, meaning, a request must match all the specified headers + to select the route. items: - description: HTTPHeaderMatch describes how - to select a HTTP route by matching HTTP - request headers. + description: |- + HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request + headers. properties: name: - description: "Name is the name of the - HTTP Header to be matched. Name matching - MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - \n If multiple entries specify equivalent - header names, only the first entry with - an equivalent name MUST be considered - for a match. Subsequent entries with - an equivalent header name MUST be ignored. - Due to the case-insensitivity of header - names, \"foo\" and \"Foo\" are considered - equivalent. \n When a header is repeated - in an HTTP request, it is implementation-specific - behavior as to how this is represented. - Generally, proxies should follow the - guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 - regarding processing a repeated header, - with special handling for \"Set-Cookie\"." + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + + + When a header is repeated in an HTTP request, it is + implementation-specific behavior as to how this is represented. 
+ Generally, proxies should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding + processing a repeated header, with special handling for "Set-Cookie". maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: "Type specifies how to match - against the value of the header. \n - Support: Core (Exact) \n Support: Implementation-specific - (RegularExpression) \n Since RegularExpression - HeaderMatchType has implementation-specific - conformance, implementations can support - POSIX, PCRE or any other dialects of - regular expressions. Please read the - implementation's documentation to determine - the supported dialect." + description: |- + Type specifies how to match against the value of the header. + + + Support: Core (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression HeaderMatchType has implementation-specific + conformance, implementations can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's documentation to + determine the supported dialect. enum: - Exact - RegularExpression @@ -2967,10 +2873,13 @@ spec: - name x-kubernetes-list-type: map method: - description: "Method specifies HTTP method matcher. - When specified, this route will be matched - only if the request has the specified method. - \n Support: Extended" + description: |- + Method specifies HTTP method matcher. + When specified, this route will be matched only if the request has the + specified method. + + + Support: Extended enum: - GET - HEAD 
@@ -2986,16 +2895,20 @@ spec: default: type: PathPrefix value: / - description: Path specifies a HTTP request path - matcher. If this field is not specified, a - default prefix match on the "/" path is provided. + description: |- + Path specifies a HTTP request path matcher. If this field is not + specified, a default prefix match on the "/" path is provided. properties: type: default: PathPrefix - description: "Type specifies how to match - against the path Value. \n Support: Core - (Exact, PathPrefix) \n Support: Implementation-specific - (RegularExpression)" + description: |- + Type specifies how to match against the path Value. + + + Support: Core (Exact, PathPrefix) + + + Support: Implementation-specific (RegularExpression) enum: - Exact - PathPrefix 
@@ -3057,55 +2970,60 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: "QueryParams specifies HTTP query - parameter matchers. Multiple match values - are ANDed together, meaning, a request must - match all the specified query parameters to - select the route. \n Support: Extended" + description: |- + QueryParams specifies HTTP query parameter matchers. Multiple match + values are ANDed together, meaning, a request must match all the + specified query parameters to select the route. + + + Support: Extended items: - description: HTTPQueryParamMatch describes - how to select a HTTP route by matching HTTP + description: |- + HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. properties: name: - description: "Name is the name of the - HTTP query param to be matched. This - must be an exact string match. (See + description: |- + Name is the name of the HTTP query param to be matched. This must be an + exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). - \n If multiple entries specify equivalent - query param names, only the first entry - with an equivalent name MUST be considered - for a match. Subsequent entries with - an equivalent query param name MUST - be ignored. \n If a query param is repeated - in an HTTP request, the behavior is - purposely left undefined, since different - data planes have different capabilities. - However, it is *recommended* that implementations - should match against the first value - of the param if the data plane supports - it, as this behavior is expected in - other load balancing contexts outside - of the Gateway API. \n Users SHOULD - NOT route traffic based on repeated - query params to guard themselves against - potential differences in the implementations." 
+ + + If multiple entries specify equivalent query param names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST be ignored. + + + If a query param is repeated in an HTTP request, the behavior is + purposely left undefined, since different data planes have different + capabilities. However, it is *recommended* that implementations should + match against the first value of the param if the data plane supports it, + as this behavior is expected in other load balancing contexts outside of + the Gateway API. + + + Users SHOULD NOT route traffic based on repeated query params to guard + themselves against potential differences in the implementations. maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: "Type specifies how to match - against the value of the query parameter. - \n Support: Extended (Exact) \n Support: - Implementation-specific (RegularExpression) - \n Since RegularExpression QueryParamMatchType - has Implementation-specific conformance, - implementations can support POSIX, PCRE - or any other dialects of regular expressions. - Please read the implementation's documentation - to determine the supported dialect." + description: |- + Type specifies how to match against the value of the query parameter. + + + Support: Extended (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the implementation's + documentation to determine the supported dialect. enum: - Exact - RegularExpression 
@@ -3141,16 +3059,17 @@ spec: the resource registration API of the UMA server. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic endpoint: - description: The endpoint of the UMA server. The value - must coincide with the "issuer" claim of the UMA config - discovered from the well-known uma configuration endpoint. + description: |- + The endpoint of the UMA server. + The value must coincide with the "issuer" claim of the UMA config discovered from the well-known uma configuration endpoint. type: string required: - credentialsRef @@ -3169,10 +3088,10 @@ spec: - identitySource type: object when: - description: Conditions for Authorino to enforce this config. + description: |- + Conditions for Authorino to enforce this config. If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to - be enforced; otherwise, the config will be skipped. + If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. items: properties: all: 
@@ -3190,12 +3109,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied to - the content fetched from the authorization JSON, - for comparison with "value". Possible values are: - "eq" (equal to), "neq" (not equal to), "incl" (includes; - for arrays), "excl" (excludes; for arrays), "matches" - (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq 
@@ -3207,60 +3123,52 @@ spec: description: Reference to a named set of pattern expressions type: string selector: - description: Path selector to fetch content from the - authorization JSON (e.g. 'request.method'). Any - pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. Authorino custom JSON path modifiers - are also supported. + description: |- + Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + Authorino custom JSON path modifiers are also supported. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization - JSON. If used with the "matches" operator, the value - must compile to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array type: object - description: Metadata sources. Authorino fetches auth metadata - as JSON from sources specified in this config. + description: |- + Metadata sources. + Authorino fetches auth metadata as JSON from sources specified in this config. maxProperties: 14 type: object response: - description: Response items. Authorino builds custom responses - to the client of the auth request. + description: |- + Response items. + Authorino builds custom responses to the client of the auth request. properties: success: - description: Response items to be included in the auth response - when the request is authenticated and authorized. For integration - of Authorino via proxy, the proxy must use these settings - to propagate dynamic metadata and/or inject data in the - request. + description: |- + Response items to be included in the auth response when the request is authenticated and authorized. 
+ For integration of Authorino via proxy, the proxy must use these settings to propagate dynamic metadata and/or inject data in the request. properties: dynamicMetadata: additionalProperties: properties: cache: - description: Caching options for the resolved object - returned when applying this config. Omit it to - avoid caching objects for this config. + description: |- + Caching options for the resolved object returned when applying this config. + Omit it to avoid caching objects for this config. properties: key: - description: Key used to store the entry in - the cache. The resolved key must be unique - within the scope of this particular config. + description: |- + Key used to store the entry in the cache. + The resolved key must be unique within the scope of this particular config. properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template - with variables that resolve to patterns - (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" - ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -3276,25 +3184,18 @@ spec: - key type: object json: - description: JSON object Specify it as the list - of properties of the object, whose values can - combine static values and values selected from - the authorization JSON. + description: |- + JSON object + Specify it as the list of properties of the object, whose values can combine static values and values selected from the authorization JSON. properties: properties: additionalProperties: properties: selector: - description: 'Simple path selector to - fetch content from the authorization - JSON (e.g. ''request.method'') or a - string template with variables that - resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino - custom modifiers are supported: @extract:{sep:" - ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value @@ -3305,10 +3206,9 @@ spec: - properties type: object key: - description: The key used to add the custom response - item (name of the HTTP header or root property - of the Dynamic Metadata object). If omitted, it - will be set to the name of the response config. + description: |- + The key used to add the custom response item (name of the HTTP header or root property of the Dynamic Metadata object). + If omitted, it will be set to the name of the response config. type: string metrics: default: false 
@@ -3319,16 +3219,10 @@ spec: description: Plain text content properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template with - variables that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -3336,122 +3230,114 @@ spec: type: object priority: default: 0 - description: Priority group of the config. All configs - in the same priority group are evaluated concurrently; - consecutive priority groups are evaluated sequentially. + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer routeSelectors: - description: Top-level route selectors. If present, - the elements will be used to select HTTPRoute - rules that, when activated, trigger the auth rule. - At least one selected HTTPRoute rule must match - to trigger the auth rule. If no route selectors - are specified, the auth rule will be evaluated - at all requests to the protected routes. + description: |- + Top-level route selectors. + If present, the elements will be used to select HTTPRoute rules that, when activated, trigger the auth rule. + At least one selected HTTPRoute rule must match to trigger the auth rule. + If no route selectors are specified, the auth rule will be evaluated at all requests to the protected routes. 
items: - description: RouteSelector defines semantics for - matching an HTTP request based on conditions + description: |- + RouteSelector defines semantics for matching an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: Hostnames defines a set of hostname - that should match against the HTTP Host - header to select a HTTPRoute to process - the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: "Hostname is the fully qualified - domain name of a network host. This matches - the RFC 1123 definition of a hostname - with 2 notable exceptions: \n 1. IPs are - not allowed. 2. A hostname may be prefixed - with a wildcard label (`*.`). The wildcard - label must appear by itself as the first - label. \n Hostname can be \"precise\" - which is a domain name without the terminating - dot of a network host (e.g. \"foo.example.com\") - or \"wildcard\", which is a domain name - prefixed with a single wildcard label - (e.g. `*.example.com`). \n Note that as - per RFC1035 and RFC1123, a *label* must - consist of lower case alphanumeric characters - or '-', and must start and end with an - alphanumeric character. No other punctuation - is allowed." + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. 
+ + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: Matches define conditions used - for matching the rule against incoming HTTP - requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + Matches define conditions used for matching the rule against incoming HTTP requests. + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate used to match requests to a - given action. Multiple match types are - ANDed together, i.e. the match will evaluate - to true only if all conditions are satisfied. - \n For example, the match below will match - a HTTP request only if its path starts + given\naction. Multiple match types are + ANDed together, i.e. the match will\nevaluate + to true only if all conditions are satisfied.\n\n\nFor + example, the match below will match a + HTTP request only if its path\nstarts with `/foo` AND it contains the `version: - v1` header: \n ``` match: \n path: value: - \"/foo\" headers: - name: \"version\" - value \"v1\" \n ```" + v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t + \ value: \"/foo\"\n\theaders:\n\t- name: + \"version\"\n\t value \"v1\"\n\n\n```" properties: headers: - description: Headers specifies HTTP - request header matchers. Multiple - match values are ANDed together, meaning, - a request must match all the specified - headers to select the route. 
+ description: |- + Headers specifies HTTP request header matchers. Multiple match values are + ANDed together, meaning, a request must match all the specified headers + to select the route. items: - description: HTTPHeaderMatch describes - how to select a HTTP route by matching - HTTP request headers. + description: |- + HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request + headers. properties: name: - description: "Name is the name - of the HTTP Header to be matched. - Name matching MUST be case insensitive. - (See https://tools.ietf.org/html/rfc7230#section-3.2). - \n If multiple entries specify - equivalent header names, only - the first entry with an equivalent - name MUST be considered for - a match. Subsequent entries - with an equivalent header name - MUST be ignored. Due to the - case-insensitivity of header - names, \"foo\" and \"Foo\" are - considered equivalent. \n When - a header is repeated in an HTTP - request, it is implementation-specific - behavior as to how this is represented. - Generally, proxies should follow - the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 - regarding processing a repeated - header, with special handling - for \"Set-Cookie\"." + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + + + When a header is repeated in an HTTP request, it is + implementation-specific behavior as to how this is represented. 
+ Generally, proxies should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding + processing a repeated header, with special handling for "Set-Cookie". maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: "Type specifies how - to match against the value of - the header. \n Support: Core - (Exact) \n Support: Implementation-specific - (RegularExpression) \n Since - RegularExpression HeaderMatchType - has implementation-specific - conformance, implementations - can support POSIX, PCRE or any - other dialects of regular expressions. - Please read the implementation's - documentation to determine the - supported dialect." + description: |- + Type specifies how to match against the value of the header. + + + Support: Core (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression HeaderMatchType has implementation-specific + conformance, implementations can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's documentation to + determine the supported dialect. enum: - Exact - RegularExpression @@ -3472,11 +3358,13 @@ spec: - name x-kubernetes-list-type: map method: - description: "Method specifies HTTP - method matcher. When specified, this - route will be matched only if the - request has the specified method. - \n Support: Extended" + description: |- + Method specifies HTTP method matcher. + When specified, this route will be matched only if the request has the + specified method. + + + Support: Extended enum: - GET - HEAD 
@@ -3492,18 +3380,20 @@ spec: default: type: PathPrefix value: / - description: Path specifies a HTTP request - path matcher. If this field is not - specified, a default prefix match - on the "/" path is provided. + description: |- + Path specifies a HTTP request path matcher. If this field is not + specified, a default prefix match on the "/" path is provided. properties: type: default: PathPrefix - description: "Type specifies how - to match against the path Value. - \n Support: Core (Exact, PathPrefix) - \n Support: Implementation-specific - (RegularExpression)" + description: |- + Type specifies how to match against the path Value. + + + Support: Core (Exact, PathPrefix) + + + Support: Implementation-specific (RegularExpression) enum: - Exact - PathPrefix 
@@ -3574,65 +3464,60 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: "QueryParams specifies - HTTP query parameter matchers. Multiple - match values are ANDed together, meaning, - a request must match all the specified - query parameters to select the route. - \n Support: Extended" + description: |- + QueryParams specifies HTTP query parameter matchers. Multiple match + values are ANDed together, meaning, a request must match all the + specified query parameters to select the route. + + + Support: Extended items: - description: HTTPQueryParamMatch describes - how to select a HTTP route by matching - HTTP query parameters. + description: |- + HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP + query parameters. properties: name: - description: "Name is the name - of the HTTP query param to be - matched. This must be an exact - string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). - \n If multiple entries specify - equivalent query param names, - only the first entry with an - equivalent name MUST be considered - for a match. Subsequent entries - with an equivalent query param - name MUST be ignored. \n If - a query param is repeated in - an HTTP request, the behavior - is purposely left undefined, - since different data planes - have different capabilities. - However, it is *recommended* - that implementations should - match against the first value - of the param if the data plane - supports it, as this behavior - is expected in other load balancing - contexts outside of the Gateway - API. \n Users SHOULD NOT route - traffic based on repeated query - params to guard themselves against - potential differences in the - implementations." + description: |- + Name is the name of the HTTP query param to be matched. This must be an + exact string match. (See + https://tools.ietf.org/html/rfc7230#section-2.7.3). 
+ + + If multiple entries specify equivalent query param names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST be ignored. + + + If a query param is repeated in an HTTP request, the behavior is + purposely left undefined, since different data planes have different + capabilities. However, it is *recommended* that implementations should + match against the first value of the param if the data plane supports it, + as this behavior is expected in other load balancing contexts outside of + the Gateway API. + + + Users SHOULD NOT route traffic based on repeated query params to guard + themselves against potential differences in the implementations. maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: "Type specifies how - to match against the value of - the query parameter. \n Support: - Extended (Exact) \n Support: - Implementation-specific (RegularExpression) - \n Since RegularExpression QueryParamMatchType - has Implementation-specific - conformance, implementations - can support POSIX, PCRE or any - other dialects of regular expressions. - Please read the implementation's - documentation to determine the - supported dialect." + description: |- + Type specifies how to match against the value of the query parameter. + + + Support: Extended (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the implementation's + documentation to determine the supported dialect. enum: - Exact - RegularExpression 
@@ -3659,11 +3544,10 @@ spec: maxItems: 15 type: array when: - description: Conditions for Authorino to enforce - this config. If omitted, the config will be enforced - for all requests. If present, all conditions must - match for the config to be enforced; otherwise, - the config will be skipped. + description: |- + Conditions for Authorino to enforce this config. + If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. items: properties: all: @@ -3681,13 +3565,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied - to the content fetched from the authorization - JSON, for comparison with "value". Possible - values are: "eq" (equal to), "neq" (not - equal to), "incl" (includes; for arrays), - "excl" (excludes; for arrays), "matches" - (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq 
@@ -3700,18 +3580,15 @@ spec: expressions type: string selector: - description: Path selector to fetch content - from the authorization JSON (e.g. 'request.method'). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. Authorino custom JSON path - modifiers are also supported. + description: |- + Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + Authorino custom JSON path modifiers are also supported. type: string value: - description: The value of reference for the - comparison with the content fetched from - the authorization JSON. If used with the - "matches" operator, the value must compile - to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array 
@@ -3722,16 +3599,10 @@ spec: additionalProperties: properties: selector: - description: 'Simple path selector to - fetch content from the authorization - JSON (e.g. ''request.method'') or a - string template with variables that - resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino - custom modifiers are supported: @extract:{sep:" - ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value @@ -3748,11 +3619,9 @@ spec: = // matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: description: A label query over a set of resources, 
@@ -466,28 +423,24 @@ spec: selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -500,51 +453,44 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. 
Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -557,33 +503,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -596,18 +538,16 @@ spec: as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node that - violates one or more of the expressions. The node that - is most preferred is the one with the greatest sum of - weights, i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - anti-affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -626,30 +566,25 @@ spec: of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -661,53 +596,45 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. 
- Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -719,42 +646,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -763,23 +685,22 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the pod - will not be scheduled onto the node. If the anti-affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod - label update), the system may or may not try to eventually - evict the pod from its node. When there are multiple - elements, the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: description: A label query over a set of resources, 
@@ -790,28 +711,24 @@ spec: selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -824,51 +741,44 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. 
Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -881,33 +791,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -921,20 +827,21 @@ spec: anyOf: - type: integer - type: string - description: An eviction is allowed if at most "maxUnavailable" - limitador pods are unavailable after the eviction, i.e. - even in absence of the evicted pod. For example, one can - prevent all voluntary evictions by specifying 0. This is - a mutually exclusive setting with "minAvailable". + description: |- + An eviction is allowed if at most "maxUnavailable" limitador pods + are unavailable after the eviction, i.e. even in absence of + the evicted pod. For example, one can prevent all voluntary evictions + by specifying 0. This is a mutually exclusive setting with "minAvailable". x-kubernetes-int-or-string: true minAvailable: anyOf: - type: integer - type: string - description: An eviction is allowed if at least "minAvailable" - limitador pods will still be available after the eviction, - i.e. even in the absence of the evicted pod. So for example - you can prevent all voluntary evictions by specifying "100%". + description: |- + An eviction is allowed if at least "minAvailable" limitador pods will + still be available after the eviction, i.e. even in the absence of + the evicted pod. So for example you can prevent all voluntary + evictions by specifying "100%". x-kubernetes-int-or-string: true type: object replicas: 
@@ -944,19 +851,24 @@ spec: requirements. properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be - set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a - container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name @@ -972,8 +884,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -982,11 +895,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed - Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object storage: @@ -1005,17 +918,18 @@ spec: persistentVolumeClaim: properties: resources: - description: Resources represents the minimum resources - the volume should have. Ignored when VolumeName - field is set + description: |- + Resources represents the minimum resources the volume should have. + Ignored when VolumeName field is set properties: requests: anyOf: - type: integer - type: string - description: 'Storage Resource requests to be - used on the PersistentVolumeClaim. To learn - more about resource requests see: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Storage Resource requests to be used on the PersistentVolumeClaim. + To learn more about resource requests see: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true required: 
@@ -1032,14 +946,15 @@ spec: redis: properties: configSecretRef: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the same - namespace. + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -1047,14 +962,15 @@ spec: redis-cached: properties: configSecretRef: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the same - namespace. + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic 
@@ -1085,46 +1001,47 @@ spec: description: KuadrantStatus defines the observed state of Kuadrant properties: conditions: - description: 'Represents the observations of a foo''s current state. - Known .status.conditions.type are: "Available"' + description: |- + Represents the observations of a foo's current state. + Known .status.conditions.type are: "Available" items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. 
+ description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -1138,11 +1055,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/bundle/manifests/kuadrant.io_ratelimitpolicies.yaml b/bundle/manifests/kuadrant.io_ratelimitpolicies.yaml index ea10a06dc..5adb3a30b 100644 --- a/bundle/manifests/kuadrant.io_ratelimitpolicies.yaml +++ b/bundle/manifests/kuadrant.io_ratelimitpolicies.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 creationTimestamp: null labels: app: kuadrant 
@@ -48,14 +48,19 @@ spec: a Gateway API network properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -67,15 +72,16 @@ spec: description: Limit represents a complete rate limit configuration properties: counters: - description: Counters defines additional rate limit counters - based on context qualifiers and well known selectors TODO - Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors + description: |- + Counters defines additional rate limit counters based on context qualifiers and well known selectors + TODO Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors items: - description: 'ContextSelector defines one item from the well - known attributes Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes + description: |- + ContextSelector defines one item from the well known attributes + Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes Well-known selectors: https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors They are named by a dot-separated path (e.g. request.path) - Example: "request.path" -> The path portion of the URL' + Example: "request.path" -> The path portion of the URL maxLength: 253 minLength: 1 type: string @@ -95,8 +101,9 @@ spec: given period of time type: integer unit: - description: 'Duration defines the time uni Possible values - are: "second", "minute", "hour", "day"' + description: |- + Duration defines the time uni + Possible values are: "second", "minute", "hour", "day" enum: - second - minute 
@@ -113,91 +120,101 @@ spec: description: RouteSelectors defines semantics for matching an HTTP request based on conditions items: - description: RouteSelector defines semantics for matching - an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + RouteSelector defines semantics for matching an HTTP request based on conditions + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: Hostnames defines a set of hostname that - should match against the HTTP Host header to select - a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: "Hostname is the fully qualified domain - name of a network host. This matches the RFC 1123 - definition of a hostname with 2 notable exceptions: - \n 1. IPs are not allowed. 2. A hostname may be prefixed - with a wildcard label (`*.`). The wildcard label must - appear by itself as the first label. \n Hostname can - be \"precise\" which is a domain name without the - terminating dot of a network host (e.g. \"foo.example.com\") - or \"wildcard\", which is a domain name prefixed with - a single wildcard label (e.g. `*.example.com`). \n - Note that as per RFC1035 and RFC1123, a *label* must - consist of lower case alphanumeric characters or '-', - and must start and end with an alphanumeric character. - No other punctuation is allowed." + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. 
A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: Matches define conditions used for matching - the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + Matches define conditions used for matching the rule against incoming HTTP requests. + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate used - to match requests to a given action. Multiple match - types are ANDed together, i.e. the match will evaluate - to true only if all conditions are satisfied. \n For + to match requests to a given\naction. Multiple match + types are ANDed together, i.e. 
the match will\nevaluate + to true only if all conditions are satisfied.\n\n\nFor example, the match below will match a HTTP request - only if its path starts with `/foo` AND it contains - the `version: v1` header: \n ``` match: \n path: value: - \"/foo\" headers: - name: \"version\" value \"v1\" - \n ```" + only if its path\nstarts with `/foo` AND it contains + the `version: v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t + \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t + \ value \"v1\"\n\n\n```" properties: headers: - description: Headers specifies HTTP request header - matchers. Multiple match values are ANDed together, - meaning, a request must match all the specified - headers to select the route. + description: |- + Headers specifies HTTP request header matchers. Multiple match values are + ANDed together, meaning, a request must match all the specified headers + to select the route. items: - description: HTTPHeaderMatch describes how to - select a HTTP route by matching HTTP request + description: |- + HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers. properties: name: - description: "Name is the name of the HTTP - Header to be matched. Name matching MUST - be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - \n If multiple entries specify equivalent - header names, only the first entry with - an equivalent name MUST be considered for - a match. Subsequent entries with an equivalent - header name MUST be ignored. Due to the - case-insensitivity of header names, \"foo\" - and \"Foo\" are considered equivalent. \n - When a header is repeated in an HTTP request, - it is implementation-specific behavior as - to how this is represented. Generally, proxies - should follow the guidance from the RFC: - https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 - regarding processing a repeated header, - with special handling for \"Set-Cookie\"." 
+ description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + + + When a header is repeated in an HTTP request, it is + implementation-specific behavior as to how this is represented. + Generally, proxies should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding + processing a repeated header, with special handling for "Set-Cookie". maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: "Type specifies how to match - against the value of the header. \n Support: - Core (Exact) \n Support: Implementation-specific - (RegularExpression) \n Since RegularExpression - HeaderMatchType has implementation-specific - conformance, implementations can support - POSIX, PCRE or any other dialects of regular - expressions. Please read the implementation's - documentation to determine the supported - dialect." + description: |- + Type specifies how to match against the value of the header. + + + Support: Core (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression HeaderMatchType has implementation-specific + conformance, implementations can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's documentation to + determine the supported dialect. enum: - Exact - RegularExpression 
@@ -218,10 +235,13 @@ spec: - name x-kubernetes-list-type: map method: - description: "Method specifies HTTP method matcher. - When specified, this route will be matched only - if the request has the specified method. \n Support: - Extended" + description: |- + Method specifies HTTP method matcher. + When specified, this route will be matched only if the request has the + specified method. + + + Support: Extended enum: - GET - HEAD @@ -237,15 +257,20 @@ spec: default: type: PathPrefix value: / - description: Path specifies a HTTP request path - matcher. If this field is not specified, a default - prefix match on the "/" path is provided. + description: |- + Path specifies a HTTP request path matcher. If this field is not + specified, a default prefix match on the "/" path is provided. properties: type: default: PathPrefix - description: "Type specifies how to match against - the path Value. \n Support: Core (Exact, PathPrefix) - \n Support: Implementation-specific (RegularExpression)" + description: |- + Type specifies how to match against the path Value. + + + Support: Core (Exact, PathPrefix) + + + Support: Implementation-specific (RegularExpression) enum: - Exact - PathPrefix 
@@ -306,53 +331,60 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: "QueryParams specifies HTTP query parameter - matchers. Multiple match values are ANDed together, - meaning, a request must match all the specified - query parameters to select the route. \n Support: - Extended" + description: |- + QueryParams specifies HTTP query parameter matchers. Multiple match + values are ANDed together, meaning, a request must match all the + specified query parameters to select the route. + + + Support: Extended items: - description: HTTPQueryParamMatch describes how - to select a HTTP route by matching HTTP query - parameters. + description: |- + HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP + query parameters. properties: name: - description: "Name is the name of the HTTP - query param to be matched. This must be - an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). - \n If multiple entries specify equivalent - query param names, only the first entry - with an equivalent name MUST be considered - for a match. Subsequent entries with an - equivalent query param name MUST be ignored. - \n If a query param is repeated in an HTTP - request, the behavior is purposely left - undefined, since different data planes have - different capabilities. However, it is *recommended* - that implementations should match against - the first value of the param if the data - plane supports it, as this behavior is expected - in other load balancing contexts outside - of the Gateway API. \n Users SHOULD NOT - route traffic based on repeated query params - to guard themselves against potential differences - in the implementations." + description: |- + Name is the name of the HTTP query param to be matched. This must be an + exact string match. (See + https://tools.ietf.org/html/rfc7230#section-2.7.3). 
+ + + If multiple entries specify equivalent query param names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST be ignored. + + + If a query param is repeated in an HTTP request, the behavior is + purposely left undefined, since different data planes have different + capabilities. However, it is *recommended* that implementations should + match against the first value of the param if the data plane supports it, + as this behavior is expected in other load balancing contexts outside of + the Gateway API. + + + Users SHOULD NOT route traffic based on repeated query params to guard + themselves against potential differences in the implementations. maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: "Type specifies how to match - against the value of the query parameter. - \n Support: Extended (Exact) \n Support: - Implementation-specific (RegularExpression) - \n Since RegularExpression QueryParamMatchType - has Implementation-specific conformance, - implementations can support POSIX, PCRE - or any other dialects of regular expressions. - Please read the implementation's documentation - to determine the supported dialect." + description: |- + Type specifies how to match against the value of the query parameter. + + + Support: Extended (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the implementation's + documentation to determine the supported dialect. enum: - Exact - RegularExpression 
@@ -379,17 +411,18 @@ spec: maxItems: 15 type: array when: - description: When holds the list of conditions for the policy - to be enforced. Called also "soft" conditions as route selectors - must also match + description: |- + When holds the list of conditions for the policy to be enforced. + Called also "soft" conditions as route selectors must also match items: - description: RouteSelector defines semantics for matching - an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + RouteSelector defines semantics for matching an HTTP request based on conditions + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: operator: - description: 'The binary operator to be applied to the - content fetched from the selector Possible values are: - "eq" (equal to), "neq" (not equal to)' + description: |- + The binary operator to be applied to the content fetched from the selector + Possible values are: "eq" (equal to), "neq" (not equal to) enum: - eq - neq @@ -400,9 +433,9 @@ spec: - matches type: string selector: - description: Selector defines one item from the well known - selectors TODO Document properly "Well-known selector" - https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors + description: |- + Selector defines one item from the well known selectors + TODO Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors maxLength: 253 minLength: 1 type: string 
@@ -440,10 +473,11 @@ spec: minLength: 1 type: string namespace: - description: Namespace is the namespace of the referent. When - unspecified, the local namespace is inferred. Even when policy - targets a resource in a different namespace, it MUST only apply - to traffic originating from the same namespace as the policy. + description: |- + Namespace is the namespace of the referent. When unspecified, the local + namespace is inferred. Even when policy targets a resource in a different + namespace, it MUST only apply to traffic originating from the same + namespace as the policy. maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 
@@ -470,46 +504,47 @@ spec: description: RateLimitPolicyStatus defines the observed state of RateLimitPolicy properties: conditions: - description: 'Represents the observations of a foo''s current state. - Known .status.conditions.type are: "Available"' + description: |- + Represents the observations of a foo's current state. + Known .status.conditions.type are: "Available" items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. 
+ description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -523,11 +558,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/bundle/manifests/kuadrant.io_tlspolicies.yaml b/bundle/manifests/kuadrant.io_tlspolicies.yaml index 1eeeec992..4968eb806 100644 --- a/bundle/manifests/kuadrant.io_tlspolicies.yaml +++ b/bundle/manifests/kuadrant.io_tlspolicies.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 creationTimestamp: null labels: app: kuadrant 
@@ -42,14 +42,19 @@ spec: description: TLSPolicy is the Schema for the tlspolicies API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -57,26 +62,30 @@ spec: description: TLSPolicySpec defines the desired state of TLSPolicy properties: commonName: - description: 'CommonName is a common name to be used on the Certificate. - The CommonName should have a length of 64 characters or fewer to - avoid generating invalid CSRs. This value is ignored by TLS clients - when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' + description: |- + CommonName is a common name to be used on the Certificate. + The CommonName should have a length of 64 characters or fewer to avoid + generating invalid CSRs. + This value is ignored by TLS clients when any subject alt name is set. + This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4 type: string duration: - description: The requested 'duration' (i.e. lifetime) of the Certificate. - This option may be ignored/overridden by some issuer types. If unset - this defaults to 90 days. Certificate will be renewed either 2/3 - through its duration or `renewBefore` period before its expiry, - whichever is later. Minimum accepted duration is 1 hour. Value must - be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + description: |- + The requested 'duration' (i.e. lifetime) of the Certificate. This option + may be ignored/overridden by some issuer types. If unset this defaults to + 90 days. Certificate will be renewed either 2/3 through its duration or + `renewBefore` period before its expiry, whichever is later. Minimum + accepted duration is 1 hour. Value must be in units accepted by Go + time.ParseDuration https://golang.org/pkg/time/#ParseDuration type: string issuerRef: - description: IssuerRef is a reference to the issuer for this certificate. + description: |- + IssuerRef is a reference to the issuer for this certificate. 
If the `kind` field is not set, or set to `Issuer`, an Issuer resource - with the given name in the same namespace as the Certificate will - be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer - with the provided name will be used. The `name` field in this stanza - is required at all times. + with the given name in the same namespace as the Certificate will be used. + If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the + provided name will be used. + The `name` field in this stanza is required at all times. properties: group: description: Group of the resource being referred to. 
@@ -94,75 +103,81 @@ spec: description: Options to control private keys used for the Certificate. properties: algorithm: - description: Algorithm is the private key algorithm of the corresponding - private key for this certificate. If provided, allowed values - are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified - and `size` is not provided, key size of 256 will be used for - `ECDSA` key algorithm and key size of 2048 will be used for - `RSA` key algorithm. key size is ignored when using the `Ed25519` - key algorithm. + description: |- + Algorithm is the private key algorithm of the corresponding private key + for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA` + If `algorithm` is specified and `size` is not provided, + key size of 256 will be used for `ECDSA` key algorithm and + key size of 2048 will be used for `RSA` key algorithm. + key size is ignored when using the `Ed25519` key algorithm. enum: - RSA - ECDSA - Ed25519 type: string encoding: - description: The private key cryptography standards (PKCS) encoding - for this certificate's private key to be encoded in. If provided, - allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and - PKCS#8, respectively. Defaults to `PKCS1` if not specified. + description: |- + The private key cryptography standards (PKCS) encoding for this + certificate's private key to be encoded in. + If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 + and PKCS#8, respectively. + Defaults to `PKCS1` if not specified. enum: - PKCS1 - PKCS8 type: string rotationPolicy: - description: RotationPolicy controls how private keys should be - regenerated when a re-issuance is being processed. If set to - Never, a private key will only be generated if one does not - already exist in the target `spec.secretName`. If one does exists - but it does not have the correct algorithm or size, a warning - will be raised to await user intervention. 
If set to Always, - a private key matching the specified requirements will be generated - whenever a re-issuance occurs. Default is 'Never' for backward - compatibility. + description: |- + RotationPolicy controls how private keys should be regenerated when a + re-issuance is being processed. + If set to Never, a private key will only be generated if one does not + already exist in the target `spec.secretName`. If one does exists but it + does not have the correct algorithm or size, a warning will be raised + to await user intervention. + If set to Always, a private key matching the specified requirements + will be generated whenever a re-issuance occurs. + Default is 'Never' for backward compatibility. enum: - Never - Always type: string size: - description: Size is the key bit size of the corresponding private - key for this certificate. If `algorithm` is set to `RSA`, valid - values are `2048`, `4096` or `8192`, and will default to `2048` - if not specified. If `algorithm` is set to `ECDSA`, valid values - are `256`, `384` or `521`, and will default to `256` if not - specified. If `algorithm` is set to `Ed25519`, Size is ignored. + description: |- + Size is the key bit size of the corresponding private key for this certificate. + If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, + and will default to `2048` if not specified. + If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, + and will default to `256` if not specified. + If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed. type: integer type: object renewBefore: - description: How long before the currently issued certificate's expiry - cert-manager should renew the certificate. The default is 2/3 of - the issued certificate's duration. Minimum accepted value is 5 minutes. 
- Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + description: |- + How long before the currently issued certificate's expiry + cert-manager should renew the certificate. The default is 2/3 of the + issued certificate's duration. Minimum accepted value is 5 minutes. + Value must be in units accepted by Go time.ParseDuration + https://golang.org/pkg/time/#ParseDuration type: string revisionHistoryLimit: - description: RevisionHistoryLimit is the maximum number of CertificateRequest - revisions that are maintained in the Certificate's history. Each - revision represents a single `CertificateRequest` created by this - Certificate, either when it was created, renewed, or Spec was changed. - Revisions will be removed by oldest first if the number of revisions - exceeds this number. If set, revisionHistoryLimit must be a value - of `1` or greater. If unset (`nil`), revisions will not be garbage - collected. Default value is `nil`. + description: |- + RevisionHistoryLimit is the maximum number of CertificateRequest revisions + that are maintained in the Certificate's history. Each revision represents + a single `CertificateRequest` created by this Certificate, either when it + was created, renewed, or Spec was changed. Revisions will be removed by + oldest first if the number of revisions exceeds this number. If set, + revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), + revisions will not be garbage collected. Default value is `nil`. format: int32 type: integer targetRef: - description: PolicyTargetReference identifies an API object to apply - a direct or inherited policy to. This should be used as part of - Policy resources that can target Gateway API resources. For more - information on how this policy attachment model works, and a sample - Policy resource, refer to the policy attachment documentation for - Gateway API. 
+ description: |- + PolicyTargetReference identifies an API object to apply a direct or + inherited policy to. This should be used as part of Policy resources + that can target Gateway API resources. For more information on how this + policy attachment model works, and a sample Policy resource, refer to + the policy attachment documentation for Gateway API. properties: group: description: Group is the group of the target resource. @@ -181,10 +196,11 @@ spec: minLength: 1 type: string namespace: - description: Namespace is the namespace of the referent. When - unspecified, the local namespace is inferred. Even when policy - targets a resource in a different namespace, it MUST only apply - to traffic originating from the same namespace as the policy. + description: |- + Namespace is the namespace of the referent. When unspecified, the local + namespace is inferred. Even when policy targets a resource in a different + namespace, it MUST only apply to traffic originating from the same + namespace as the policy. maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 
@@ -195,19 +211,41 @@ spec: - name type: object usages: - description: Usages is the set of x509 usages that are requested for - the certificate. Defaults to `digital signature` and `key encipherment` - if not specified. + description: |- + Usages is the set of x509 usages that are requested for the certificate. + Defaults to `digital signature` and `key encipherment` if not specified. items: - description: "KeyUsage specifies valid usage contexts for keys. - See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - \n Valid KeyUsage values are as follows: \"signing\", \"digital - signature\", \"content commitment\", \"key encipherment\", \"key - agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", - \"encipher only\", \"decipher only\", \"any\", \"server auth\", - \"client auth\", \"code signing\", \"email protection\", \"s/mime\", - \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", - \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" + description: |- + KeyUsage specifies valid usage contexts for keys. + See: + https://tools.ietf.org/html/rfc5280#section-4.2.1.3 + https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + + + Valid KeyUsage values are as follows: + "signing", + "digital signature", + "content commitment", + "key encipherment", + "key agreement", + "data encipherment", + "cert sign", + "crl sign", + "encipher only", + "decipher only", + "any", + "server auth", + "client auth", + "code signing", + "email protection", + "s/mime", + "ipsec end system", + "ipsec tunnel", + "ipsec user", + "timestamping", + "ocsp signing", + "microsoft sgc", + "netscape sgc" enum: - signing - digital signature 
@@ -242,47 +280,50 @@ spec: description: TLSPolicyStatus defines the observed state of TLSPolicy properties: conditions: - description: "conditions are any conditions associated with the policy - \n If configuring the policy fails, the \"Failed\" condition will - be set with a reason and message describing the cause of the failure." + description: |- + conditions are any conditions associated with the policy + + + If configuring the policy fails, the "Failed" condition will be set with a + reason and message describing the cause of the failure. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. 
This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. 
+ The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -296,11 +337,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -313,10 +355,11 @@ spec: type: object type: array observedGeneration: - description: observedGeneration is the most recently observed generation - of the TLSPolicy. When the TLSPolicy is updated, the controller - updates the corresponding configuration. If an update fails, that - failure is recorded in the status condition + description: |- + observedGeneration is the most recently observed generation of the + TLSPolicy. When the TLSPolicy is updated, the controller updates the + corresponding configuration. If an update fails, that failure is + recorded in the status condition format: int64 type: integer type: object diff --git a/config/crd/bases/kuadrant.io_authpolicies.yaml b/config/crd/bases/kuadrant.io_authpolicies.yaml index f538eb114..0781539d3 100644 --- a/config/crd/bases/kuadrant.io_authpolicies.yaml +++ b/config/crd/bases/kuadrant.io_authpolicies.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gateway.networking.k8s.io/policy: direct name: authpolicies.kuadrant.io @@ -47,14 +47,19 @@ spec: workloads in a Gateway API network properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -65,11 +70,9 @@ spec: items: properties: operator: - description: 'The binary operator to be applied to the content - fetched from the authorization JSON, for comparison with - "value". Possible values are: "eq" (equal to), "neq" (not - equal to), "incl" (includes; for arrays), "excl" (excludes; - for arrays), "matches" (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq @@ -78,16 +81,15 @@ spec: - matches type: string selector: - description: Path selector to fetch content from the authorization - JSON (e.g. 'request.method'). Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. Authorino custom JSON path modifiers are also - supported. + description: |- + Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + Authorino custom JSON path modifiers are also supported. type: string value: - description: The value of reference for the comparison with - the content fetched from the authorization JSON. If used - with the "matches" operator, the value must compile to a - valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array 
@@ -95,91 +97,106 @@ spec: conditions and in pattern-matching authorization policy rules. type: object routeSelectors: - description: Top-level route selectors. If present, the elements will - be used to select HTTPRoute rules that, when activated, trigger - the external authorization service. At least one selected HTTPRoute - rule must match to trigger the AuthPolicy. If no route selectors - are specified, the AuthPolicy will be enforced at all requests to - the protected routes. + description: |- + Top-level route selectors. + If present, the elements will be used to select HTTPRoute rules that, when activated, trigger the external authorization service. + At least one selected HTTPRoute rule must match to trigger the AuthPolicy. + If no route selectors are specified, the AuthPolicy will be enforced at all requests to the protected routes. items: - description: RouteSelector defines semantics for matching an HTTP - request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + RouteSelector defines semantics for matching an HTTP request based on conditions + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: Hostnames defines a set of hostname that should - match against the HTTP Host header to select a HTTPRoute to - process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: "Hostname is the fully qualified domain name - of a network host. This matches the RFC 1123 definition - of a hostname with 2 notable exceptions: \n 1. IPs are not - allowed. 2. 
A hostname may be prefixed with a wildcard label - (`*.`). The wildcard label must appear by itself as the - first label. \n Hostname can be \"precise\" which is a domain - name without the terminating dot of a network host (e.g. - \"foo.example.com\") or \"wildcard\", which is a domain - name prefixed with a single wildcard label (e.g. `*.example.com`). - \n Note that as per RFC1035 and RFC1123, a *label* must - consist of lower case alphanumeric characters or '-', and - must start and end with an alphanumeric character. No other - punctuation is allowed." + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: Matches define conditions used for matching the - rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + Matches define conditions used for matching the rule against incoming HTTP requests. + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate used to - match requests to a given action. 
Multiple match types are - ANDed together, i.e. the match will evaluate to true only - if all conditions are satisfied. \n For example, the match - below will match a HTTP request only if its path starts - with `/foo` AND it contains the `version: v1` header: \n - ``` match: \n path: value: \"/foo\" headers: - name: \"version\" - value \"v1\" \n ```" + match requests to a given\naction. Multiple match types + are ANDed together, i.e. the match will\nevaluate to true + only if all conditions are satisfied.\n\n\nFor example, + the match below will match a HTTP request only if its path\nstarts + with `/foo` AND it contains the `version: v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t + \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t + \ value \"v1\"\n\n\n```" properties: headers: - description: Headers specifies HTTP request header matchers. - Multiple match values are ANDed together, meaning, a - request must match all the specified headers to select - the route. + description: |- + Headers specifies HTTP request header matchers. Multiple match values are + ANDed together, meaning, a request must match all the specified headers + to select the route. items: - description: HTTPHeaderMatch describes how to select - a HTTP route by matching HTTP request headers. + description: |- + HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request + headers. properties: name: - description: "Name is the name of the HTTP Header - to be matched. Name matching MUST be case insensitive. - (See https://tools.ietf.org/html/rfc7230#section-3.2). - \n If multiple entries specify equivalent header - names, only the first entry with an equivalent - name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be - ignored. Due to the case-insensitivity of header - names, \"foo\" and \"Foo\" are considered equivalent. 
- \n When a header is repeated in an HTTP request, - it is implementation-specific behavior as to how - this is represented. Generally, proxies should - follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 - regarding processing a repeated header, with special - handling for \"Set-Cookie\"." + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + + + When a header is repeated in an HTTP request, it is + implementation-specific behavior as to how this is represented. + Generally, proxies should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding + processing a repeated header, with special handling for "Set-Cookie". maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: "Type specifies how to match against - the value of the header. \n Support: Core (Exact) - \n Support: Implementation-specific (RegularExpression) - \n Since RegularExpression HeaderMatchType has - implementation-specific conformance, implementations - can support POSIX, PCRE or any other dialects - of regular expressions. Please read the implementation's - documentation to determine the supported dialect." + description: |- + Type specifies how to match against the value of the header. 
+ + + Support: Core (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression HeaderMatchType has implementation-specific + conformance, implementations can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's documentation to + determine the supported dialect. enum: - Exact - RegularExpression @@ -200,9 +217,13 @@ spec: - name x-kubernetes-list-type: map method: - description: "Method specifies HTTP method matcher. When - specified, this route will be matched only if the request - has the specified method. \n Support: Extended" + description: |- + Method specifies HTTP method matcher. + When specified, this route will be matched only if the request has the + specified method. + + + Support: Extended enum: - GET - HEAD @@ -218,15 +239,20 @@ spec: default: type: PathPrefix value: / - description: Path specifies a HTTP request path matcher. - If this field is not specified, a default prefix match - on the "/" path is provided. + description: |- + Path specifies a HTTP request path matcher. If this field is not + specified, a default prefix match on the "/" path is provided. properties: type: default: PathPrefix - description: "Type specifies how to match against - the path Value. \n Support: Core (Exact, PathPrefix) - \n Support: Implementation-specific (RegularExpression)" + description: |- + Type specifies how to match against the path Value. + + + Support: Core (Exact, PathPrefix) + + + Support: Implementation-specific (RegularExpression) enum: - Exact - PathPrefix 
@@ -285,48 +311,60 @@ spec: rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: "QueryParams specifies HTTP query parameter - matchers. Multiple match values are ANDed together, - meaning, a request must match all the specified query - parameters to select the route. \n Support: Extended" + description: |- + QueryParams specifies HTTP query parameter matchers. Multiple match + values are ANDed together, meaning, a request must match all the + specified query parameters to select the route. + + + Support: Extended items: - description: HTTPQueryParamMatch describes how to select - a HTTP route by matching HTTP query parameters. + description: |- + HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP + query parameters. properties: name: - description: "Name is the name of the HTTP query - param to be matched. This must be an exact string - match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). - \n If multiple entries specify equivalent query - param names, only the first entry with an equivalent - name MUST be considered for a match. Subsequent - entries with an equivalent query param name MUST - be ignored. \n If a query param is repeated in - an HTTP request, the behavior is purposely left - undefined, since different data planes have different - capabilities. However, it is *recommended* that - implementations should match against the first - value of the param if the data plane supports - it, as this behavior is expected in other load - balancing contexts outside of the Gateway API. - \n Users SHOULD NOT route traffic based on repeated - query params to guard themselves against potential - differences in the implementations." + description: |- + Name is the name of the HTTP query param to be matched. This must be an + exact string match. (See + https://tools.ietf.org/html/rfc7230#section-2.7.3). 
+ + + If multiple entries specify equivalent query param names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST be ignored. + + + If a query param is repeated in an HTTP request, the behavior is + purposely left undefined, since different data planes have different + capabilities. However, it is *recommended* that implementations should + match against the first value of the param if the data plane supports it, + as this behavior is expected in other load balancing contexts outside of + the Gateway API. + + + Users SHOULD NOT route traffic based on repeated query params to guard + themselves against potential differences in the implementations. maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: "Type specifies how to match against - the value of the query parameter. \n Support: - Extended (Exact) \n Support: Implementation-specific - (RegularExpression) \n Since RegularExpression - QueryParamMatchType has Implementation-specific - conformance, implementations can support POSIX, - PCRE or any other dialects of regular expressions. - Please read the implementation's documentation - to determine the supported dialect." + description: |- + Type specifies how to match against the value of the query parameter. + + + Support: Extended (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the implementation's + documentation to determine the supported dialect. enum: - Exact - RegularExpression 
@@ -353,8 +391,9 @@ spec: maxItems: 15 type: array rules: - description: The auth rules of the policy. See Authorino's AuthConfig - CRD for more details. + description: |- + The auth rules of the policy. + See Authorino's AuthConfig CRD for more details. properties: authentication: additionalProperties: @@ -368,10 +407,9 @@ spec: properties: allNamespaces: default: false - description: Whether Authorino should look for API key - secrets in all namespaces or only in the same namespace - as the AuthConfig. Enabling this option in namespaced - Authorino instances has no effect. + description: |- + Whether Authorino should look for API key secrets in all namespaces or only in the same namespace as the AuthConfig. + Enabling this option in namespaced Authorino instances has no effect. type: boolean selector: description: Label selector used by Authorino to match 
@@ -382,26 +420,25 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -413,12 +450,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -426,24 +461,20 @@ spec: - selector type: object cache: - description: Caching options for the resolved object returned - when applying this config. Omit it to avoid caching objects - for this config. + description: |- + Caching options for the resolved object returned when applying this config. + Omit it to avoid caching objects for this config. properties: key: - description: Key used to store the entry in the cache. - The resolved key must be unique within the scope of - this particular config. + description: |- + Key used to store the entry in the cache. + The resolved key must be unique within the scope of this particular config. properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve - to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom modifiers - are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -458,11 +489,9 @@ spec: - key type: object credentials: - description: Defines where credentials are required to be - passed in the request for authentication based on this - config. If omitted, it defaults to credentials passed - in the HTTP Authorization header and the "Bearer" prefix - prepended to the secret credential value. + description: |- + Defines where credentials are required to be passed in the request for authentication based on this config. + If omitted, it defaults to credentials passed in the HTTP Authorization header and the "Bearer" prefix prepended to the secret credential value. properties: authorizationHeader: properties: 
@@ -495,56 +524,45 @@ spec: additionalProperties: properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve - to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom modifiers - are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object - description: Set default property values (claims) for the - resolved identity object, that are set before appending - the object to the authorization JSON. If the property - is already present in the resolved identity object, the - default value is ignored. It requires the resolved identity - object to always be a JSON object. Do not use this option - with identity objects of other JSON types (array, string, - etc). + description: |- + Set default property values (claims) for the resolved identity object, that are set before appending the object to + the authorization JSON. If the property is already present in the resolved identity object, the default value is ignored. + It requires the resolved identity object to always be a JSON object. + Do not use this option with identity objects of other JSON types (array, string, etc). 
type: object jwt: description: Authentication based on JWT tokens. properties: issuerUrl: - description: URL of the issuer of the JWT. If `jwksUrl` - is omitted, Authorino will append the path to the - OpenID Connect Well-Known Discovery endpoint (i.e. - "/.well-known/openid-configuration") to this URL, - to discover the OIDC configuration where to obtain - the "jkws_uri" claim from. The value must coincide - with the value of the "iss" (issuer) claim of the - discovered OpenID Connect configuration. + description: |- + URL of the issuer of the JWT. + If `jwksUrl` is omitted, Authorino will append the path to the OpenID Connect Well-Known Discovery endpoint + (i.e. "/.well-known/openid-configuration") to this URL, to discover the OIDC configuration where to obtain + the "jkws_uri" claim from. + The value must coincide with the value of the "iss" (issuer) claim of the discovered OpenID Connect configuration. type: string ttl: - description: Decides how long to wait before refreshing - the JWKS (in seconds). If omitted, Authorino will - never refresh the JWKS. + description: |- + Decides how long to wait before refreshing the JWKS (in seconds). + If omitted, Authorino will never refresh the JWKS. type: integer type: object kubernetesTokenReview: description: Authentication by Kubernetes token review. properties: audiences: - description: The list of audiences (scopes) that must - be claimed in a Kubernetes authentication token supplied - in the request, and reviewed by Authorino. If omitted, - Authorino will review tokens expecting the host name - of the requested protected service amongst the audiences. + description: |- + The list of audiences (scopes) that must be claimed in a Kubernetes authentication token supplied in the request, and reviewed by Authorino. + If omitted, Authorino will review tokens expecting the host name of the requested protected service amongst the audiences. items: type: string type: array 
@@ -563,9 +581,10 @@ spec: the OAuth2 server. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -574,7 +593,8 @@ spec: endpoint. type: string tokenTypeHint: - description: The token type hint for the token introspection. + description: |- + The token type hint for the token introspection. If omitted, it defaults to "access_token". type: string required: 
@@ -585,145 +605,144 @@ spec: additionalProperties: properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve - to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom modifiers - are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object - description: Overrides the resolved identity object by setting - the additional properties (claims) specified in this config, + description: |- + Overrides the resolved identity object by setting the additional properties (claims) specified in this config, before appending the object to the authorization JSON. - It requires the resolved identity object to always be - a JSON object. Do not use this option with identity objects - of other JSON types (array, string, etc). + It requires the resolved identity object to always be a JSON object. + Do not use this option with identity objects of other JSON types (array, string, etc). type: object plain: - description: Identity object extracted from the context. - Use this method when authentication is performed beforehand - by a proxy and the resulting object passed to Authorino - as JSON in the auth request. 
+ description: |- + Identity object extracted from the context. + Use this method when authentication is performed beforehand by a proxy and the resulting object passed to Authorino as JSON in the auth request. properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve to - patterns (e.g. "Hello, {auth.identity.name}!"). Any - pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom modifiers - are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string required: - selector type: object priority: default: 0 - description: Priority group of the config. All configs in - the same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer routeSelectors: - description: Top-level route selectors. If present, the - elements will be used to select HTTPRoute rules that, - when activated, trigger the auth rule. At least one selected - HTTPRoute rule must match to trigger the auth rule. If - no route selectors are specified, the auth rule will be - evaluated at all requests to the protected routes. + description: |- + Top-level route selectors. 
+ If present, the elements will be used to select HTTPRoute rules that, when activated, trigger the auth rule. + At least one selected HTTPRoute rule must match to trigger the auth rule. + If no route selectors are specified, the auth rule will be evaluated at all requests to the protected routes. items: - description: RouteSelector defines semantics for matching - an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + RouteSelector defines semantics for matching an HTTP request based on conditions + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: Hostnames defines a set of hostname that - should match against the HTTP Host header to select - a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: "Hostname is the fully qualified domain - name of a network host. This matches the RFC 1123 - definition of a hostname with 2 notable exceptions: - \n 1. IPs are not allowed. 2. A hostname may be - prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - \n Hostname can be \"precise\" which is a domain - name without the terminating dot of a network - host (e.g. \"foo.example.com\") or \"wildcard\", - which is a domain name prefixed with a single - wildcard label (e.g. `*.example.com`). \n Note - that as per RFC1035 and RFC1123, a *label* must - consist of lower case alphanumeric characters - or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed." 
+ description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: Matches define conditions used for matching - the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + Matches define conditions used for matching the rule against incoming HTTP requests. + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate - used to match requests to a given action. Multiple + used to match requests to a given\naction. Multiple match types are ANDed together, i.e. the match - will evaluate to true only if all conditions are - satisfied. 
\n For example, the match below will - match a HTTP request only if its path starts with - `/foo` AND it contains the `version: v1` header: - \n ``` match: \n path: value: \"/foo\" headers: - - name: \"version\" value \"v1\" \n ```" + will\nevaluate to true only if all conditions + are satisfied.\n\n\nFor example, the match below + will match a HTTP request only if its path\nstarts + with `/foo` AND it contains the `version: v1` + header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t value: + \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t + \ value \"v1\"\n\n\n```" properties: headers: - description: Headers specifies HTTP request - header matchers. Multiple match values are - ANDed together, meaning, a request must match - all the specified headers to select the route. + description: |- + Headers specifies HTTP request header matchers. Multiple match values are + ANDed together, meaning, a request must match all the specified headers + to select the route. items: - description: HTTPHeaderMatch describes how - to select a HTTP route by matching HTTP - request headers. + description: |- + HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request + headers. properties: name: - description: "Name is the name of the - HTTP Header to be matched. Name matching - MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - \n If multiple entries specify equivalent - header names, only the first entry with - an equivalent name MUST be considered - for a match. Subsequent entries with - an equivalent header name MUST be ignored. - Due to the case-insensitivity of header - names, \"foo\" and \"Foo\" are considered - equivalent. \n When a header is repeated - in an HTTP request, it is implementation-specific - behavior as to how this is represented. 
- Generally, proxies should follow the - guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 - regarding processing a repeated header, - with special handling for \"Set-Cookie\"." + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + + + When a header is repeated in an HTTP request, it is + implementation-specific behavior as to how this is represented. + Generally, proxies should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding + processing a repeated header, with special handling for "Set-Cookie". maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: "Type specifies how to match - against the value of the header. \n - Support: Core (Exact) \n Support: Implementation-specific - (RegularExpression) \n Since RegularExpression - HeaderMatchType has implementation-specific - conformance, implementations can support - POSIX, PCRE or any other dialects of - regular expressions. Please read the - implementation's documentation to determine - the supported dialect." + description: |- + Type specifies how to match against the value of the header. + + + Support: Core (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression HeaderMatchType has implementation-specific + conformance, implementations can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's documentation to + determine the supported dialect. 
enum: - Exact - RegularExpression @@ -744,10 +763,13 @@ spec: - name x-kubernetes-list-type: map method: - description: "Method specifies HTTP method matcher. - When specified, this route will be matched - only if the request has the specified method. - \n Support: Extended" + description: |- + Method specifies HTTP method matcher. + When specified, this route will be matched only if the request has the + specified method. + + + Support: Extended enum: - GET - HEAD @@ -763,16 +785,20 @@ spec: default: type: PathPrefix value: / - description: Path specifies a HTTP request path - matcher. If this field is not specified, a - default prefix match on the "/" path is provided. + description: |- + Path specifies a HTTP request path matcher. If this field is not + specified, a default prefix match on the "/" path is provided. properties: type: default: PathPrefix - description: "Type specifies how to match - against the path Value. \n Support: Core - (Exact, PathPrefix) \n Support: Implementation-specific - (RegularExpression)" + description: |- + Type specifies how to match against the path Value. + + + Support: Core (Exact, PathPrefix) + + + Support: Implementation-specific (RegularExpression) enum: - Exact - PathPrefix 
@@ -834,55 +860,60 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: "QueryParams specifies HTTP query - parameter matchers. Multiple match values - are ANDed together, meaning, a request must - match all the specified query parameters to - select the route. \n Support: Extended" + description: |- + QueryParams specifies HTTP query parameter matchers. Multiple match + values are ANDed together, meaning, a request must match all the + specified query parameters to select the route. + + + Support: Extended items: - description: HTTPQueryParamMatch describes - how to select a HTTP route by matching HTTP + description: |- + HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. properties: name: - description: "Name is the name of the - HTTP query param to be matched. This - must be an exact string match. (See + description: |- + Name is the name of the HTTP query param to be matched. This must be an + exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). - \n If multiple entries specify equivalent - query param names, only the first entry - with an equivalent name MUST be considered - for a match. Subsequent entries with - an equivalent query param name MUST - be ignored. \n If a query param is repeated - in an HTTP request, the behavior is - purposely left undefined, since different - data planes have different capabilities. - However, it is *recommended* that implementations - should match against the first value - of the param if the data plane supports - it, as this behavior is expected in - other load balancing contexts outside - of the Gateway API. \n Users SHOULD - NOT route traffic based on repeated - query params to guard themselves against - potential differences in the implementations." 
+ + + If multiple entries specify equivalent query param names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST be ignored. + + + If a query param is repeated in an HTTP request, the behavior is + purposely left undefined, since different data planes have different + capabilities. However, it is *recommended* that implementations should + match against the first value of the param if the data plane supports it, + as this behavior is expected in other load balancing contexts outside of + the Gateway API. + + + Users SHOULD NOT route traffic based on repeated query params to guard + themselves against potential differences in the implementations. maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: "Type specifies how to match - against the value of the query parameter. - \n Support: Extended (Exact) \n Support: - Implementation-specific (RegularExpression) - \n Since RegularExpression QueryParamMatchType - has Implementation-specific conformance, - implementations can support POSIX, PCRE - or any other dialects of regular expressions. - Please read the implementation's documentation - to determine the supported dialect." + description: |- + Type specifies how to match against the value of the query parameter. + + + Support: Extended (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the implementation's + documentation to determine the supported dialect. enum: - Exact - RegularExpression 
@@ -909,10 +940,10 @@ spec: maxItems: 15 type: array when: - description: Conditions for Authorino to enforce this config. + description: |- + Conditions for Authorino to enforce this config. If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to - be enforced; otherwise, the config will be skipped. + If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. items: properties: all: @@ -930,12 +961,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied to - the content fetched from the authorization JSON, - for comparison with "value". Possible values are: - "eq" (equal to), "neq" (not equal to), "incl" (includes; - for arrays), "excl" (excludes; for arrays), "matches" - (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq 
@@ -947,63 +975,57 @@ spec: description: Reference to a named set of pattern expressions type: string selector: - description: Path selector to fetch content from the - authorization JSON (e.g. 'request.method'). Any - pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. Authorino custom JSON path modifiers - are also supported. + description: |- + Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + Authorino custom JSON path modifiers are also supported. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization - JSON. If used with the "matches" operator, the value - must compile to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array x509: - description: Authentication based on client X.509 certificates. - The certificates presented by the clients must be signed - by a trusted CA whose certificates are stored in Kubernetes - secrets. + description: |- + Authentication based on client X.509 certificates. + The certificates presented by the clients must be signed by a trusted CA whose certificates are stored in Kubernetes secrets. properties: allNamespaces: default: false - description: Whether Authorino should look for TLS secrets - in all namespaces or only in the same namespace as - the AuthConfig. Enabling this option in namespaced - Authorino instances has no effect. + description: |- + Whether Authorino should look for TLS secrets in all namespaces or only in the same namespace as the AuthConfig. + Enabling this option in namespaced Authorino instances has no effect. 
type: boolean selector: - description: Label selector used by Authorino to match - secrets from the cluster storing trusted CA certificates - to validate clients trying to authenticate to this - service + description: |- + Label selector used by Authorino to match secrets from the cluster storing trusted CA certificates to validate + clients trying to authenticate to this service properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1015,12 +1037,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1028,33 +1048,29 @@ spec: - selector type: object type: object - description: Authentication configs. At least one config MUST - evaluate to a valid identity object for the auth request to - be successful. + description: |- + Authentication configs. + At least one config MUST evaluate to a valid identity object for the auth request to be successful. maxProperties: 14 type: object authorization: additionalProperties: properties: cache: - description: Caching options for the resolved object returned - when applying this config. Omit it to avoid caching objects - for this config. + description: |- + Caching options for the resolved object returned when applying this config. + Omit it to avoid caching objects for this config. properties: key: - description: Key used to store the entry in the cache. - The resolved key must be unique within the scope of - this particular config. + description: |- + Key used to store the entry in the cache. + The resolved key must be unique within the scope of this particular config. properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve - to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom modifiers - are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. 
type: string value: description: Static value 
@@ -1079,47 +1095,35 @@ spec: type: string type: array resourceAttributes: - description: Use resourceAttributes to check permissions - on Kubernetes resources. If omitted, it performs a - non-resource SubjectAccessReview, with verb and path - inferred from the request. + description: |- + Use resourceAttributes to check permissions on Kubernetes resources. + If omitted, it performs a non-resource SubjectAccessReview, with verb and path inferred from the request. properties: group: - description: API group of the resource. Use '*' - for all API groups. + description: |- + API group of the resource. + Use '*' for all API groups. properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template with - variables that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object name: - description: Resource name Omit it to check for - authorization on all resources of the specified - kind. + description: |- + Resource name + Omit it to check for authorization on all resources of the specified kind. 
properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template with - variables that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -1130,36 +1134,25 @@ spec: permissions on the resource. properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template with - variables that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object resource: - description: Resource kind Use '*' for all resource - kinds. + description: |- + Resource kind + Use '*' for all resource kinds. properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template with - variables that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
+ Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -1169,36 +1162,25 @@ spec: description: Subresource kind properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template with - variables that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object verb: - description: Verb to check for authorization on - the resource. Use '*' for all verbs. + description: |- + Verb to check for authorization on the resource. + Use '*' for all verbs. properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template with - variables that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). 
+ Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value @@ -1206,19 +1188,15 @@ spec: type: object type: object user: - description: User to check for authorization in the - Kubernetes RBAC. Omit it to check for group authorization - only. + description: |- + User to check for authorization in the Kubernetes RBAC. + Omit it to check for group authorization only. properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve - to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom modifiers - are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -1235,40 +1213,29 @@ spec: properties: allValues: default: false - description: Returns the value of all Rego rules in - the virtual document. Values can be read in subsequent - evaluators/phases of the Auth Pipeline. Otherwise, - only the default `allow` rule will be exposed. Returning - all Rego rules can affect performance of OPA policies - during reconciliation (policy precompile) and at runtime. + description: |- + Returns the value of all Rego rules in the virtual document. Values can be read in subsequent evaluators/phases of the Auth Pipeline. + Otherwise, only the default `allow` rule will be exposed. + Returning all Rego rules can affect performance of OPA policies during reconciliation (policy precompile) and at runtime. type: boolean externalPolicy: - description: 'Settings for fetching the OPA policy from - an external registry. Use it alternatively to ''rego''. - For the configurations of the HTTP request, the following - options are not implemented: ''method'', ''body'', - ''bodyParameters'', ''contentType'', ''headers'', - ''oauth2''. Use it only with: ''url'', ''sharedSecret'', - ''credentials''.' + description: |- + Settings for fetching the OPA policy from an external registry. + Use it alternatively to 'rego'. + For the configurations of the HTTP request, the following options are not implemented: 'method', 'body', 'bodyParameters', + 'contentType', 'headers', 'oauth2'. Use it only with: 'url', 'sharedSecret', 'credentials'. properties: body: - description: Raw body of the HTTP request. Supersedes - 'bodyParameters'; use either one or the other. - Use it with method=POST; for GET requests, set - parameters as query string in the 'endpoint' (placeholders - can be used). + description: |- + Raw body of the HTTP request. + Supersedes 'bodyParameters'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). 
properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template with - variables that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -1278,43 +1245,33 @@ spec: additionalProperties: properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template - with variables that resolve to patterns - (e.g. "Hello, {auth.identity.name}!"). Any - pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" - ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object - description: Custom parameters to encode in the - body of the HTTP request. Superseded by 'body'; - use either one or the other. Use it with method=POST; - for GET requests, set parameters as query string - in the 'endpoint' (placeholders can be used). + description: |- + Custom parameters to encode in the body of the HTTP request. + Superseded by 'body'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). type: object contentType: default: application/x-www-form-urlencoded - description: Content-Type of the request body. Shapes - how 'bodyParameters' are encoded. Use it with - method=POST; for GET requests, Content-Type is - automatically set to 'text/plain'. + description: |- + Content-Type of the request body. Shapes how 'bodyParameters' are encoded. 
+ Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: - description: Defines where client credentials will - be passed in the request to the service. If omitted, - it defaults to client credentials passed in the - HTTP Authorization header and the "Bearer" prefix - expected prepended to the secret value. + description: |- + Defines where client credentials will be passed in the request to the service. + If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. properties: authorizationHeader: properties: @@ -1347,16 +1304,10 @@ spec: additionalProperties: properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template - with variables that resolve to patterns - (e.g. "Hello, {auth.identity.name}!"). Any - pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" - ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -1366,10 +1317,9 @@ spec: type: object method: default: GET - description: 'HTTP verb used in the request to the - service. Accepted values: GET (default), POST. - When the request method is POST, the authorization - JSON is passed in the body of the request.' + description: |- + HTTP verb used in the request to the service. Accepted values: GET (default), POST. + When the request method is POST, the authorization JSON is passed in the body of the request. enum: - GET - POST @@ -1387,10 +1337,9 @@ spec: properties: cache: default: true - description: Caches and reuses the token until - expired. Set it to false to force fetch the - token at every authorization request regardless - of expiration. + description: |- + Caches and reuses the token until expired. + Set it to false to force fetch the token at every authorization request regardless of expiration. type: boolean clientId: description: OAuth2 Client ID. @@ -1434,11 +1383,10 @@ spec: - tokenUrl type: object sharedSecretRef: - description: Reference to a Secret key whose value - will be passed by Authorino in the request. The - HTTP service can use the shared secret to authenticate - the origin of the request. Ignored if used together - with oauth2. + description: |- + Reference to a Secret key whose value will be passed by Authorino in the request. + The HTTP service can use the shared secret to authenticate the origin of the request. + Ignored if used together with oauth2. properties: key: description: The key of the secret to select 
@@ -1458,23 +1406,20 @@ spec: source. type: integer url: - description: Endpoint URL of the HTTP service. The - value can include variable placeholders in the - format "{selector}", where "selector" is any pattern - supported by https://pkg.go.dev/github.com/tidwall/gjson - and selects value from the authorization JSON. + description: |- + Endpoint URL of the HTTP service. + The value can include variable placeholders in the format "{selector}", where "selector" is any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string required: - url type: object rego: - description: Authorization policy as a Rego language - document. The Rego document must include the "allow" - condition, set by Authorino to "false" by default - (i.e. requests are unauthorized unless changed). The - Rego document must NOT include the "package" declaration - in line 1. + description: |- + Authorization policy as a Rego language document. + The Rego document must include the "allow" condition, set by Authorino to "false" by default (i.e. requests are unauthorized unless changed). + The Rego document must NOT include the "package" declaration in line 1. type: string type: object patternMatching: @@ -1498,12 +1443,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied - to the content fetched from the authorization - JSON, for comparison with "value". Possible - values are: "eq" (equal to), "neq" (not equal - to), "incl" (includes; for arrays), "excl" (excludes; - for arrays), "matches" (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq 
@@ -1516,17 +1458,15 @@ spec: expressions type: string selector: - description: Path selector to fetch content from - the authorization JSON (e.g. 'request.method'). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. Authorino custom JSON path modifiers - are also supported. + description: |- + Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + Authorino custom JSON path modifiers are also supported. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization - JSON. If used with the "matches" operator, the - value must compile to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array 
@@ -1535,104 +1475,113 @@ spec: type: object priority: default: 0 - description: Priority group of the config. All configs in - the same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer routeSelectors: - description: Top-level route selectors. If present, the - elements will be used to select HTTPRoute rules that, - when activated, trigger the auth rule. At least one selected - HTTPRoute rule must match to trigger the auth rule. If - no route selectors are specified, the auth rule will be - evaluated at all requests to the protected routes. + description: |- + Top-level route selectors. + If present, the elements will be used to select HTTPRoute rules that, when activated, trigger the auth rule. + At least one selected HTTPRoute rule must match to trigger the auth rule. + If no route selectors are specified, the auth rule will be evaluated at all requests to the protected routes. 
items: - description: RouteSelector defines semantics for matching - an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + RouteSelector defines semantics for matching an HTTP request based on conditions + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: Hostnames defines a set of hostname that - should match against the HTTP Host header to select - a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: "Hostname is the fully qualified domain - name of a network host. This matches the RFC 1123 - definition of a hostname with 2 notable exceptions: - \n 1. IPs are not allowed. 2. A hostname may be - prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - \n Hostname can be \"precise\" which is a domain - name without the terminating dot of a network - host (e.g. \"foo.example.com\") or \"wildcard\", - which is a domain name prefixed with a single - wildcard label (e.g. `*.example.com`). \n Note - that as per RFC1035 and RFC1123, a *label* must - consist of lower case alphanumeric characters - or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed." + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. 
+ + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: Matches define conditions used for matching - the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + Matches define conditions used for matching the rule against incoming HTTP requests. + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate - used to match requests to a given action. Multiple + used to match requests to a given\naction. Multiple match types are ANDed together, i.e. the match - will evaluate to true only if all conditions are - satisfied. \n For example, the match below will - match a HTTP request only if its path starts with - `/foo` AND it contains the `version: v1` header: - \n ``` match: \n path: value: \"/foo\" headers: - - name: \"version\" value \"v1\" \n ```" + will\nevaluate to true only if all conditions + are satisfied.\n\n\nFor example, the match below + will match a HTTP request only if its path\nstarts + with `/foo` AND it contains the `version: v1` + header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t value: + \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t + \ value \"v1\"\n\n\n```" properties: headers: - description: Headers specifies HTTP request - header matchers. 
Multiple match values are - ANDed together, meaning, a request must match - all the specified headers to select the route. + description: |- + Headers specifies HTTP request header matchers. Multiple match values are + ANDed together, meaning, a request must match all the specified headers + to select the route. items: - description: HTTPHeaderMatch describes how - to select a HTTP route by matching HTTP - request headers. + description: |- + HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request + headers. properties: name: - description: "Name is the name of the - HTTP Header to be matched. Name matching - MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - \n If multiple entries specify equivalent - header names, only the first entry with - an equivalent name MUST be considered - for a match. Subsequent entries with - an equivalent header name MUST be ignored. - Due to the case-insensitivity of header - names, \"foo\" and \"Foo\" are considered - equivalent. \n When a header is repeated - in an HTTP request, it is implementation-specific - behavior as to how this is represented. - Generally, proxies should follow the - guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 - regarding processing a repeated header, - with special handling for \"Set-Cookie\"." + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + + + When a header is repeated in an HTTP request, it is + implementation-specific behavior as to how this is represented. 
+ Generally, proxies should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding + processing a repeated header, with special handling for "Set-Cookie". maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: "Type specifies how to match - against the value of the header. \n - Support: Core (Exact) \n Support: Implementation-specific - (RegularExpression) \n Since RegularExpression - HeaderMatchType has implementation-specific - conformance, implementations can support - POSIX, PCRE or any other dialects of - regular expressions. Please read the - implementation's documentation to determine - the supported dialect." + description: |- + Type specifies how to match against the value of the header. + + + Support: Core (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression HeaderMatchType has implementation-specific + conformance, implementations can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's documentation to + determine the supported dialect. enum: - Exact - RegularExpression @@ -1653,10 +1602,13 @@ spec: - name x-kubernetes-list-type: map method: - description: "Method specifies HTTP method matcher. - When specified, this route will be matched - only if the request has the specified method. - \n Support: Extended" + description: |- + Method specifies HTTP method matcher. + When specified, this route will be matched only if the request has the + specified method. + + + Support: Extended enum: - GET - HEAD 
@@ -1672,16 +1624,20 @@ spec: default: type: PathPrefix value: / - description: Path specifies a HTTP request path - matcher. If this field is not specified, a - default prefix match on the "/" path is provided. + description: |- + Path specifies a HTTP request path matcher. If this field is not + specified, a default prefix match on the "/" path is provided. properties: type: default: PathPrefix - description: "Type specifies how to match - against the path Value. \n Support: Core - (Exact, PathPrefix) \n Support: Implementation-specific - (RegularExpression)" + description: |- + Type specifies how to match against the path Value. + + + Support: Core (Exact, PathPrefix) + + + Support: Implementation-specific (RegularExpression) enum: - Exact - PathPrefix 
@@ -1743,55 +1699,60 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: "QueryParams specifies HTTP query - parameter matchers. Multiple match values - are ANDed together, meaning, a request must - match all the specified query parameters to - select the route. \n Support: Extended" + description: |- + QueryParams specifies HTTP query parameter matchers. Multiple match + values are ANDed together, meaning, a request must match all the + specified query parameters to select the route. + + + Support: Extended items: - description: HTTPQueryParamMatch describes - how to select a HTTP route by matching HTTP + description: |- + HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. properties: name: - description: "Name is the name of the - HTTP query param to be matched. This - must be an exact string match. (See + description: |- + Name is the name of the HTTP query param to be matched. This must be an + exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). - \n If multiple entries specify equivalent - query param names, only the first entry - with an equivalent name MUST be considered - for a match. Subsequent entries with - an equivalent query param name MUST - be ignored. \n If a query param is repeated - in an HTTP request, the behavior is - purposely left undefined, since different - data planes have different capabilities. - However, it is *recommended* that implementations - should match against the first value - of the param if the data plane supports - it, as this behavior is expected in - other load balancing contexts outside - of the Gateway API. \n Users SHOULD - NOT route traffic based on repeated - query params to guard themselves against - potential differences in the implementations." 
+ + + If multiple entries specify equivalent query param names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST be ignored. + + + If a query param is repeated in an HTTP request, the behavior is + purposely left undefined, since different data planes have different + capabilities. However, it is *recommended* that implementations should + match against the first value of the param if the data plane supports it, + as this behavior is expected in other load balancing contexts outside of + the Gateway API. + + + Users SHOULD NOT route traffic based on repeated query params to guard + themselves against potential differences in the implementations. maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: "Type specifies how to match - against the value of the query parameter. - \n Support: Extended (Exact) \n Support: - Implementation-specific (RegularExpression) - \n Since RegularExpression QueryParamMatchType - has Implementation-specific conformance, - implementations can support POSIX, PCRE - or any other dialects of regular expressions. - Please read the implementation's documentation - to determine the supported dialect." + description: |- + Type specifies how to match against the value of the query parameter. + + + Support: Extended (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the implementation's + documentation to determine the supported dialect. enum: - Exact - RegularExpression 
@@ -1834,14 +1795,10 @@ spec: on which to execute the check. properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve - to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom modifiers - are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -1854,16 +1811,10 @@ spec: kind: properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template with - variables that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -1872,16 +1823,10 @@ spec: name: properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template with - variables that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -1912,16 +1857,10 @@ spec: kind: properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template with - variables that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -1930,16 +1869,10 @@ spec: name: properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template with - variables that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value @@ -1950,10 +1883,10 @@ spec: - endpoint type: object when: - description: Conditions for Authorino to enforce this config. + description: |- + Conditions for Authorino to enforce this config. If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to - be enforced; otherwise, the config will be skipped. + If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. items: properties: all: 
@@ -1971,12 +1904,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied to - the content fetched from the authorization JSON, - for comparison with "value". Possible values are: - "eq" (equal to), "neq" (not equal to), "incl" (includes; - for arrays), "excl" (excludes; for arrays), "matches" - (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq 
@@ -1988,47 +1918,42 @@ spec: description: Reference to a named set of pattern expressions type: string selector: - description: Path selector to fetch content from the - authorization JSON (e.g. 'request.method'). Any - pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. Authorino custom JSON path modifiers - are also supported. + description: |- + Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + Authorino custom JSON path modifiers are also supported. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization - JSON. If used with the "matches" operator, the value - must compile to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array type: object - description: Authorization policies. All policies MUST evaluate - to "allowed = true" for the auth request be successful. + description: |- + Authorization policies. + All policies MUST evaluate to "allowed = true" for the auth request be successful. maxProperties: 14 type: object callbacks: additionalProperties: properties: cache: - description: Caching options for the resolved object returned - when applying this config. Omit it to avoid caching objects - for this config. + description: |- + Caching options for the resolved object returned when applying this config. + Omit it to avoid caching objects for this config. properties: key: - description: Key used to store the entry in the cache. - The resolved key must be unique within the scope of - this particular config. + description: |- + Key used to store the entry in the cache. 
+ The resolved key must be unique within the scope of this particular config. properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve - to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom modifiers - are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -2046,21 +1971,16 @@ spec: description: Settings of the external HTTP request properties: body: - description: Raw body of the HTTP request. Supersedes - 'bodyParameters'; use either one or the other. Use - it with method=POST; for GET requests, set parameters - as query string in the 'endpoint' (placeholders can - be used). + description: |- + Raw body of the HTTP request. + Supersedes 'bodyParameters'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve - to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom modifiers - are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -2070,42 +1990,33 @@ spec: additionalProperties: properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve - to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object - description: Custom parameters to encode in the body - of the HTTP request. Superseded by 'body'; use either - one or the other. Use it with method=POST; for GET - requests, set parameters as query string in the 'endpoint' - (placeholders can be used). + description: |- + Custom parameters to encode in the body of the HTTP request. + Superseded by 'body'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). type: object contentType: default: application/x-www-form-urlencoded - description: Content-Type of the request body. Shapes - how 'bodyParameters' are encoded. Use it with method=POST; - for GET requests, Content-Type is automatically set - to 'text/plain'. + description: |- + Content-Type of the request body. Shapes how 'bodyParameters' are encoded. 
+ Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: - description: Defines where client credentials will be - passed in the request to the service. If omitted, - it defaults to client credentials passed in the HTTP - Authorization header and the "Bearer" prefix expected - prepended to the secret value. + description: |- + Defines where client credentials will be passed in the request to the service. + If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. properties: authorizationHeader: properties: @@ -2138,15 +2049,10 @@ spec: additionalProperties: properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve - to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -2156,10 +2062,9 @@ spec: type: object method: default: GET - description: 'HTTP verb used in the request to the service. - Accepted values: GET (default), POST. When the request - method is POST, the authorization JSON is passed in - the body of the request.' + description: |- + HTTP verb used in the request to the service. Accepted values: GET (default), POST. + When the request method is POST, the authorization JSON is passed in the body of the request. enum: - GET - POST @@ -2177,9 +2082,9 @@ spec: properties: cache: default: true - description: Caches and reuses the token until expired. - Set it to false to force fetch the token at every - authorization request regardless of expiration. + description: |- + Caches and reuses the token until expired. + Set it to false to force fetch the token at every authorization request regardless of expiration. type: boolean clientId: description: OAuth2 Client ID. @@ -2222,10 +2127,10 @@ spec: - tokenUrl type: object sharedSecretRef: - description: Reference to a Secret key whose value will - be passed by Authorino in the request. The HTTP service - can use the shared secret to authenticate the origin - of the request. Ignored if used together with oauth2. + description: |- + Reference to a Secret key whose value will be passed by Authorino in the request. + The HTTP service can use the shared secret to authenticate the origin of the request. + Ignored if used together with oauth2. properties: key: description: The key of the secret to select from. Must 
@@ -2240,11 +2145,11 @@ spec: - name type: object url: - description: Endpoint URL of the HTTP service. The value - can include variable placeholders in the format "{selector}", - where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - and selects value from the authorization JSON. E.g. - https://ext-auth-server.io/metadata?p={request.path} + description: |- + Endpoint URL of the HTTP service. + The value can include variable placeholders in the format "{selector}", where "selector" is any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + E.g. https://ext-auth-server.io/metadata?p={request.path} type: string required: - url 
@@ -2256,104 +2161,113 @@ spec: type: boolean priority: default: 0 - description: Priority group of the config. All configs in - the same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer routeSelectors: - description: Top-level route selectors. If present, the - elements will be used to select HTTPRoute rules that, - when activated, trigger the auth rule. At least one selected - HTTPRoute rule must match to trigger the auth rule. If - no route selectors are specified, the auth rule will be - evaluated at all requests to the protected routes. + description: |- + Top-level route selectors. + If present, the elements will be used to select HTTPRoute rules that, when activated, trigger the auth rule. + At least one selected HTTPRoute rule must match to trigger the auth rule. + If no route selectors are specified, the auth rule will be evaluated at all requests to the protected routes. 
items: - description: RouteSelector defines semantics for matching - an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + RouteSelector defines semantics for matching an HTTP request based on conditions + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: Hostnames defines a set of hostname that - should match against the HTTP Host header to select - a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: "Hostname is the fully qualified domain - name of a network host. This matches the RFC 1123 - definition of a hostname with 2 notable exceptions: - \n 1. IPs are not allowed. 2. A hostname may be - prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - \n Hostname can be \"precise\" which is a domain - name without the terminating dot of a network - host (e.g. \"foo.example.com\") or \"wildcard\", - which is a domain name prefixed with a single - wildcard label (e.g. `*.example.com`). \n Note - that as per RFC1035 and RFC1123, a *label* must - consist of lower case alphanumeric characters - or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed." + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. 
+ + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: Matches define conditions used for matching - the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + Matches define conditions used for matching the rule against incoming HTTP requests. + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate - used to match requests to a given action. Multiple + used to match requests to a given\naction. Multiple match types are ANDed together, i.e. the match - will evaluate to true only if all conditions are - satisfied. \n For example, the match below will - match a HTTP request only if its path starts with - `/foo` AND it contains the `version: v1` header: - \n ``` match: \n path: value: \"/foo\" headers: - - name: \"version\" value \"v1\" \n ```" + will\nevaluate to true only if all conditions + are satisfied.\n\n\nFor example, the match below + will match a HTTP request only if its path\nstarts + with `/foo` AND it contains the `version: v1` + header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t value: + \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t + \ value \"v1\"\n\n\n```" properties: headers: - description: Headers specifies HTTP request - header matchers. 
Multiple match values are - ANDed together, meaning, a request must match - all the specified headers to select the route. + description: |- + Headers specifies HTTP request header matchers. Multiple match values are + ANDed together, meaning, a request must match all the specified headers + to select the route. items: - description: HTTPHeaderMatch describes how - to select a HTTP route by matching HTTP - request headers. + description: |- + HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request + headers. properties: name: - description: "Name is the name of the - HTTP Header to be matched. Name matching - MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - \n If multiple entries specify equivalent - header names, only the first entry with - an equivalent name MUST be considered - for a match. Subsequent entries with - an equivalent header name MUST be ignored. - Due to the case-insensitivity of header - names, \"foo\" and \"Foo\" are considered - equivalent. \n When a header is repeated - in an HTTP request, it is implementation-specific - behavior as to how this is represented. - Generally, proxies should follow the - guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 - regarding processing a repeated header, - with special handling for \"Set-Cookie\"." + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + + + When a header is repeated in an HTTP request, it is + implementation-specific behavior as to how this is represented. 
+ Generally, proxies should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding + processing a repeated header, with special handling for "Set-Cookie". maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: "Type specifies how to match - against the value of the header. \n - Support: Core (Exact) \n Support: Implementation-specific - (RegularExpression) \n Since RegularExpression - HeaderMatchType has implementation-specific - conformance, implementations can support - POSIX, PCRE or any other dialects of - regular expressions. Please read the - implementation's documentation to determine - the supported dialect." + description: |- + Type specifies how to match against the value of the header. + + + Support: Core (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression HeaderMatchType has implementation-specific + conformance, implementations can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's documentation to + determine the supported dialect. enum: - Exact - RegularExpression @@ -2374,10 +2288,13 @@ spec: - name x-kubernetes-list-type: map method: - description: "Method specifies HTTP method matcher. - When specified, this route will be matched - only if the request has the specified method. - \n Support: Extended" + description: |- + Method specifies HTTP method matcher. + When specified, this route will be matched only if the request has the + specified method. + + + Support: Extended enum: - GET - HEAD 
@@ -2393,16 +2310,20 @@ spec: default: type: PathPrefix value: / - description: Path specifies a HTTP request path - matcher. If this field is not specified, a - default prefix match on the "/" path is provided. + description: |- + Path specifies a HTTP request path matcher. If this field is not + specified, a default prefix match on the "/" path is provided. properties: type: default: PathPrefix - description: "Type specifies how to match - against the path Value. \n Support: Core - (Exact, PathPrefix) \n Support: Implementation-specific - (RegularExpression)" + description: |- + Type specifies how to match against the path Value. + + + Support: Core (Exact, PathPrefix) + + + Support: Implementation-specific (RegularExpression) enum: - Exact - PathPrefix 
@@ -2464,55 +2385,60 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: "QueryParams specifies HTTP query - parameter matchers. Multiple match values - are ANDed together, meaning, a request must - match all the specified query parameters to - select the route. \n Support: Extended" + description: |- + QueryParams specifies HTTP query parameter matchers. Multiple match + values are ANDed together, meaning, a request must match all the + specified query parameters to select the route. + + + Support: Extended items: - description: HTTPQueryParamMatch describes - how to select a HTTP route by matching HTTP + description: |- + HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. properties: name: - description: "Name is the name of the - HTTP query param to be matched. This - must be an exact string match. (See + description: |- + Name is the name of the HTTP query param to be matched. This must be an + exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). - \n If multiple entries specify equivalent - query param names, only the first entry - with an equivalent name MUST be considered - for a match. Subsequent entries with - an equivalent query param name MUST - be ignored. \n If a query param is repeated - in an HTTP request, the behavior is - purposely left undefined, since different - data planes have different capabilities. - However, it is *recommended* that implementations - should match against the first value - of the param if the data plane supports - it, as this behavior is expected in - other load balancing contexts outside - of the Gateway API. \n Users SHOULD - NOT route traffic based on repeated - query params to guard themselves against - potential differences in the implementations." 
+ + + If multiple entries specify equivalent query param names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST be ignored. + + + If a query param is repeated in an HTTP request, the behavior is + purposely left undefined, since different data planes have different + capabilities. However, it is *recommended* that implementations should + match against the first value of the param if the data plane supports it, + as this behavior is expected in other load balancing contexts outside of + the Gateway API. + + + Users SHOULD NOT route traffic based on repeated query params to guard + themselves against potential differences in the implementations. maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: "Type specifies how to match - against the value of the query parameter. - \n Support: Extended (Exact) \n Support: - Implementation-specific (RegularExpression) - \n Since RegularExpression QueryParamMatchType - has Implementation-specific conformance, - implementations can support POSIX, PCRE - or any other dialects of regular expressions. - Please read the implementation's documentation - to determine the supported dialect." + description: |- + Type specifies how to match against the value of the query parameter. + + + Support: Extended (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the implementation's + documentation to determine the supported dialect. enum: - Exact - RegularExpression 
@@ -2539,10 +2465,10 @@ spec: maxItems: 15 type: array when: - description: Conditions for Authorino to enforce this config. + description: |- + Conditions for Authorino to enforce this config. If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to - be enforced; otherwise, the config will be skipped. + If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. items: properties: all: @@ -2560,12 +2486,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied to - the content fetched from the authorization JSON, - for comparison with "value". Possible values are: - "eq" (equal to), "neq" (not equal to), "incl" (includes; - for arrays), "excl" (excludes; for arrays), "matches" - (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq 
@@ -2577,50 +2500,44 @@ spec: description: Reference to a named set of pattern expressions type: string selector: - description: Path selector to fetch content from the - authorization JSON (e.g. 'request.method'). Any - pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. Authorino custom JSON path modifiers - are also supported. + description: |- + Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + Authorino custom JSON path modifiers are also supported. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization - JSON. If used with the "matches" operator, the value - must compile to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array required: - http type: object - description: Callback functions. Authorino sends callbacks at - the end of the auth pipeline to the endpoints specified in this - config. + description: |- + Callback functions. + Authorino sends callbacks at the end of the auth pipeline to the endpoints specified in this config. maxProperties: 14 type: object metadata: additionalProperties: properties: cache: - description: Caching options for the resolved object returned - when applying this config. Omit it to avoid caching objects - for this config. + description: |- + Caching options for the resolved object returned when applying this config. + Omit it to avoid caching objects for this config. properties: key: - description: Key used to store the entry in the cache. - The resolved key must be unique within the scope of - this particular config. + description: |- + Key used to store the entry in the cache. 
+ The resolved key must be unique within the scope of this particular config. properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve - to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom modifiers - are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -2638,21 +2555,16 @@ spec: description: External source of auth metadata via HTTP request properties: body: - description: Raw body of the HTTP request. Supersedes - 'bodyParameters'; use either one or the other. Use - it with method=POST; for GET requests, set parameters - as query string in the 'endpoint' (placeholders can - be used). + description: |- + Raw body of the HTTP request. + Supersedes 'bodyParameters'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve - to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom modifiers - are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -2662,42 +2574,33 @@ spec: additionalProperties: properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve - to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object - description: Custom parameters to encode in the body - of the HTTP request. Superseded by 'body'; use either - one or the other. Use it with method=POST; for GET - requests, set parameters as query string in the 'endpoint' - (placeholders can be used). + description: |- + Custom parameters to encode in the body of the HTTP request. + Superseded by 'body'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). type: object contentType: default: application/x-www-form-urlencoded - description: Content-Type of the request body. Shapes - how 'bodyParameters' are encoded. Use it with method=POST; - for GET requests, Content-Type is automatically set - to 'text/plain'. + description: |- + Content-Type of the request body. Shapes how 'bodyParameters' are encoded. 
+ Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: - description: Defines where client credentials will be - passed in the request to the service. If omitted, - it defaults to client credentials passed in the HTTP - Authorization header and the "Bearer" prefix expected - prepended to the secret value. + description: |- + Defines where client credentials will be passed in the request to the service. + If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. properties: authorizationHeader: properties: @@ -2730,15 +2633,10 @@ spec: additionalProperties: properties: selector: - description: 'Simple path selector to fetch content - from the authorization JSON (e.g. ''request.method'') - or a string template with variables that resolve - to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -2748,10 +2646,9 @@ spec: type: object method: default: GET - description: 'HTTP verb used in the request to the service. - Accepted values: GET (default), POST. When the request - method is POST, the authorization JSON is passed in - the body of the request.' + description: |- + HTTP verb used in the request to the service. Accepted values: GET (default), POST. + When the request method is POST, the authorization JSON is passed in the body of the request. enum: - GET - POST @@ -2769,9 +2666,9 @@ spec: properties: cache: default: true - description: Caches and reuses the token until expired. - Set it to false to force fetch the token at every - authorization request regardless of expiration. + description: |- + Caches and reuses the token until expired. + Set it to false to force fetch the token at every authorization request regardless of expiration. type: boolean clientId: description: OAuth2 Client ID. @@ -2814,10 +2711,10 @@ spec: - tokenUrl type: object sharedSecretRef: - description: Reference to a Secret key whose value will - be passed by Authorino in the request. The HTTP service - can use the shared secret to authenticate the origin - of the request. Ignored if used together with oauth2. + description: |- + Reference to a Secret key whose value will be passed by Authorino in the request. + The HTTP service can use the shared secret to authenticate the origin of the request. + Ignored if used together with oauth2. properties: key: description: The key of the secret to select from. Must 
@@ -2832,11 +2729,11 @@ spec: - name type: object url: - description: Endpoint URL of the HTTP service. The value - can include variable placeholders in the format "{selector}", - where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - and selects value from the authorization JSON. E.g. - https://ext-auth-server.io/metadata?p={request.path} + description: |- + Endpoint URL of the HTTP service. + The value can include variable placeholders in the format "{selector}", where "selector" is any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + E.g. https://ext-auth-server.io/metadata?p={request.path} type: string required: - url 
@@ -2848,104 +2745,113 @@ spec: type: boolean priority: default: 0 - description: Priority group of the config. All configs in - the same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer routeSelectors: - description: Top-level route selectors. If present, the - elements will be used to select HTTPRoute rules that, - when activated, trigger the auth rule. At least one selected - HTTPRoute rule must match to trigger the auth rule. If - no route selectors are specified, the auth rule will be - evaluated at all requests to the protected routes. + description: |- + Top-level route selectors. + If present, the elements will be used to select HTTPRoute rules that, when activated, trigger the auth rule. + At least one selected HTTPRoute rule must match to trigger the auth rule. + If no route selectors are specified, the auth rule will be evaluated at all requests to the protected routes. 
items: - description: RouteSelector defines semantics for matching - an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + RouteSelector defines semantics for matching an HTTP request based on conditions + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: Hostnames defines a set of hostname that - should match against the HTTP Host header to select - a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: "Hostname is the fully qualified domain - name of a network host. This matches the RFC 1123 - definition of a hostname with 2 notable exceptions: - \n 1. IPs are not allowed. 2. A hostname may be - prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - \n Hostname can be \"precise\" which is a domain - name without the terminating dot of a network - host (e.g. \"foo.example.com\") or \"wildcard\", - which is a domain name prefixed with a single - wildcard label (e.g. `*.example.com`). \n Note - that as per RFC1035 and RFC1123, a *label* must - consist of lower case alphanumeric characters - or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed." + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. 
+ + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: Matches define conditions used for matching - the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + Matches define conditions used for matching the rule against incoming HTTP requests. + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate - used to match requests to a given action. Multiple + used to match requests to a given\naction. Multiple match types are ANDed together, i.e. the match - will evaluate to true only if all conditions are - satisfied. \n For example, the match below will - match a HTTP request only if its path starts with - `/foo` AND it contains the `version: v1` header: - \n ``` match: \n path: value: \"/foo\" headers: - - name: \"version\" value \"v1\" \n ```" + will\nevaluate to true only if all conditions + are satisfied.\n\n\nFor example, the match below + will match a HTTP request only if its path\nstarts + with `/foo` AND it contains the `version: v1` + header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t value: + \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t + \ value \"v1\"\n\n\n```" properties: headers: - description: Headers specifies HTTP request - header matchers. 
Multiple match values are - ANDed together, meaning, a request must match - all the specified headers to select the route. + description: |- + Headers specifies HTTP request header matchers. Multiple match values are + ANDed together, meaning, a request must match all the specified headers + to select the route. items: - description: HTTPHeaderMatch describes how - to select a HTTP route by matching HTTP - request headers. + description: |- + HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request + headers. properties: name: - description: "Name is the name of the - HTTP Header to be matched. Name matching - MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - \n If multiple entries specify equivalent - header names, only the first entry with - an equivalent name MUST be considered - for a match. Subsequent entries with - an equivalent header name MUST be ignored. - Due to the case-insensitivity of header - names, \"foo\" and \"Foo\" are considered - equivalent. \n When a header is repeated - in an HTTP request, it is implementation-specific - behavior as to how this is represented. - Generally, proxies should follow the - guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 - regarding processing a repeated header, - with special handling for \"Set-Cookie\"." + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + + + When a header is repeated in an HTTP request, it is + implementation-specific behavior as to how this is represented. 
+ Generally, proxies should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding + processing a repeated header, with special handling for "Set-Cookie". maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: "Type specifies how to match - against the value of the header. \n - Support: Core (Exact) \n Support: Implementation-specific - (RegularExpression) \n Since RegularExpression - HeaderMatchType has implementation-specific - conformance, implementations can support - POSIX, PCRE or any other dialects of - regular expressions. Please read the - implementation's documentation to determine - the supported dialect." + description: |- + Type specifies how to match against the value of the header. + + + Support: Core (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression HeaderMatchType has implementation-specific + conformance, implementations can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's documentation to + determine the supported dialect. enum: - Exact - RegularExpression @@ -2966,10 +2872,13 @@ spec: - name x-kubernetes-list-type: map method: - description: "Method specifies HTTP method matcher. - When specified, this route will be matched - only if the request has the specified method. - \n Support: Extended" + description: |- + Method specifies HTTP method matcher. + When specified, this route will be matched only if the request has the + specified method. + + + Support: Extended enum: - GET - HEAD 
@@ -2985,16 +2894,20 @@ spec: default: type: PathPrefix value: / - description: Path specifies a HTTP request path - matcher. If this field is not specified, a - default prefix match on the "/" path is provided. + description: |- + Path specifies a HTTP request path matcher. If this field is not + specified, a default prefix match on the "/" path is provided. properties: type: default: PathPrefix - description: "Type specifies how to match - against the path Value. \n Support: Core - (Exact, PathPrefix) \n Support: Implementation-specific - (RegularExpression)" + description: |- + Type specifies how to match against the path Value. + + + Support: Core (Exact, PathPrefix) + + + Support: Implementation-specific (RegularExpression) enum: - Exact - PathPrefix 
@@ -3056,55 +2969,60 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: "QueryParams specifies HTTP query - parameter matchers. Multiple match values - are ANDed together, meaning, a request must - match all the specified query parameters to - select the route. \n Support: Extended" + description: |- + QueryParams specifies HTTP query parameter matchers. Multiple match + values are ANDed together, meaning, a request must match all the + specified query parameters to select the route. + + + Support: Extended items: - description: HTTPQueryParamMatch describes - how to select a HTTP route by matching HTTP + description: |- + HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. properties: name: - description: "Name is the name of the - HTTP query param to be matched. This - must be an exact string match. (See + description: |- + Name is the name of the HTTP query param to be matched. This must be an + exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). - \n If multiple entries specify equivalent - query param names, only the first entry - with an equivalent name MUST be considered - for a match. Subsequent entries with - an equivalent query param name MUST - be ignored. \n If a query param is repeated - in an HTTP request, the behavior is - purposely left undefined, since different - data planes have different capabilities. - However, it is *recommended* that implementations - should match against the first value - of the param if the data plane supports - it, as this behavior is expected in - other load balancing contexts outside - of the Gateway API. \n Users SHOULD - NOT route traffic based on repeated - query params to guard themselves against - potential differences in the implementations." 
+ + + If multiple entries specify equivalent query param names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST be ignored. + + + If a query param is repeated in an HTTP request, the behavior is + purposely left undefined, since different data planes have different + capabilities. However, it is *recommended* that implementations should + match against the first value of the param if the data plane supports it, + as this behavior is expected in other load balancing contexts outside of + the Gateway API. + + + Users SHOULD NOT route traffic based on repeated query params to guard + themselves against potential differences in the implementations. maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: "Type specifies how to match - against the value of the query parameter. - \n Support: Extended (Exact) \n Support: - Implementation-specific (RegularExpression) - \n Since RegularExpression QueryParamMatchType - has Implementation-specific conformance, - implementations can support POSIX, PCRE - or any other dialects of regular expressions. - Please read the implementation's documentation - to determine the supported dialect." + description: |- + Type specifies how to match against the value of the query parameter. + + + Support: Extended (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the implementation's + documentation to determine the supported dialect. enum: - Exact - RegularExpression 
@@ -3140,16 +3058,17 @@ spec: the resource registration API of the UMA server. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic endpoint: - description: The endpoint of the UMA server. The value - must coincide with the "issuer" claim of the UMA config - discovered from the well-known uma configuration endpoint. + description: |- + The endpoint of the UMA server. + The value must coincide with the "issuer" claim of the UMA config discovered from the well-known uma configuration endpoint. type: string required: - credentialsRef @@ -3168,10 +3087,10 @@ spec: - identitySource type: object when: - description: Conditions for Authorino to enforce this config. + description: |- + Conditions for Authorino to enforce this config. If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to - be enforced; otherwise, the config will be skipped. + If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. items: properties: all: 
@@ -3189,12 +3108,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied to - the content fetched from the authorization JSON, - for comparison with "value". Possible values are: - "eq" (equal to), "neq" (not equal to), "incl" (includes; - for arrays), "excl" (excludes; for arrays), "matches" - (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq 
@@ -3206,60 +3122,52 @@ spec: description: Reference to a named set of pattern expressions type: string selector: - description: Path selector to fetch content from the - authorization JSON (e.g. 'request.method'). Any - pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. Authorino custom JSON path modifiers - are also supported. + description: |- + Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + Authorino custom JSON path modifiers are also supported. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization - JSON. If used with the "matches" operator, the value - must compile to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array type: object - description: Metadata sources. Authorino fetches auth metadata - as JSON from sources specified in this config. + description: |- + Metadata sources. + Authorino fetches auth metadata as JSON from sources specified in this config. maxProperties: 14 type: object response: - description: Response items. Authorino builds custom responses - to the client of the auth request. + description: |- + Response items. + Authorino builds custom responses to the client of the auth request. properties: success: - description: Response items to be included in the auth response - when the request is authenticated and authorized. For integration - of Authorino via proxy, the proxy must use these settings - to propagate dynamic metadata and/or inject data in the - request. + description: |- + Response items to be included in the auth response when the request is authenticated and authorized. 
+ For integration of Authorino via proxy, the proxy must use these settings to propagate dynamic metadata and/or inject data in the request. properties: dynamicMetadata: additionalProperties: properties: cache: - description: Caching options for the resolved object - returned when applying this config. Omit it to - avoid caching objects for this config. + description: |- + Caching options for the resolved object returned when applying this config. + Omit it to avoid caching objects for this config. properties: key: - description: Key used to store the entry in - the cache. The resolved key must be unique - within the scope of this particular config. + description: |- + Key used to store the entry in the cache. + The resolved key must be unique within the scope of this particular config. properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template - with variables that resolve to patterns - (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" - ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -3275,25 +3183,18 @@ spec: - key type: object json: - description: JSON object Specify it as the list - of properties of the object, whose values can - combine static values and values selected from - the authorization JSON. + description: |- + JSON object + Specify it as the list of properties of the object, whose values can combine static values and values selected from the authorization JSON. properties: properties: additionalProperties: properties: selector: - description: 'Simple path selector to - fetch content from the authorization - JSON (e.g. ''request.method'') or a - string template with variables that - resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino - custom modifiers are supported: @extract:{sep:" - ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value @@ -3304,10 +3205,9 @@ spec: - properties type: object key: - description: The key used to add the custom response - item (name of the HTTP header or root property - of the Dynamic Metadata object). If omitted, it - will be set to the name of the response config. + description: |- + The key used to add the custom response item (name of the HTTP header or root property of the Dynamic Metadata object). + If omitted, it will be set to the name of the response config. type: string metrics: default: false 
@@ -3318,16 +3218,10 @@ spec: description: Plain text content properties: selector: - description: 'Simple path selector to fetch - content from the authorization JSON (e.g. - ''request.method'') or a string template with - variables that resolve to patterns (e.g. "Hello, - {auth.identity.name}!"). Any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino custom - modifiers are supported: @extract:{sep:" ",pos:0}, - @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value 
@@ -3335,122 +3229,114 @@ spec: type: object priority: default: 0 - description: Priority group of the config. All configs - in the same priority group are evaluated concurrently; - consecutive priority groups are evaluated sequentially. + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer routeSelectors: - description: Top-level route selectors. If present, - the elements will be used to select HTTPRoute - rules that, when activated, trigger the auth rule. - At least one selected HTTPRoute rule must match - to trigger the auth rule. If no route selectors - are specified, the auth rule will be evaluated - at all requests to the protected routes. + description: |- + Top-level route selectors. + If present, the elements will be used to select HTTPRoute rules that, when activated, trigger the auth rule. + At least one selected HTTPRoute rule must match to trigger the auth rule. + If no route selectors are specified, the auth rule will be evaluated at all requests to the protected routes. 
items: - description: RouteSelector defines semantics for - matching an HTTP request based on conditions + description: |- + RouteSelector defines semantics for matching an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: Hostnames defines a set of hostname - that should match against the HTTP Host - header to select a HTTPRoute to process - the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: "Hostname is the fully qualified - domain name of a network host. This matches - the RFC 1123 definition of a hostname - with 2 notable exceptions: \n 1. IPs are - not allowed. 2. A hostname may be prefixed - with a wildcard label (`*.`). The wildcard - label must appear by itself as the first - label. \n Hostname can be \"precise\" - which is a domain name without the terminating - dot of a network host (e.g. \"foo.example.com\") - or \"wildcard\", which is a domain name - prefixed with a single wildcard label - (e.g. `*.example.com`). \n Note that as - per RFC1035 and RFC1123, a *label* must - consist of lower case alphanumeric characters - or '-', and must start and end with an - alphanumeric character. No other punctuation - is allowed." + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. 
+ + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: Matches define conditions used - for matching the rule against incoming HTTP - requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + Matches define conditions used for matching the rule against incoming HTTP requests. + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate used to match requests to a - given action. Multiple match types are - ANDed together, i.e. the match will evaluate - to true only if all conditions are satisfied. - \n For example, the match below will match - a HTTP request only if its path starts + given\naction. Multiple match types are + ANDed together, i.e. the match will\nevaluate + to true only if all conditions are satisfied.\n\n\nFor + example, the match below will match a + HTTP request only if its path\nstarts with `/foo` AND it contains the `version: - v1` header: \n ``` match: \n path: value: - \"/foo\" headers: - name: \"version\" - value \"v1\" \n ```" + v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t + \ value: \"/foo\"\n\theaders:\n\t- name: + \"version\"\n\t value \"v1\"\n\n\n```" properties: headers: - description: Headers specifies HTTP - request header matchers. Multiple - match values are ANDed together, meaning, - a request must match all the specified - headers to select the route. 
+ description: |- + Headers specifies HTTP request header matchers. Multiple match values are + ANDed together, meaning, a request must match all the specified headers + to select the route. items: - description: HTTPHeaderMatch describes - how to select a HTTP route by matching - HTTP request headers. + description: |- + HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request + headers. properties: name: - description: "Name is the name - of the HTTP Header to be matched. - Name matching MUST be case insensitive. - (See https://tools.ietf.org/html/rfc7230#section-3.2). - \n If multiple entries specify - equivalent header names, only - the first entry with an equivalent - name MUST be considered for - a match. Subsequent entries - with an equivalent header name - MUST be ignored. Due to the - case-insensitivity of header - names, \"foo\" and \"Foo\" are - considered equivalent. \n When - a header is repeated in an HTTP - request, it is implementation-specific - behavior as to how this is represented. - Generally, proxies should follow - the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 - regarding processing a repeated - header, with special handling - for \"Set-Cookie\"." + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + + + When a header is repeated in an HTTP request, it is + implementation-specific behavior as to how this is represented. 
+ Generally, proxies should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding + processing a repeated header, with special handling for "Set-Cookie". maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: "Type specifies how - to match against the value of - the header. \n Support: Core - (Exact) \n Support: Implementation-specific - (RegularExpression) \n Since - RegularExpression HeaderMatchType - has implementation-specific - conformance, implementations - can support POSIX, PCRE or any - other dialects of regular expressions. - Please read the implementation's - documentation to determine the - supported dialect." + description: |- + Type specifies how to match against the value of the header. + + + Support: Core (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression HeaderMatchType has implementation-specific + conformance, implementations can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's documentation to + determine the supported dialect. enum: - Exact - RegularExpression @@ -3471,11 +3357,13 @@ spec: - name x-kubernetes-list-type: map method: - description: "Method specifies HTTP - method matcher. When specified, this - route will be matched only if the - request has the specified method. - \n Support: Extended" + description: |- + Method specifies HTTP method matcher. + When specified, this route will be matched only if the request has the + specified method. + + + Support: Extended enum: - GET - HEAD 
@@ -3491,18 +3379,20 @@ spec: default: type: PathPrefix value: / - description: Path specifies a HTTP request - path matcher. If this field is not - specified, a default prefix match - on the "/" path is provided. + description: |- + Path specifies a HTTP request path matcher. If this field is not + specified, a default prefix match on the "/" path is provided. properties: type: default: PathPrefix - description: "Type specifies how - to match against the path Value. - \n Support: Core (Exact, PathPrefix) - \n Support: Implementation-specific - (RegularExpression)" + description: |- + Type specifies how to match against the path Value. + + + Support: Core (Exact, PathPrefix) + + + Support: Implementation-specific (RegularExpression) enum: - Exact - PathPrefix 
@@ -3573,65 +3463,60 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: "QueryParams specifies - HTTP query parameter matchers. Multiple - match values are ANDed together, meaning, - a request must match all the specified - query parameters to select the route. - \n Support: Extended" + description: |- + QueryParams specifies HTTP query parameter matchers. Multiple match + values are ANDed together, meaning, a request must match all the + specified query parameters to select the route. + + + Support: Extended items: - description: HTTPQueryParamMatch describes - how to select a HTTP route by matching - HTTP query parameters. + description: |- + HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP + query parameters. properties: name: - description: "Name is the name - of the HTTP query param to be - matched. This must be an exact - string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). - \n If multiple entries specify - equivalent query param names, - only the first entry with an - equivalent name MUST be considered - for a match. Subsequent entries - with an equivalent query param - name MUST be ignored. \n If - a query param is repeated in - an HTTP request, the behavior - is purposely left undefined, - since different data planes - have different capabilities. - However, it is *recommended* - that implementations should - match against the first value - of the param if the data plane - supports it, as this behavior - is expected in other load balancing - contexts outside of the Gateway - API. \n Users SHOULD NOT route - traffic based on repeated query - params to guard themselves against - potential differences in the - implementations." + description: |- + Name is the name of the HTTP query param to be matched. This must be an + exact string match. (See + https://tools.ietf.org/html/rfc7230#section-2.7.3). 
+ + + If multiple entries specify equivalent query param names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST be ignored. + + + If a query param is repeated in an HTTP request, the behavior is + purposely left undefined, since different data planes have different + capabilities. However, it is *recommended* that implementations should + match against the first value of the param if the data plane supports it, + as this behavior is expected in other load balancing contexts outside of + the Gateway API. + + + Users SHOULD NOT route traffic based on repeated query params to guard + themselves against potential differences in the implementations. maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: "Type specifies how - to match against the value of - the query parameter. \n Support: - Extended (Exact) \n Support: - Implementation-specific (RegularExpression) - \n Since RegularExpression QueryParamMatchType - has Implementation-specific - conformance, implementations - can support POSIX, PCRE or any - other dialects of regular expressions. - Please read the implementation's - documentation to determine the - supported dialect." + description: |- + Type specifies how to match against the value of the query parameter. + + + Support: Extended (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the implementation's + documentation to determine the supported dialect. enum: - Exact - RegularExpression 
@@ -3658,11 +3543,10 @@ spec: maxItems: 15 type: array when: - description: Conditions for Authorino to enforce - this config. If omitted, the config will be enforced - for all requests. If present, all conditions must - match for the config to be enforced; otherwise, - the config will be skipped. + description: |- + Conditions for Authorino to enforce this config. + If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. items: properties: all: @@ -3680,13 +3564,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied - to the content fetched from the authorization - JSON, for comparison with "value". Possible - values are: "eq" (equal to), "neq" (not - equal to), "incl" (includes; for arrays), - "excl" (excludes; for arrays), "matches" - (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq 
@@ -3699,18 +3579,15 @@ spec: expressions type: string selector: - description: Path selector to fetch content - from the authorization JSON (e.g. 'request.method'). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. Authorino custom JSON path - modifiers are also supported. + description: |- + Path selector to fetch content from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + Authorino custom JSON path modifiers are also supported. type: string value: - description: The value of reference for the - comparison with the content fetched from - the authorization JSON. If used with the - "matches" operator, the value must compile - to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array 
@@ -3721,16 +3598,10 @@ spec: additionalProperties: properties: selector: - description: 'Simple path selector to - fetch content from the authorization - JSON (e.g. ''request.method'') or a - string template with variables that - resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following Authorino - custom modifiers are supported: @extract:{sep:" - ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string value: description: Static value @@ -3747,11 +3618,9 @@ spec: = // matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: description: A label query over a set of resources, 
@@ -464,28 +421,24 @@ spec: selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -498,51 +451,44 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. 
Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -555,33 +501,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -594,18 +536,16 @@ spec: as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node that - violates one or more of the expressions. The node that - is most preferred is the one with the greatest sum of - weights, i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - anti-affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -624,30 +564,25 @@ spec: of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -659,53 +594,45 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. 
- Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -717,42 +644,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -761,23 +683,22 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the pod - will not be scheduled onto the node. If the anti-affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod - label update), the system may or may not try to eventually - evict the pod from its node. When there are multiple - elements, the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: description: A label query over a set of resources, 
@@ -788,28 +709,24 @@ spec: selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -822,51 +739,44 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. 
Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -879,33 +789,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -919,20 +825,21 @@ spec: anyOf: - type: integer - type: string - description: An eviction is allowed if at most "maxUnavailable" - limitador pods are unavailable after the eviction, i.e. - even in absence of the evicted pod. For example, one can - prevent all voluntary evictions by specifying 0. This is - a mutually exclusive setting with "minAvailable". + description: |- + An eviction is allowed if at most "maxUnavailable" limitador pods + are unavailable after the eviction, i.e. even in absence of + the evicted pod. For example, one can prevent all voluntary evictions + by specifying 0. This is a mutually exclusive setting with "minAvailable". x-kubernetes-int-or-string: true minAvailable: anyOf: - type: integer - type: string - description: An eviction is allowed if at least "minAvailable" - limitador pods will still be available after the eviction, - i.e. even in the absence of the evicted pod. So for example - you can prevent all voluntary evictions by specifying "100%". + description: |- + An eviction is allowed if at least "minAvailable" limitador pods will + still be available after the eviction, i.e. even in the absence of + the evicted pod. So for example you can prevent all voluntary + evictions by specifying "100%". x-kubernetes-int-or-string: true type: object replicas: 
@@ -942,19 +849,24 @@ spec: requirements. properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be - set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a - container. + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. type: string required: - name @@ -970,8 +882,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -980,11 +893,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed - Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object storage: @@ -1003,17 +916,18 @@ spec: persistentVolumeClaim: properties: resources: - description: Resources represents the minimum resources - the volume should have. Ignored when VolumeName - field is set + description: |- + Resources represents the minimum resources the volume should have. + Ignored when VolumeName field is set properties: requests: anyOf: - type: integer - type: string - description: 'Storage Resource requests to be - used on the PersistentVolumeClaim. To learn - more about resource requests see: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Storage Resource requests to be used on the PersistentVolumeClaim. + To learn more about resource requests see: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true required: 
@@ -1030,14 +944,15 @@ spec: redis: properties: configSecretRef: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the same - namespace. + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -1045,14 +960,15 @@ spec: redis-cached: properties: configSecretRef: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the same - namespace. + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic 
@@ -1083,46 +999,47 @@ spec: description: KuadrantStatus defines the observed state of Kuadrant properties: conditions: - description: 'Represents the observations of a foo''s current state. - Known .status.conditions.type are: "Available"' + description: |- + Represents the observations of a foo's current state. + Known .status.conditions.type are: "Available" items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. 
+ description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -1136,11 +1053,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/config/crd/bases/kuadrant.io_ratelimitpolicies.yaml b/config/crd/bases/kuadrant.io_ratelimitpolicies.yaml index 0ea704e41..1c722597c 100644 --- a/config/crd/bases/kuadrant.io_ratelimitpolicies.yaml +++ b/config/crd/bases/kuadrant.io_ratelimitpolicies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gateway.networking.k8s.io/policy: direct name: ratelimitpolicies.kuadrant.io 
@@ -47,14 +47,19 @@ spec: a Gateway API network properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -66,15 +71,16 @@ spec: description: Limit represents a complete rate limit configuration properties: counters: - description: Counters defines additional rate limit counters - based on context qualifiers and well known selectors TODO - Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors + description: |- + Counters defines additional rate limit counters based on context qualifiers and well known selectors + TODO Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors items: - description: 'ContextSelector defines one item from the well - known attributes Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes + description: |- + ContextSelector defines one item from the well known attributes + Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes Well-known selectors: https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors They are named by a dot-separated path (e.g. request.path) - Example: "request.path" -> The path portion of the URL' + Example: "request.path" -> The path portion of the URL maxLength: 253 minLength: 1 type: string @@ -94,8 +100,9 @@ spec: given period of time type: integer unit: - description: 'Duration defines the time uni Possible values - are: "second", "minute", "hour", "day"' + description: |- + Duration defines the time uni + Possible values are: "second", "minute", "hour", "day" enum: - second - minute 
@@ -112,91 +119,101 @@ spec: description: RouteSelectors defines semantics for matching an HTTP request based on conditions items: - description: RouteSelector defines semantics for matching - an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + RouteSelector defines semantics for matching an HTTP request based on conditions + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: Hostnames defines a set of hostname that - should match against the HTTP Host header to select - a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: "Hostname is the fully qualified domain - name of a network host. This matches the RFC 1123 - definition of a hostname with 2 notable exceptions: - \n 1. IPs are not allowed. 2. A hostname may be prefixed - with a wildcard label (`*.`). The wildcard label must - appear by itself as the first label. \n Hostname can - be \"precise\" which is a domain name without the - terminating dot of a network host (e.g. \"foo.example.com\") - or \"wildcard\", which is a domain name prefixed with - a single wildcard label (e.g. `*.example.com`). \n - Note that as per RFC1035 and RFC1123, a *label* must - consist of lower case alphanumeric characters or '-', - and must start and end with an alphanumeric character. - No other punctuation is allowed." + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. 
A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: Matches define conditions used for matching - the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + Matches define conditions used for matching the rule against incoming HTTP requests. + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate used - to match requests to a given action. Multiple match - types are ANDed together, i.e. the match will evaluate - to true only if all conditions are satisfied. \n For + to match requests to a given\naction. Multiple match + types are ANDed together, i.e. 
the match will\nevaluate + to true only if all conditions are satisfied.\n\n\nFor example, the match below will match a HTTP request - only if its path starts with `/foo` AND it contains - the `version: v1` header: \n ``` match: \n path: value: - \"/foo\" headers: - name: \"version\" value \"v1\" - \n ```" + only if its path\nstarts with `/foo` AND it contains + the `version: v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t + \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t + \ value \"v1\"\n\n\n```" properties: headers: - description: Headers specifies HTTP request header - matchers. Multiple match values are ANDed together, - meaning, a request must match all the specified - headers to select the route. + description: |- + Headers specifies HTTP request header matchers. Multiple match values are + ANDed together, meaning, a request must match all the specified headers + to select the route. items: - description: HTTPHeaderMatch describes how to - select a HTTP route by matching HTTP request + description: |- + HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers. properties: name: - description: "Name is the name of the HTTP - Header to be matched. Name matching MUST - be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - \n If multiple entries specify equivalent - header names, only the first entry with - an equivalent name MUST be considered for - a match. Subsequent entries with an equivalent - header name MUST be ignored. Due to the - case-insensitivity of header names, \"foo\" - and \"Foo\" are considered equivalent. \n - When a header is repeated in an HTTP request, - it is implementation-specific behavior as - to how this is represented. Generally, proxies - should follow the guidance from the RFC: - https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 - regarding processing a repeated header, - with special handling for \"Set-Cookie\"." 
+ description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + + + When a header is repeated in an HTTP request, it is + implementation-specific behavior as to how this is represented. + Generally, proxies should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding + processing a repeated header, with special handling for "Set-Cookie". maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: "Type specifies how to match - against the value of the header. \n Support: - Core (Exact) \n Support: Implementation-specific - (RegularExpression) \n Since RegularExpression - HeaderMatchType has implementation-specific - conformance, implementations can support - POSIX, PCRE or any other dialects of regular - expressions. Please read the implementation's - documentation to determine the supported - dialect." + description: |- + Type specifies how to match against the value of the header. + + + Support: Core (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression HeaderMatchType has implementation-specific + conformance, implementations can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's documentation to + determine the supported dialect. enum: - Exact - RegularExpression 
@@ -217,10 +234,13 @@ spec: - name x-kubernetes-list-type: map method: - description: "Method specifies HTTP method matcher. - When specified, this route will be matched only - if the request has the specified method. \n Support: - Extended" + description: |- + Method specifies HTTP method matcher. + When specified, this route will be matched only if the request has the + specified method. + + + Support: Extended enum: - GET - HEAD @@ -236,15 +256,20 @@ spec: default: type: PathPrefix value: / - description: Path specifies a HTTP request path - matcher. If this field is not specified, a default - prefix match on the "/" path is provided. + description: |- + Path specifies a HTTP request path matcher. If this field is not + specified, a default prefix match on the "/" path is provided. properties: type: default: PathPrefix - description: "Type specifies how to match against - the path Value. \n Support: Core (Exact, PathPrefix) - \n Support: Implementation-specific (RegularExpression)" + description: |- + Type specifies how to match against the path Value. + + + Support: Core (Exact, PathPrefix) + + + Support: Implementation-specific (RegularExpression) enum: - Exact - PathPrefix 
@@ -305,53 +330,60 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: "QueryParams specifies HTTP query parameter - matchers. Multiple match values are ANDed together, - meaning, a request must match all the specified - query parameters to select the route. \n Support: - Extended" + description: |- + QueryParams specifies HTTP query parameter matchers. Multiple match + values are ANDed together, meaning, a request must match all the + specified query parameters to select the route. + + + Support: Extended items: - description: HTTPQueryParamMatch describes how - to select a HTTP route by matching HTTP query - parameters. + description: |- + HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP + query parameters. properties: name: - description: "Name is the name of the HTTP - query param to be matched. This must be - an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). - \n If multiple entries specify equivalent - query param names, only the first entry - with an equivalent name MUST be considered - for a match. Subsequent entries with an - equivalent query param name MUST be ignored. - \n If a query param is repeated in an HTTP - request, the behavior is purposely left - undefined, since different data planes have - different capabilities. However, it is *recommended* - that implementations should match against - the first value of the param if the data - plane supports it, as this behavior is expected - in other load balancing contexts outside - of the Gateway API. \n Users SHOULD NOT - route traffic based on repeated query params - to guard themselves against potential differences - in the implementations." + description: |- + Name is the name of the HTTP query param to be matched. This must be an + exact string match. (See + https://tools.ietf.org/html/rfc7230#section-2.7.3). 
+ + + If multiple entries specify equivalent query param names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST be ignored. + + + If a query param is repeated in an HTTP request, the behavior is + purposely left undefined, since different data planes have different + capabilities. However, it is *recommended* that implementations should + match against the first value of the param if the data plane supports it, + as this behavior is expected in other load balancing contexts outside of + the Gateway API. + + + Users SHOULD NOT route traffic based on repeated query params to guard + themselves against potential differences in the implementations. maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: "Type specifies how to match - against the value of the query parameter. - \n Support: Extended (Exact) \n Support: - Implementation-specific (RegularExpression) - \n Since RegularExpression QueryParamMatchType - has Implementation-specific conformance, - implementations can support POSIX, PCRE - or any other dialects of regular expressions. - Please read the implementation's documentation - to determine the supported dialect." + description: |- + Type specifies how to match against the value of the query parameter. + + + Support: Extended (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the implementation's + documentation to determine the supported dialect. enum: - Exact - RegularExpression 
@@ -378,17 +410,18 @@ spec: maxItems: 15 type: array when: - description: When holds the list of conditions for the policy - to be enforced. Called also "soft" conditions as route selectors - must also match + description: |- + When holds the list of conditions for the policy to be enforced. + Called also "soft" conditions as route selectors must also match items: - description: RouteSelector defines semantics for matching - an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: |- + RouteSelector defines semantics for matching an HTTP request based on conditions + https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: operator: - description: 'The binary operator to be applied to the - content fetched from the selector Possible values are: - "eq" (equal to), "neq" (not equal to)' + description: |- + The binary operator to be applied to the content fetched from the selector + Possible values are: "eq" (equal to), "neq" (not equal to) enum: - eq - neq @@ -399,9 +432,9 @@ spec: - matches type: string selector: - description: Selector defines one item from the well known - selectors TODO Document properly "Well-known selector" - https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors + description: |- + Selector defines one item from the well known selectors + TODO Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors maxLength: 253 minLength: 1 type: string 
@@ -439,10 +472,11 @@ spec: minLength: 1 type: string namespace: - description: Namespace is the namespace of the referent. When - unspecified, the local namespace is inferred. Even when policy - targets a resource in a different namespace, it MUST only apply - to traffic originating from the same namespace as the policy. + description: |- + Namespace is the namespace of the referent. When unspecified, the local + namespace is inferred. Even when policy targets a resource in a different + namespace, it MUST only apply to traffic originating from the same + namespace as the policy. maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 
@@ -469,46 +503,47 @@ spec: description: RateLimitPolicyStatus defines the observed state of RateLimitPolicy properties: conditions: - description: 'Represents the observations of a foo''s current state. - Known .status.conditions.type are: "Available"' + description: |- + Represents the observations of a foo's current state. + Known .status.conditions.type are: "Available" items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. 
+ description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -522,11 +557,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/config/crd/bases/kuadrant.io_tlspolicies.yaml b/config/crd/bases/kuadrant.io_tlspolicies.yaml index c1ff4a1ce..8cc9ed990 100644 --- a/config/crd/bases/kuadrant.io_tlspolicies.yaml +++ b/config/crd/bases/kuadrant.io_tlspolicies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gateway.networking.k8s.io/policy: direct name: tlspolicies.kuadrant.io 
@@ -41,14 +41,19 @@ spec: description: TLSPolicy is the Schema for the tlspolicies API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -56,26 +61,30 @@ spec: description: TLSPolicySpec defines the desired state of TLSPolicy properties: commonName: - description: 'CommonName is a common name to be used on the Certificate. - The CommonName should have a length of 64 characters or fewer to - avoid generating invalid CSRs. This value is ignored by TLS clients - when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' + description: |- + CommonName is a common name to be used on the Certificate. + The CommonName should have a length of 64 characters or fewer to avoid + generating invalid CSRs. + This value is ignored by TLS clients when any subject alt name is set. + This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4 type: string duration: - description: The requested 'duration' (i.e. lifetime) of the Certificate. - This option may be ignored/overridden by some issuer types. If unset - this defaults to 90 days. Certificate will be renewed either 2/3 - through its duration or `renewBefore` period before its expiry, - whichever is later. Minimum accepted duration is 1 hour. Value must - be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + description: |- + The requested 'duration' (i.e. lifetime) of the Certificate. This option + may be ignored/overridden by some issuer types. If unset this defaults to + 90 days. Certificate will be renewed either 2/3 through its duration or + `renewBefore` period before its expiry, whichever is later. Minimum + accepted duration is 1 hour. Value must be in units accepted by Go + time.ParseDuration https://golang.org/pkg/time/#ParseDuration type: string issuerRef: - description: IssuerRef is a reference to the issuer for this certificate. + description: |- + IssuerRef is a reference to the issuer for this certificate. 
If the `kind` field is not set, or set to `Issuer`, an Issuer resource - with the given name in the same namespace as the Certificate will - be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer - with the provided name will be used. The `name` field in this stanza - is required at all times. + with the given name in the same namespace as the Certificate will be used. + If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the + provided name will be used. + The `name` field in this stanza is required at all times. properties: group: description: Group of the resource being referred to. 
@@ -93,75 +102,81 @@ spec: description: Options to control private keys used for the Certificate. properties: algorithm: - description: Algorithm is the private key algorithm of the corresponding - private key for this certificate. If provided, allowed values - are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified - and `size` is not provided, key size of 256 will be used for - `ECDSA` key algorithm and key size of 2048 will be used for - `RSA` key algorithm. key size is ignored when using the `Ed25519` - key algorithm. + description: |- + Algorithm is the private key algorithm of the corresponding private key + for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA` + If `algorithm` is specified and `size` is not provided, + key size of 256 will be used for `ECDSA` key algorithm and + key size of 2048 will be used for `RSA` key algorithm. + key size is ignored when using the `Ed25519` key algorithm. enum: - RSA - ECDSA - Ed25519 type: string encoding: - description: The private key cryptography standards (PKCS) encoding - for this certificate's private key to be encoded in. If provided, - allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and - PKCS#8, respectively. Defaults to `PKCS1` if not specified. + description: |- + The private key cryptography standards (PKCS) encoding for this + certificate's private key to be encoded in. + If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 + and PKCS#8, respectively. + Defaults to `PKCS1` if not specified. enum: - PKCS1 - PKCS8 type: string rotationPolicy: - description: RotationPolicy controls how private keys should be - regenerated when a re-issuance is being processed. If set to - Never, a private key will only be generated if one does not - already exist in the target `spec.secretName`. If one does exists - but it does not have the correct algorithm or size, a warning - will be raised to await user intervention. 
If set to Always, - a private key matching the specified requirements will be generated - whenever a re-issuance occurs. Default is 'Never' for backward - compatibility. + description: |- + RotationPolicy controls how private keys should be regenerated when a + re-issuance is being processed. + If set to Never, a private key will only be generated if one does not + already exist in the target `spec.secretName`. If one does exists but it + does not have the correct algorithm or size, a warning will be raised + to await user intervention. + If set to Always, a private key matching the specified requirements + will be generated whenever a re-issuance occurs. + Default is 'Never' for backward compatibility. enum: - Never - Always type: string size: - description: Size is the key bit size of the corresponding private - key for this certificate. If `algorithm` is set to `RSA`, valid - values are `2048`, `4096` or `8192`, and will default to `2048` - if not specified. If `algorithm` is set to `ECDSA`, valid values - are `256`, `384` or `521`, and will default to `256` if not - specified. If `algorithm` is set to `Ed25519`, Size is ignored. + description: |- + Size is the key bit size of the corresponding private key for this certificate. + If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, + and will default to `2048` if not specified. + If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, + and will default to `256` if not specified. + If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed. type: integer type: object renewBefore: - description: How long before the currently issued certificate's expiry - cert-manager should renew the certificate. The default is 2/3 of - the issued certificate's duration. Minimum accepted value is 5 minutes. 
- Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + description: |- + How long before the currently issued certificate's expiry + cert-manager should renew the certificate. The default is 2/3 of the + issued certificate's duration. Minimum accepted value is 5 minutes. + Value must be in units accepted by Go time.ParseDuration + https://golang.org/pkg/time/#ParseDuration type: string revisionHistoryLimit: - description: RevisionHistoryLimit is the maximum number of CertificateRequest - revisions that are maintained in the Certificate's history. Each - revision represents a single `CertificateRequest` created by this - Certificate, either when it was created, renewed, or Spec was changed. - Revisions will be removed by oldest first if the number of revisions - exceeds this number. If set, revisionHistoryLimit must be a value - of `1` or greater. If unset (`nil`), revisions will not be garbage - collected. Default value is `nil`. + description: |- + RevisionHistoryLimit is the maximum number of CertificateRequest revisions + that are maintained in the Certificate's history. Each revision represents + a single `CertificateRequest` created by this Certificate, either when it + was created, renewed, or Spec was changed. Revisions will be removed by + oldest first if the number of revisions exceeds this number. If set, + revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), + revisions will not be garbage collected. Default value is `nil`. format: int32 type: integer targetRef: - description: PolicyTargetReference identifies an API object to apply - a direct or inherited policy to. This should be used as part of - Policy resources that can target Gateway API resources. For more - information on how this policy attachment model works, and a sample - Policy resource, refer to the policy attachment documentation for - Gateway API. 
+ description: |- + PolicyTargetReference identifies an API object to apply a direct or + inherited policy to. This should be used as part of Policy resources + that can target Gateway API resources. For more information on how this + policy attachment model works, and a sample Policy resource, refer to + the policy attachment documentation for Gateway API. properties: group: description: Group is the group of the target resource. @@ -180,10 +195,11 @@ spec: minLength: 1 type: string namespace: - description: Namespace is the namespace of the referent. When - unspecified, the local namespace is inferred. Even when policy - targets a resource in a different namespace, it MUST only apply - to traffic originating from the same namespace as the policy. + description: |- + Namespace is the namespace of the referent. When unspecified, the local + namespace is inferred. Even when policy targets a resource in a different + namespace, it MUST only apply to traffic originating from the same + namespace as the policy. maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ 
@@ -194,19 +210,41 @@ spec: - name type: object usages: - description: Usages is the set of x509 usages that are requested for - the certificate. Defaults to `digital signature` and `key encipherment` - if not specified. + description: |- + Usages is the set of x509 usages that are requested for the certificate. + Defaults to `digital signature` and `key encipherment` if not specified. items: - description: "KeyUsage specifies valid usage contexts for keys. - See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - \n Valid KeyUsage values are as follows: \"signing\", \"digital - signature\", \"content commitment\", \"key encipherment\", \"key - agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", - \"encipher only\", \"decipher only\", \"any\", \"server auth\", - \"client auth\", \"code signing\", \"email protection\", \"s/mime\", - \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", - \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" + description: |- + KeyUsage specifies valid usage contexts for keys. + See: + https://tools.ietf.org/html/rfc5280#section-4.2.1.3 + https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + + + Valid KeyUsage values are as follows: + "signing", + "digital signature", + "content commitment", + "key encipherment", + "key agreement", + "data encipherment", + "cert sign", + "crl sign", + "encipher only", + "decipher only", + "any", + "server auth", + "client auth", + "code signing", + "email protection", + "s/mime", + "ipsec end system", + "ipsec tunnel", + "ipsec user", + "timestamping", + "ocsp signing", + "microsoft sgc", + "netscape sgc" enum: - signing - digital signature 
@@ -241,47 +279,50 @@ spec: description: TLSPolicyStatus defines the observed state of TLSPolicy properties: conditions: - description: "conditions are any conditions associated with the policy - \n If configuring the policy fails, the \"Failed\" condition will - be set with a reason and message describing the cause of the failure." + description: |- + conditions are any conditions associated with the policy + + + If configuring the policy fails, the "Failed" condition will be set with a + reason and message describing the cause of the failure. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. 
This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. 
+ The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -295,11 +336,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -312,10 +354,11 @@ spec: type: object type: array observedGeneration: - description: observedGeneration is the most recently observed generation - of the TLSPolicy. When the TLSPolicy is updated, the controller - updates the corresponding configuration. If an update fails, that - failure is recorded in the status condition + description: |- + observedGeneration is the most recently observed generation of the + TLSPolicy. When the TLSPolicy is updated, the controller updates the + corresponding configuration. If an update fails, that failure is + recorded in the status condition format: int64 type: integer type: object