diff --git a/config/default/custom-resource-state.yaml b/config/default/custom-resource-state.yaml
index c6b5070..eaffa65 100644
--- a/config/default/custom-resource-state.yaml
+++ b/config/default/custom-resource-state.yaml
@@ -607,4 +607,57 @@ spec:
 target_group: ["group"]
 target_kind: ["kind"]
 target_name: ["name"]
- target_namespace: ["namespace"]
\ No newline at end of file
+ target_namespace: ["namespace"]
+ - groupVersionKind:
+ group: kuadrant.io
+ kind: "AuthPolicy"
+ version: "v1beta2"
+ metricNamePrefix: gatewayapi_authpolicy
+ labelsFromPath:
+ name:
+ - metadata
+ - name
+ namespace:
+ - metadata
+ - namespace
+ metrics:
+ - name: "labels"
+ help: "Kubernetes labels converted to Prometheus labels."
+ each:
+ type: Info
+ info:
+ path: [metadata]
+ labelsFromPath:
+ "*": [labels]
+ - name: "created"
+ help: "created timestamp"
+ each:
+ type: Gauge
+ gauge:
+ path: [metadata, creationTimestamp]
+ - name: "deleted"
+ help: "deletion timestamp"
+ each:
+ type: Gauge
+ gauge:
+ path: [metadata, deletionTimestamp]
+ - name: "target_info"
+ help: "Target references that the authpolicy wants to be attached to"
+ each:
+ type: Info
+ info:
+ path: [spec, targetRef]
+ labelsFromPath:
+ target_group: ["group"]
+ target_kind: ["kind"]
+ target_name: ["name"]
+ target_namespace: ["namespace"]
+ - name: "status"
+ help: "status condition"
+ each:
+ type: Gauge
+ gauge:
+ path: [status, conditions]
+ labelsFromPath:
+ type: ["type"]
+ valueFrom: ["status"]
\ No newline at end of file
diff --git a/config/examples/dashboards/policies.json b/config/examples/dashboards/policies.json
index 7780a90..136a476 100644
--- a/config/examples/dashboards/policies.json
+++ b/config/examples/dashboards/policies.json
@@ -89,7 +89,7 @@
 {
 "matcher": {
 "id": "byName",
- "options": "Target Kind"
+ "options": "Target Name"
 },
 "properties": [
 {
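Review bot: The new `labels` metric's `"*": [labels]` wildcard exports every Kubernetes label on an AuthPolicy as a Prometheus label, so series cardinality is bounded only by what users attach to their policies and any sensitive label value ends up in the metrics backend; this mirrors the existing TLSPolicy/RateLimitPolicy entries, but the new block should say so, e.g. `# "*" exports all object labels as metric labels; switch to an explicit allow-list if cardinality or label content is a concern`. The `status` metric's help text `"status condition"` does not say what the gauge value is; `help: "Status condition of the AuthPolicy, value derived from the condition's status field"` would help dashboard authors. The file still ends without a trailing newline after `valueFrom: ["status"]`, as the `\ No newline at end of file` marker shows; adding one avoids the same noise in the next diff. The collapsed whitespace in this view hides YAML indentation, so the nesting under `metrics:` cannot be verified from here.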
@@ -100,8 +100,8 @@
 "id": "links",
 "value": [
 {
- "title": "TLSPolicy Details",
- "url": "/d/gatewayapigateways/gateway-api-state-gateways?var-tlspolicy=${__value.text}"
+ "title": "Gateway Details",
+ "url": "/d/gatewayapigateways/gateway-api-state-gateways?var-gateway=${__value.text}"
 }
 ]
 }
@@ -231,7 +231,7 @@
 {
 "matcher": {
 "id": "byName",
- "options": "Target Kind"
+ "options": "Target Name"
 },
 "properties": [
 {
@@ -242,8 +242,8 @@
 "id": "links",
 "value": [
 {
- "title": "RateLimitPolicy Details",
- "url": "/d/gatewayapihttproutes/gateway-api-state-httproutes?var-ratelimitpolicy=${__value.text}"
+ "title": "HTTPRoute Details",
+ "url": "/d/gatewayapihttproutes/gateway-api-state-httproutes?var-httproute=${__value.text}"
 }
 ]
 }
@@ -306,6 +306,148 @@
 "y": 8
 },
 "id": 9,
+ "title": "AuthPolicy",
+ "type": "row"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "$datasource"
+ },
+ "description": "Total number of AuthPolicy across all clusters",
+ "gridPos": {
+ "h": 3,
+ "w": 2,
+ "x": 0,
+ "y": 9
+ },
+ "id": 10,
+ "pluginVersion": "v10.0.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "$datasource"
+ },
+ "expr": "count(gatewayapi_authpolicy_status{name=~\"${authpolicy}\"})",
+ "instant": true
+ }
+ ],
+ "title": "Total",
+ "type": "stat"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "$datasource"
+ },
+ "description": "Total AuthPolicy with an Available state",
+ "gridPos": {
+ "h": 3,
+ "w": 2,
+ "x": 2,
+ "y": 9
+ },
+ "id": 11,
+ "pluginVersion": "v10.0.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "$datasource"
+ },
+ "expr": "count(gatewayapi_authpolicy_status{type=\"Available\", name=~\"${authpolicy}\"})",
+ "instant": true
+ }
+ ],
+ "title": "Available",
+ "type": "stat"
+ },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "$datasource"
+ },
+ "fieldConfig": {
+ "overrides": [
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "Target Name"
+ },
+ "properties": [
+ {
+ "id": "custom.displayMode",
+ "value": "color-text"
+ },
+ {
+ "id": "links",
+ "value": [
+ {
+ "title": "HTTPRoute Details",
+ "url": "/d/gatewayapihttproutes/gateway-api-state-httproutes?var-httproute=${__value.text}"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "gridPos": {
+ "h": 6,
+ "w": 10,
+ "x": 4,
+ "y": 9
+ },
+ "id": 12,
+ "pluginVersion": "v10.0.0",
+ "targets": [
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "$datasource"
+ },
+ "expr": "gatewayapi_authpolicy_target_info{name=~\"${authpolicy}\"}",
+ "format": "table",
+ "instant": true,
+ "range": false
+ }
+ ],
+ "title": "AuthPolicy",
+ "transformations": [
+ {
+ "id": "filterFieldsByName",
+ "options": {
+ "include": {
+ "names": [
+ "name",
+ "target_kind",
+ "target_name"
+ ]
+ }
+ }
+ },
+ {
+ "id": "organize",
+ "options": {
+ "renameByName": {
+ "name": "Name",
+ "target_kind": "Target Kind",
+ "target_name": "Target Name"
+ }
+ }
+ }
+ ],
+ "type": "table"
+ },
+ {
+ "gridPos": {
+ "h": 1,
+ "w": 24,
+ "x": 0,
+ "y": 10
+ },
+ "id": 13,
 "title": "BackendTLSPolicy",
 "type": "row"
 },
@@ -321,9 +463,9 @@
 "h": 6,
 "w": 10,
 "x": 4,
- "y": 9
+ "y": 10
 },
- "id": 10,
+ "id": 14,
 "pluginVersion": "v10.0.0",
 "targets": [
 {
@@ -411,6 +553,22 @@
 "regex": "/(.*)/",
 "type": "query"
 },
+ {
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${datasource}"
+ },
+ "includeAll": true,
+ "label": "AuthPolicy",
+ "multi": true,
+ "name": "authpolicy",
+ "query": {
+ "query": "label_values(gatewayapi_authpolicy_created, name)",
+ "refId": "StandardVariableQuery"
+ },
+ "regex": "/(.*)/",
+ "type": "query"
+ },
 {
 "datasource": {
 "type": "prometheus",
diff --git a/config/examples/dashboards/policies.yaml b/config/examples/dashboards/policies.yaml
index 9eec624..a09c8f1 100644
--- a/config/examples/dashboards/policies.yaml
+++ b/config/examples/dashboards/policies.yaml
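Review bot: The "Available" stat panel's expression `count(gatewayapi_authpolicy_status{type="Available", name=~"${authpolicy}"})` counts every series that carries an Available condition rather than the policies whose condition is true, because `count()` ignores the sample value; if kube-state-metrics maps the condition's `status` field to 1/0 as the new `valueFrom: ["status"]` entry in custom-resource-state.yaml suggests, a policy with Available=False is still counted as available. Filtering on the value, e.g. `count(gatewayapi_authpolicy_status{type="Available", name=~"${authpolicy}"} == 1)`, would match the panel's description. The same shape is used by the existing TLSPolicy and RateLimitPolicy panels and by the copy of this dashboard in config/examples/kube-prometheus/bundle.yaml, so the fix should be applied to all of them together. The `Target Name` link always opens the HTTPRoute dashboard even though `target_info` also exports `target_kind`, so a policy targeting another kind would link to the wrong dashboard; worth confirming against the kinds an AuthPolicy may target.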
@@ -7,4 +7,4 @@ spec: matchLabels: dashboards: "grafana" json: > - {"editable":false,"links":[{"asDropdown":false,"includeVars":true,"keepTime":true,"tags":["gateway-api-state"],"targetBlank":false,"title":"Gateway Dashboards","type":"dashboards"}],"panels":[{"gridPos":{"h":1,"w":24,"x":0,"y":0},"id":1,"title":"TLSPolicy","type":"row"},{"datasource":{"type":"prometheus","uid":"$datasource"},"description":"Total number of TLSPolicy across all clusters","gridPos":{"h":3,"w":2,"x":0,"y":1},"id":2,"pluginVersion":"v10.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"count(gatewayapi_tlspolicy_status{name=~\"${tlspolicy}\"})","instant":true}],"title":"Total","type":"stat"},{"datasource":{"type":"prometheus","uid":"$datasource"},"description":"Total TLSPolicy with an Ready state","gridPos":{"h":3,"w":2,"x":2,"y":1},"id":3,"pluginVersion":"v10.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"count(gatewayapi_tlspolicy_status{type=\"Ready\", name=~\"${tlspolicy}\"})","instant":true}],"title":"Ready","type":"stat"},{"datasource":{"type":"prometheus","uid":"$datasource"},"fieldConfig":{"overrides":[{"matcher":{"id":"byName","options":"Target Kind"},"properties":[{"id":"custom.displayMode","value":"color-text"},{"id":"links","value":[{"title":"TLSPolicy Details","url":"/d/gatewayapigateways/gateway-api-state-gateways?var-tlspolicy=${__value.text}"}]}]}]},"gridPos":{"h":6,"w":10,"x":4,"y":1},"id":4,"pluginVersion":"v10.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"gatewayapi_tlspolicy_target_info{name=~\"${tlspolicy}\"}","format":"table","instant":true,"range":false}],"title":"TLSPolicy","transformations":[{"id":"filterFieldsByName","options":{"include":{"names":["name","target_kind","target_name"]}}},{"id":"organize","options":{"renameByName":{"name":"Name","target_kind":"Target Kind","target_name":"Target 
Name"}}}],"type":"table"},{"gridPos":{"h":1,"w":24,"x":0,"y":2},"id":5,"title":"RateLimitPolicy","type":"row"},{"datasource":{"type":"prometheus","uid":"$datasource"},"description":"Total number of RateLimitPolicy across all clusters","gridPos":{"h":3,"w":2,"x":0,"y":3},"id":6,"pluginVersion":"v10.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"count(gatewayapi_ratelimitpolicy_status{name=~\"${ratelimitpolicy}\"})","instant":true}],"title":"Total","type":"stat"},{"datasource":{"type":"prometheus","uid":"$datasource"},"description":"Total RateLimitPolicy with an Available state","gridPos":{"h":3,"w":2,"x":2,"y":3},"id":7,"pluginVersion":"v10.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"count(gatewayapi_ratelimitpolicy_status{type=\"Available\", name=~\"${ratelimitpolicy}\"})","instant":true}],"title":"Available","type":"stat"},{"datasource":{"type":"prometheus","uid":"$datasource"},"fieldConfig":{"overrides":[{"matcher":{"id":"byName","options":"Target Kind"},"properties":[{"id":"custom.displayMode","value":"color-text"},{"id":"links","value":[{"title":"RateLimitPolicy Details","url":"/d/gatewayapihttproutes/gateway-api-state-httproutes?var-ratelimitpolicy=${__value.text}"}]}]}]},"gridPos":{"h":6,"w":10,"x":4,"y":7},"id":8,"pluginVersion":"v10.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"gatewayapi_ratelimitpolicy_target_info{name=~\"${ratelimitpolicy}\"}","format":"table","instant":true,"range":false}],"title":"RateLimitPolicy","transformations":[{"id":"filterFieldsByName","options":{"include":{"names":["name","target_kind","target_name"]}}},{"id":"organize","options":{"renameByName":{"name":"Name","target_kind":"Target Kind","target_name":"Target 
Name"}}}],"type":"table"},{"gridPos":{"h":1,"w":24,"x":0,"y":8},"id":9,"title":"BackendTLSPolicy","type":"row"},{"datasource":{"type":"prometheus","uid":"$datasource"},"fieldConfig":{"overrides":[]},"gridPos":{"h":6,"w":10,"x":4,"y":9},"id":10,"pluginVersion":"v10.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"gatewayapi_backendtlspolicy_target_info{name=~\"${backendtlspolicy}\"}","format":"table","instant":true,"range":false}],"title":"BackendTLSPolicy","transformations":[{"id":"filterFieldsByName","options":{"include":{"names":["name","target_kind","target_name"]}}},{"id":"organize","options":{"renameByName":{"name":"Name","target_kind":"Target Kind","target_name":"Target Name"}}}],"type":"table"}],"schemaVersion":36,"style":"dark","tags":["gateway-api","gateway-api-state"],"templating":{"list":[{"label":"Data Source","name":"datasource","query":"prometheus","type":"datasource"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"includeAll":true,"label":"TLSPolicy","multi":true,"name":"tlspolicy","query":{"query":"label_values(gatewayapi_tlspolicy_created, name)","refId":"StandardVariableQuery"},"regex":"/(.*)/","type":"query"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"includeAll":true,"label":"RateLimitPolicy","multi":true,"name":"ratelimitpolicy","query":{"query":"label_values(gatewayapi_ratelimitpolicy_created, name)","refId":"StandardVariableQuery"},"regex":"/(.*)/","type":"query"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"includeAll":true,"label":"BackendTLSPolicy","multi":true,"name":"backendtlspolicy","query":{"query":"label_values(gatewayapi_backendtlspolicy_created, name)","refId":"StandardVariableQuery"},"regex":"/(.*)/","type":"query"}]},"time":{"from":"now-1h","to":"now"},"timezone":"utc","title":"Gateway API State / Policies","uid":"gatewayapipolicies"} + 
{"editable":false,"links":[{"asDropdown":false,"includeVars":true,"keepTime":true,"tags":["gateway-api-state"],"targetBlank":false,"title":"Gateway Dashboards","type":"dashboards"}],"panels":[{"gridPos":{"h":1,"w":24,"x":0,"y":0},"id":1,"title":"TLSPolicy","type":"row"},{"datasource":{"type":"prometheus","uid":"$datasource"},"description":"Total number of TLSPolicy across all clusters","gridPos":{"h":3,"w":2,"x":0,"y":1},"id":2,"pluginVersion":"v10.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"count(gatewayapi_tlspolicy_status{name=~\"${tlspolicy}\"})","instant":true}],"title":"Total","type":"stat"},{"datasource":{"type":"prometheus","uid":"$datasource"},"description":"Total TLSPolicy with an Ready state","gridPos":{"h":3,"w":2,"x":2,"y":1},"id":3,"pluginVersion":"v10.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"count(gatewayapi_tlspolicy_status{type=\"Ready\", name=~\"${tlspolicy}\"})","instant":true}],"title":"Ready","type":"stat"},{"datasource":{"type":"prometheus","uid":"$datasource"},"fieldConfig":{"overrides":[{"matcher":{"id":"byName","options":"Target Name"},"properties":[{"id":"custom.displayMode","value":"color-text"},{"id":"links","value":[{"title":"Gateway Details","url":"/d/gatewayapigateways/gateway-api-state-gateways?var-gateway=${__value.text}"}]}]}]},"gridPos":{"h":6,"w":10,"x":4,"y":1},"id":4,"pluginVersion":"v10.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"gatewayapi_tlspolicy_target_info{name=~\"${tlspolicy}\"}","format":"table","instant":true,"range":false}],"title":"TLSPolicy","transformations":[{"id":"filterFieldsByName","options":{"include":{"names":["name","target_kind","target_name"]}}},{"id":"organize","options":{"renameByName":{"name":"Name","target_kind":"Target Kind","target_name":"Target 
Name"}}}],"type":"table"},{"gridPos":{"h":1,"w":24,"x":0,"y":2},"id":5,"title":"RateLimitPolicy","type":"row"},{"datasource":{"type":"prometheus","uid":"$datasource"},"description":"Total number of RateLimitPolicy across all clusters","gridPos":{"h":3,"w":2,"x":0,"y":3},"id":6,"pluginVersion":"v10.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"count(gatewayapi_ratelimitpolicy_status{name=~\"${ratelimitpolicy}\"})","instant":true}],"title":"Total","type":"stat"},{"datasource":{"type":"prometheus","uid":"$datasource"},"description":"Total RateLimitPolicy with an Available state","gridPos":{"h":3,"w":2,"x":2,"y":3},"id":7,"pluginVersion":"v10.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"count(gatewayapi_ratelimitpolicy_status{type=\"Available\", name=~\"${ratelimitpolicy}\"})","instant":true}],"title":"Available","type":"stat"},{"datasource":{"type":"prometheus","uid":"$datasource"},"fieldConfig":{"overrides":[{"matcher":{"id":"byName","options":"Target Name"},"properties":[{"id":"custom.displayMode","value":"color-text"},{"id":"links","value":[{"title":"HTTPRoute Details","url":"/d/gatewayapihttproutes/gateway-api-state-httproutes?var-httproute=${__value.text}"}]}]}]},"gridPos":{"h":6,"w":10,"x":4,"y":7},"id":8,"pluginVersion":"v10.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"gatewayapi_ratelimitpolicy_target_info{name=~\"${ratelimitpolicy}\"}","format":"table","instant":true,"range":false}],"title":"RateLimitPolicy","transformations":[{"id":"filterFieldsByName","options":{"include":{"names":["name","target_kind","target_name"]}}},{"id":"organize","options":{"renameByName":{"name":"Name","target_kind":"Target Kind","target_name":"Target Name"}}}],"type":"table"},{"gridPos":{"h":1,"w":24,"x":0,"y":8},"id":9,"title":"AuthPolicy","type":"row"},{"datasource":{"type":"prometheus","uid":"$datasource"},"description":"Total number of AuthPolicy across all 
clusters","gridPos":{"h":3,"w":2,"x":0,"y":9},"id":10,"pluginVersion":"v10.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"count(gatewayapi_authpolicy_status{name=~\"${authpolicy}\"})","instant":true}],"title":"Total","type":"stat"},{"datasource":{"type":"prometheus","uid":"$datasource"},"description":"Total AuthPolicy with an Available state","gridPos":{"h":3,"w":2,"x":2,"y":9},"id":11,"pluginVersion":"v10.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"count(gatewayapi_authpolicy_status{type=\"Available\", name=~\"${authpolicy}\"})","instant":true}],"title":"Available","type":"stat"},{"datasource":{"type":"prometheus","uid":"$datasource"},"fieldConfig":{"overrides":[{"matcher":{"id":"byName","options":"Target Name"},"properties":[{"id":"custom.displayMode","value":"color-text"},{"id":"links","value":[{"title":"HTTPRoute Details","url":"/d/gatewayapihttproutes/gateway-api-state-httproutes?var-httproute=${__value.text}"}]}]}]},"gridPos":{"h":6,"w":10,"x":4,"y":9},"id":12,"pluginVersion":"v10.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"gatewayapi_authpolicy_target_info{name=~\"${authpolicy}\"}","format":"table","instant":true,"range":false}],"title":"AuthPolicy","transformations":[{"id":"filterFieldsByName","options":{"include":{"names":["name","target_kind","target_name"]}}},{"id":"organize","options":{"renameByName":{"name":"Name","target_kind":"Target Kind","target_name":"Target 
Name"}}}],"type":"table"},{"gridPos":{"h":1,"w":24,"x":0,"y":10},"id":13,"title":"BackendTLSPolicy","type":"row"},{"datasource":{"type":"prometheus","uid":"$datasource"},"fieldConfig":{"overrides":[]},"gridPos":{"h":6,"w":10,"x":4,"y":10},"id":14,"pluginVersion":"v10.0.0","targets":[{"datasource":{"type":"prometheus","uid":"$datasource"},"expr":"gatewayapi_backendtlspolicy_target_info{name=~\"${backendtlspolicy}\"}","format":"table","instant":true,"range":false}],"title":"BackendTLSPolicy","transformations":[{"id":"filterFieldsByName","options":{"include":{"names":["name","target_kind","target_name"]}}},{"id":"organize","options":{"renameByName":{"name":"Name","target_kind":"Target Kind","target_name":"Target Name"}}}],"type":"table"}],"schemaVersion":36,"style":"dark","tags":["gateway-api","gateway-api-state"],"templating":{"list":[{"label":"Data Source","name":"datasource","query":"prometheus","type":"datasource"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"includeAll":true,"label":"TLSPolicy","multi":true,"name":"tlspolicy","query":{"query":"label_values(gatewayapi_tlspolicy_created, name)","refId":"StandardVariableQuery"},"regex":"/(.*)/","type":"query"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"includeAll":true,"label":"RateLimitPolicy","multi":true,"name":"ratelimitpolicy","query":{"query":"label_values(gatewayapi_ratelimitpolicy_created, name)","refId":"StandardVariableQuery"},"regex":"/(.*)/","type":"query"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"includeAll":true,"label":"AuthPolicy","multi":true,"name":"authpolicy","query":{"query":"label_values(gatewayapi_authpolicy_created, name)","refId":"StandardVariableQuery"},"regex":"/(.*)/","type":"query"},{"datasource":{"type":"prometheus","uid":"${datasource}"},"includeAll":true,"label":"BackendTLSPolicy","multi":true,"name":"backendtlspolicy","query":{"query":"label_values(gatewayapi_backendtlspolicy_created, 
name)","refId":"StandardVariableQuery"},"regex":"/(.*)/","type":"query"}]},"time":{"from":"now-1h","to":"now"},"timezone":"utc","title":"Gateway API State / Policies","uid":"gatewayapipolicies"} diff --git a/config/examples/kube-prometheus/bundle.yaml b/config/examples/kube-prometheus/bundle.yaml index 3fa64e1..34d60f4 100644 --- a/config/examples/kube-prometheus/bundle.yaml +++ b/config/examples/kube-prometheus/bundle.yaml @@ -1593,6 +1593,59 @@ data: target_kind: ["kind"] target_name: ["name"] target_namespace: ["namespace"] + - groupVersionKind: + group: kuadrant.io + kind: "AuthPolicy" + version: "v1beta2" + metricNamePrefix: gatewayapi_authpolicy + labelsFromPath: + name: + - metadata + - name + namespace: + - metadata + - namespace + metrics: + - name: "labels" + help: "Kubernetes labels converted to Prometheus labels." + each: + type: Info + info: + path: [metadata] + labelsFromPath: + "*": [labels] + - name: "created" + help: "created timestamp" + each: + type: Gauge + gauge: + path: [metadata, creationTimestamp] + - name: "deleted" + help: "deletion timestamp" + each: + type: Gauge + gauge: + path: [metadata, deletionTimestamp] + - name: "target_info" + help: "Target references that the authpolicy wants to be attached to" + each: + type: Info + info: + path: [spec, targetRef] + labelsFromPath: + target_group: ["group"] + target_kind: ["kind"] + target_name: ["name"] + target_namespace: ["namespace"] + - name: "status" + help: "status condition" + each: + type: Gauge + gauge: + path: [status, conditions] + labelsFromPath: + type: ["type"] + valueFrom: ["status"] kind: ConfigMap metadata: name: custom-resource-state @@ -41289,7 +41342,7 @@ data: { "matcher": { "id": "byName", - "options": "Target Kind" + "options": "Target Name" }, "properties": [ { 
@@ -41300,8 +41353,8 @@ data: "id": "links", "value": [ { - "title": "TLSPolicy Details", - "url": "/d/gatewayapigateways/gateway-api-state-gateways?var-tlspolicy=${__value.text}" + "title": "Gateway Details", + "url": "/d/gatewayapigateways/gateway-api-state-gateways?var-gateway=${__value.text}" } ] } @@ -41431,7 +41484,7 @@ data: { "matcher": { "id": "byName", - "options": "Target Kind" + "options": "Target Name" }, "properties": [ { @@ -41442,8 +41495,8 @@ data: "id": "links", "value": [ { - "title": "RateLimitPolicy Details", - "url": "/d/gatewayapihttproutes/gateway-api-state-httproutes?var-ratelimitpolicy=${__value.text}" + "title": "HTTPRoute Details", + "url": "/d/gatewayapihttproutes/gateway-api-state-httproutes?var-httproute=${__value.text}" } ] } 
@@ -41506,6 +41559,148 @@ data: "y": 8 }, "id": 9, + "title": "AuthPolicy", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "description": "Total number of AuthPolicy across all clusters", + "gridPos": { + "h": 3, + "w": 2, + "x": 0, + "y": 9 + }, + "id": 10, + "pluginVersion": "v10.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "expr": "count(gatewayapi_authpolicy_status{name=~\"${authpolicy}\"})", + "instant": true + } + ], + "title": "Total", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "description": "Total AuthPolicy with an Available state", + "gridPos": { + "h": 3, + "w": 2, + "x": 2, + "y": 9 + }, + "id": 11, + "pluginVersion": "v10.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "expr": "count(gatewayapi_authpolicy_status{type=\"Available\", name=~\"${authpolicy}\"})", + "instant": true + } + ], + "title": "Available", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "fieldConfig": { + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "Target Name" + }, + "properties": [ + { + "id": "custom.displayMode", + "value": "color-text" + }, + { + "id": "links", + "value": [ + { + "title": "HTTPRoute Details", + "url": "/d/gatewayapihttproutes/gateway-api-state-httproutes?var-httproute=${__value.text}" + } + ] + } + ] + } + ] + }, + "gridPos": { + "h": 6, + "w": 10, + "x": 4, + "y": 9 + }, + "id": 12, + "pluginVersion": "v10.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "expr": "gatewayapi_authpolicy_target_info{name=~\"${authpolicy}\"}", + "format": "table", + "instant": true, + "range": false + } + ], + "title": "AuthPolicy", + "transformations": [ + { + "id": "filterFieldsByName", + "options": { + "include": { + "names": [ + "name", + "target_kind", + 
"target_name" + ] + } + } + }, + { + "id": "organize", + "options": { + "renameByName": { + "name": "Name", + "target_kind": "Target Kind", + "target_name": "Target Name" + } + } + } + ], + "type": "table" + }, + { + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 10 + }, + "id": 13, "title": "BackendTLSPolicy", "type": "row" }, @@ -41521,9 +41716,9 @@ data: "h": 6, "w": 10, "x": 4, - "y": 9 + "y": 10 }, - "id": 10, + "id": 14, "pluginVersion": "v10.0.0", "targets": [ { @@ -41611,6 +41806,22 @@ data: "regex": "/(.*)/", "type": "query" }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "includeAll": true, + "label": "AuthPolicy", + "multi": true, + "name": "authpolicy", + "query": { + "query": "label_values(gatewayapi_authpolicy_created, name)", + "refId": "StandardVariableQuery" + }, + "regex": "/(.*)/", + "type": "query" + }, { "datasource": { "type": "prometheus", @@ -41639,7 +41850,7 @@ data: } kind: ConfigMap metadata: - name: grafana-policies-7kt676htbd + name: grafana-policies-tc54tb8694 namespace: monitoring --- @@ -44394,7 +44605,7 @@ spec: name: grafana-tlsroutes - configMap: defaultMode: 420 - name: grafana-policies-7kt676htbd + name: grafana-policies-tc54tb8694 name: grafana-policies - configMap: defaultMode: 420 diff --git a/config/kuadrant/clusterrole-patch.yaml b/config/kuadrant/clusterrole-patch.yaml index 684cf2e..029dbde 100644 --- a/config/kuadrant/clusterrole-patch.yaml +++ b/config/kuadrant/clusterrole-patch.yaml @@ -16,6 +16,7 @@ resources: - tlspolicies - ratelimitpolicies + - authpolicies verbs: - list - watch diff --git a/config/kuadrant/crd/kuadrant.io_authpolicies.yaml b/config/kuadrant/crd/kuadrant.io_authpolicies.yaml new file mode 100644 index 0000000..33bb54b --- /dev/null +++ b/config/kuadrant/crd/kuadrant.io_authpolicies.yaml 
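Review bot: The `- authpolicies` entry added to the ClusterRole patch grants only `list` and `watch`, which is the least kube-state-metrics needs to serve the new `gatewayapi_authpolicy_*` metrics, but no corresponding RBAC change appears in the config/examples/kube-prometheus/bundle.yaml section of this diff even though that bundle receives the new AuthPolicy custom-resource-state entry and dashboard panels. Unless the bundle's ClusterRole is produced from a different source, the example deployment would be denied list/watch on `authpolicies.kuadrant.io` and the AuthPolicy panels would stay empty; regenerating the bundle after this patch, or adding the resource to its ClusterRole, would close the gap. The `apiGroups` this rule belongs to is outside the hunk, so the view here cannot confirm the resource is scoped to `kuadrant.io`.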
@@ -0,0 +1,2541 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: authpolicies.kuadrant.io +spec: + group: kuadrant.io + names: + kind: AuthPolicy + listKind: AuthPolicyList + plural: authpolicies + singular: authpolicy + scope: Namespaced + versions: + - name: v1beta2 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + routes: + description: 'Route rules specify the HTTP route attributes that trigger + the external authorization service TODO(@guicassolato): remove – + conditions to trigger the ext-authz service will be computed from + `routeSelectors`' + items: + properties: + hosts: + items: + type: string + type: array + methods: + items: + type: string + type: array + paths: + items: + type: string + type: array + type: object + type: array + rules: + description: The auth rules of the policy. See Authorino's AuthConfig + CRD for more details. + properties: + authentication: + additionalProperties: + properties: + anonymous: + description: Anonymous access. + type: object + apiKey: + description: Authentication based on API keys stored in + Kubernetes secrets. 
+ properties: + allNamespaces: + default: false + description: Whether Authorino should look for API key + secrets in all namespaces or only in the same namespace + as the AuthConfig. Enabling this option in namespaced + Authorino instances has no effect. + type: boolean + selector: + description: Label selector used by Authorino to match + secrets from the cluster storing valid credentials + to authenticate to this service + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - selector + type: object + cache: + description: Caching options for the resolved object returned + when applying this config. Omit it to avoid caching objects + for this config. 
+ properties: + key: + description: Key used to store the entry in the cache. + The resolved key must be unique within the scope of + this particular config. + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external data + in the cache before pulled again from the source. + type: integer + required: + - key + type: object + credentials: + description: Defines where credentials are required to be + passed in the request for authentication based on this + config. If omitted, it defaults to credentials passed + in the HTTP Authorization header and the "Bearer" prefix + prepended to the secret credential value. + properties: + authorizationHeader: + properties: + prefix: + type: string + type: object + cookie: + properties: + name: + type: string + required: + - name + type: object + customHeader: + properties: + name: + type: string + required: + - name + type: object + queryString: + properties: + name: + type: string + required: + - name + type: object + type: object + defaults: + additionalProperties: + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. 
The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Set default property values (claims) for the + resolved identity object, that are set before appending + the object to the authorization JSON. If the property + is already present in the resolved identity object, the + default value is ignored. It requires the resolved identity + object to always be a JSON object. Do not use this option + with identity objects of other JSON types (array, string, + etc). + type: object + jwt: + description: Authentication based on JWT tokens. + properties: + issuerUrl: + description: URL of the issuer of the JWT. If `jwksUrl` + is omitted, Authorino will append the path to the + OpenID Connect Well-Known Discovery endpoint (i.e. + "/.well-known/openid-configuration") to this URL, + to discover the OIDC configuration where to obtain + the "jkws_uri" claim from. The value must coincide + with the value of the "iss" (issuer) claim of the + discovered OpenID Connect configuration. + type: string + ttl: + description: Decides how long to wait before refreshing + the JWKS (in seconds). If omitted, Authorino will + never refresh the JWKS. + type: integer + type: object + kubernetesTokenReview: + description: Authentication by Kubernetes token review. + properties: + audiences: + description: The list of audiences (scopes) that must + be claimed in a Kubernetes authentication token supplied + in the request, and reviewed by Authorino. If omitted, + Authorino will review tokens expecting the host name + of the requested protected service amongst the audiences. 
+ items: + type: string + type: array + type: object + metrics: + default: false + description: Whether this config should generate individual + observability metrics + type: boolean + oauth2Introspection: + description: Authentication by OAuth2 token introspection. + properties: + credentialsRef: + description: Reference to a Kubernetes secret in the + same namespace, that stores client credentials to + the OAuth2 server. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + type: object + x-kubernetes-map-type: atomic + endpoint: + description: The full URL of the token introspection + endpoint. + type: string + tokenTypeHint: + description: The token type hint for the token introspection. + If omitted, it defaults to "access_token". + type: string + required: + - credentialsRef + - endpoint + type: object + overrides: + additionalProperties: + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Overrides the resolved identity object by setting + the additional properties (claims) specified in this config, + before appending the object to the authorization JSON. + It requires the resolved identity object to always be + a JSON object. Do not use this option with identity objects + of other JSON types (array, string, etc). 
+ type: object + plain: + description: Identity object extracted from the context. + Use this method when authentication is performed beforehand + by a proxy and the resulting object passed to Authorino + as JSON in the auth request. + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve to + patterns (e.g. "Hello, {auth.identity.name}!"). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + required: + - selector + type: object + priority: + default: 0 + description: Priority group of the config. All configs in + the same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. + type: integer + when: + description: Conditions for Authorino to enforce this config. + If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to + be enforced; otherwise, the config will be skipped. + items: + properties: + operator: + description: 'The binary operator to be applied to + the content fetched from the authorization JSON, + for comparison with "value". Possible values are: + "eq" (equal to), "neq" (not equal to), "incl" (includes; + for arrays), "excl" (excludes; for arrays), "matches" + (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Reference to a named set of pattern expressions + type: string + selector: + description: Path selector to fetch content from the + authorization JSON (e.g. 'request.method'). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path modifiers + are also supported. 
+ type: string + value: + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the value + must compile to a valid Golang regex. + type: string + type: object + type: array + x509: + description: Authentication based on client X.509 certificates. + The certificates presented by the clients must be signed + by a trusted CA whose certificates are stored in Kubernetes + secrets. + properties: + allNamespaces: + default: false + description: Whether Authorino should look for TLS secrets + in all namespaces or only in the same namespace as + the AuthConfig. Enabling this option in namespaced + Authorino instances has no effect. + type: boolean + selector: + description: Label selector used by Authorino to match + secrets from the cluster storing trusted CA certificates + to validate clients trying to authenticate to this + service + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - selector + type: object + type: object + description: Authentication configs. At least one config MUST + evaluate to a valid identity object for the auth request to + be successful. + type: object + authorization: + additionalProperties: + properties: + cache: + description: Caching options for the resolved object returned + when applying this config. Omit it to avoid caching objects + for this config. + properties: + key: + description: Key used to store the entry in the cache. + The resolved key must be unique within the scope of + this particular config. + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external data + in the cache before pulled again from the source. + type: integer + required: + - key + type: object + kubernetesSubjectAccessReview: + description: Authorization by Kubernetes SubjectAccessReview + properties: + groups: + description: Groups the user must be a member of or, + if `user` is omitted, the groups to check for authorization + in the Kubernetes RBAC. 
+ items: + type: string + type: array + resourceAttributes: + description: Use resourceAttributes to check permissions + on Kubernetes resources. If omitted, it performs a + non-resource SubjectAccessReview, with verb and path + inferred from the request. + properties: + group: + description: API group of the resource. Use '*' + for all API groups. + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + name: + description: Resource name Omit it to check for + authorization on all resources of the specified + kind. + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + namespace: + description: Namespace where the user must have + permissions on the resource. + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. 
"Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + resource: + description: Resource kind Use '*' for all resource + kinds. + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + subresource: + description: Subresource kind + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + verb: + description: Verb to check for authorization on + the resource. Use '*' for all verbs. + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. 
+ ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + user: + description: User to check for authorization in the + Kubernetes RBAC. Omit it to check for group authorization + only. + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + metrics: + default: false + description: Whether this config should generate individual + observability metrics + type: boolean + opa: + description: Open Policy Agent (OPA) Rego policy. + properties: + allValues: + default: false + description: Returns the value of all Rego rules in + the virtual document. Values can be read in subsequent + evaluators/phases of the Auth Pipeline. Otherwise, + only the default `allow` rule will be exposed. Returning + all Rego rules can affect performance of OPA policies + during reconciliation (policy precompile) and at runtime. + type: boolean + externalPolicy: + description: 'Settings for fetching the OPA policy from + an external registry. Use it alternatively to ''rego''. 
+ For the configurations of the HTTP request, the following + options are not implemented: ''method'', ''body'', + ''bodyParameters'', ''contentType'', ''headers'', + ''oauth2''. Use it only with: ''url'', ''sharedSecret'', + ''credentials''.' + properties: + body: + description: Raw body of the HTTP request. Supersedes + 'bodyParameters'; use either one or the other. + Use it with method=POST; for GET requests, set + parameters as query string in the 'endpoint' (placeholders + can be used). + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + bodyParameters: + additionalProperties: + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Custom parameters to encode in the + body of the HTTP request. Superseded by 'body'; + use either one or the other. 
Use it with method=POST; + for GET requests, set parameters as query string + in the 'endpoint' (placeholders can be used). + type: object + contentType: + default: application/x-www-form-urlencoded + description: Content-Type of the request body. Shapes + how 'bodyParameters' are encoded. Use it with + method=POST; for GET requests, Content-Type is + automatically set to 'text/plain'. + enum: + - application/x-www-form-urlencoded + - application/json + type: string + credentials: + description: Defines where client credentials will + be passed in the request to the service. If omitted, + it defaults to client credentials passed in the + HTTP Authorization header and the "Bearer" prefix + expected prepended to the secret value. + properties: + authorizationHeader: + properties: + prefix: + type: string + type: object + cookie: + properties: + name: + type: string + required: + - name + type: object + customHeader: + properties: + name: + type: string + required: + - name + type: object + queryString: + properties: + name: + type: string + required: + - name + type: object + type: object + headers: + additionalProperties: + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Custom headers in the HTTP request. + type: object + method: + default: GET + description: 'HTTP verb used in the request to the + service. Accepted values: GET (default), POST. 
+ When the request method is POST, the authorization + JSON is passed in the body of the request.' + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - HEAD + - OPTIONS + - CONNECT + - TRACE + type: string + oauth2: + description: Authentication with the HTTP service + by OAuth2 Client Credentials grant. + properties: + cache: + default: true + description: Caches and reuses the token until + expired. Set it to false to force fetch the + token at every authorization request regardless + of expiration. + type: boolean + clientId: + description: OAuth2 Client ID. + type: string + clientSecretRef: + description: Reference to a Kuberentes Secret + key that stores that OAuth2 Client Secret. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: The name of the secret in the + Authorino's namespace to select from. + type: string + required: + - key + - name + type: object + extraParams: + additionalProperties: + type: string + description: Optional extra parameters for the + requests to the token URL. + type: object + scopes: + description: Optional scopes for the client + credentials grant, if supported by he OAuth2 + server. + items: + type: string + type: array + tokenUrl: + description: Token endpoint URL of the OAuth2 + resource server. + type: string + required: + - clientId + - clientSecretRef + - tokenUrl + type: object + sharedSecretRef: + description: Reference to a Secret key whose value + will be passed by Authorino in the request. The + HTTP service can use the shared secret to authenticate + the origin of the request. Ignored if used together + with oauth2. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. 
+ type: string + required: + - key + - name + type: object + ttl: + description: Duration (in seconds) of the external + data in the cache before pulled again from the + source. + type: integer + url: + description: Endpoint URL of the HTTP service. The + value can include variable placeholders in the + format "{selector}", where "selector" is any pattern + supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. + E.g. https://ext-auth-server.io/metadata?p={request.path} + type: string + required: + - url + type: object + rego: + description: Authorization policy as a Rego language + document. The Rego document must include the "allow" + condition, set by Authorino to "false" by default + (i.e. requests are unauthorized unless changed). The + Rego document must NOT include the "package" declaration + in line 1. + type: string + type: object + patternMatching: + description: Pattern-matching authorization rules. + properties: + patterns: + items: + properties: + operator: + description: 'The binary operator to be applied + to the content fetched from the authorization + JSON, for comparison with "value". Possible + values are: "eq" (equal to), "neq" (not equal + to), "incl" (includes; for arrays), "excl" (excludes; + for arrays), "matches" (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Reference to a named set of pattern + expressions + type: string + selector: + description: Path selector to fetch content from + the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path modifiers + are also supported. + type: string + value: + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the + value must compile to a valid Golang regex. 
+ type: string + type: object + type: array + required: + - patterns + type: object + priority: + default: 0 + description: Priority group of the config. All configs in + the same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. + type: integer + spicedb: + description: Authorization decision delegated to external + Authzed/SpiceDB server. + properties: + endpoint: + description: Hostname and port number to the GRPC interface + of the SpiceDB server (e.g. spicedb:50051). + type: string + insecure: + description: Insecure HTTP connection (i.e. disables + TLS verification) + type: boolean + permission: + description: The name of the permission (or relation) + on which to execute the check. + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + resource: + description: The resource on which to check the permission + or relation. + properties: + kind: + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' 
+ type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + name: + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + sharedSecretRef: + description: Reference to a Secret key whose value will + be used by Authorino to authenticate with the Authzed + service. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + subject: + description: The subject that will be checked for the + permission or relation. + properties: + kind: + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' 
+ type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + name: + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + required: + - endpoint + type: object + when: + description: Conditions for Authorino to enforce this config. + If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to + be enforced; otherwise, the config will be skipped. + items: + properties: + operator: + description: 'The binary operator to be applied to + the content fetched from the authorization JSON, + for comparison with "value". Possible values are: + "eq" (equal to), "neq" (not equal to), "incl" (includes; + for arrays), "excl" (excludes; for arrays), "matches" + (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Reference to a named set of pattern expressions + type: string + selector: + description: Path selector to fetch content from the + authorization JSON (e.g. 'request.method'). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path modifiers + are also supported. + type: string + value: + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the value + must compile to a valid Golang regex. 
+ type: string + type: object + type: array + type: object + description: Authorization policies. All policies MUST evaluate + to "allowed = true" for the auth request be successful. + type: object + callbacks: + additionalProperties: + properties: + cache: + description: Caching options for the resolved object returned + when applying this config. Omit it to avoid caching objects + for this config. + properties: + key: + description: Key used to store the entry in the cache. + The resolved key must be unique within the scope of + this particular config. + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external data + in the cache before pulled again from the source. + type: integer + required: + - key + type: object + http: + description: Settings of the external HTTP request + properties: + body: + description: Raw body of the HTTP request. Supersedes + 'bodyParameters'; use either one or the other. Use + it with method=POST; for GET requests, set parameters + as query string in the 'endpoint' (placeholders can + be used). + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. 
The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + bodyParameters: + additionalProperties: + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Custom parameters to encode in the body + of the HTTP request. Superseded by 'body'; use either + one or the other. Use it with method=POST; for GET + requests, set parameters as query string in the 'endpoint' + (placeholders can be used). + type: object + contentType: + default: application/x-www-form-urlencoded + description: Content-Type of the request body. Shapes + how 'bodyParameters' are encoded. Use it with method=POST; + for GET requests, Content-Type is automatically set + to 'text/plain'. + enum: + - application/x-www-form-urlencoded + - application/json + type: string + credentials: + description: Defines where client credentials will be + passed in the request to the service. If omitted, + it defaults to client credentials passed in the HTTP + Authorization header and the "Bearer" prefix expected + prepended to the secret value. 
+ properties: + authorizationHeader: + properties: + prefix: + type: string + type: object + cookie: + properties: + name: + type: string + required: + - name + type: object + customHeader: + properties: + name: + type: string + required: + - name + type: object + queryString: + properties: + name: + type: string + required: + - name + type: object + type: object + headers: + additionalProperties: + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Custom headers in the HTTP request. + type: object + method: + default: GET + description: 'HTTP verb used in the request to the service. + Accepted values: GET (default), POST. When the request + method is POST, the authorization JSON is passed in + the body of the request.' + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - HEAD + - OPTIONS + - CONNECT + - TRACE + type: string + oauth2: + description: Authentication with the HTTP service by + OAuth2 Client Credentials grant. + properties: + cache: + default: true + description: Caches and reuses the token until expired. + Set it to false to force fetch the token at every + authorization request regardless of expiration. + type: boolean + clientId: + description: OAuth2 Client ID. + type: string + clientSecretRef: + description: Reference to a Kuberentes Secret key + that stores that OAuth2 Client Secret. + properties: + key: + description: The key of the secret to select + from. 
Must be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + extraParams: + additionalProperties: + type: string + description: Optional extra parameters for the requests + to the token URL. + type: object + scopes: + description: Optional scopes for the client credentials + grant, if supported by he OAuth2 server. + items: + type: string + type: array + tokenUrl: + description: Token endpoint URL of the OAuth2 resource + server. + type: string + required: + - clientId + - clientSecretRef + - tokenUrl + type: object + sharedSecretRef: + description: Reference to a Secret key whose value will + be passed by Authorino in the request. The HTTP service + can use the shared secret to authenticate the origin + of the request. Ignored if used together with oauth2. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + url: + description: Endpoint URL of the HTTP service. The value + can include variable placeholders in the format "{selector}", + where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. E.g. + https://ext-auth-server.io/metadata?p={request.path} + type: string + required: + - url + type: object + metrics: + default: false + description: Whether this config should generate individual + observability metrics + type: boolean + priority: + default: 0 + description: Priority group of the config. All configs in + the same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. + type: integer + when: + description: Conditions for Authorino to enforce this config. 
+ If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to + be enforced; otherwise, the config will be skipped. + items: + properties: + operator: + description: 'The binary operator to be applied to + the content fetched from the authorization JSON, + for comparison with "value". Possible values are: + "eq" (equal to), "neq" (not equal to), "incl" (includes; + for arrays), "excl" (excludes; for arrays), "matches" + (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Reference to a named set of pattern expressions + type: string + selector: + description: Path selector to fetch content from the + authorization JSON (e.g. 'request.method'). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path modifiers + are also supported. + type: string + value: + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the value + must compile to a valid Golang regex. + type: string + type: object + type: array + required: + - http + type: object + description: Callback functions. Authorino sends callbacks at + the end of the auth pipeline to the endpoints specified in this + config. + type: object + metadata: + additionalProperties: + properties: + cache: + description: Caching options for the resolved object returned + when applying this config. Omit it to avoid caching objects + for this config. + properties: + key: + description: Key used to store the entry in the cache. + The resolved key must be unique within the scope of + this particular config. + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). 
+ Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external data + in the cache before pulled again from the source. + type: integer + required: + - key + type: object + http: + description: External source of auth metadata via HTTP request + properties: + body: + description: Raw body of the HTTP request. Supersedes + 'bodyParameters'; use either one or the other. Use + it with method=POST; for GET requests, set parameters + as query string in the 'endpoint' (placeholders can + be used). + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + bodyParameters: + additionalProperties: + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. 
The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Custom parameters to encode in the body + of the HTTP request. Superseded by 'body'; use either + one or the other. Use it with method=POST; for GET + requests, set parameters as query string in the 'endpoint' + (placeholders can be used). + type: object + contentType: + default: application/x-www-form-urlencoded + description: Content-Type of the request body. Shapes + how 'bodyParameters' are encoded. Use it with method=POST; + for GET requests, Content-Type is automatically set + to 'text/plain'. + enum: + - application/x-www-form-urlencoded + - application/json + type: string + credentials: + description: Defines where client credentials will be + passed in the request to the service. If omitted, + it defaults to client credentials passed in the HTTP + Authorization header and the "Bearer" prefix expected + prepended to the secret value. + properties: + authorizationHeader: + properties: + prefix: + type: string + type: object + cookie: + properties: + name: + type: string + required: + - name + type: object + customHeader: + properties: + name: + type: string + required: + - name + type: object + queryString: + properties: + name: + type: string + required: + - name + type: object + type: object + headers: + additionalProperties: + properties: + selector: + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. 
The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Custom headers in the HTTP request. + type: object + method: + default: GET + description: 'HTTP verb used in the request to the service. + Accepted values: GET (default), POST. When the request + method is POST, the authorization JSON is passed in + the body of the request.' + enum: + - GET + - POST + - PUT + - PATCH + - DELETE + - HEAD + - OPTIONS + - CONNECT + - TRACE + type: string + oauth2: + description: Authentication with the HTTP service by + OAuth2 Client Credentials grant. + properties: + cache: + default: true + description: Caches and reuses the token until expired. + Set it to false to force fetch the token at every + authorization request regardless of expiration. + type: boolean + clientId: + description: OAuth2 Client ID. + type: string + clientSecretRef: + description: Reference to a Kuberentes Secret key + that stores that OAuth2 Client Secret. + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + extraParams: + additionalProperties: + type: string + description: Optional extra parameters for the requests + to the token URL. + type: object + scopes: + description: Optional scopes for the client credentials + grant, if supported by he OAuth2 server. + items: + type: string + type: array + tokenUrl: + description: Token endpoint URL of the OAuth2 resource + server. 
+ type: string + required: + - clientId + - clientSecretRef + - tokenUrl + type: object + sharedSecretRef: + description: Reference to a Secret key whose value will + be passed by Authorino in the request. The HTTP service + can use the shared secret to authenticate the origin + of the request. Ignored if used together with oauth2. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: The name of the secret in the Authorino's + namespace to select from. + type: string + required: + - key + - name + type: object + url: + description: Endpoint URL of the HTTP service. The value + can include variable placeholders in the format "{selector}", + where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. E.g. + https://ext-auth-server.io/metadata?p={request.path} + type: string + required: + - url + type: object + metrics: + default: false + description: Whether this config should generate individual + observability metrics + type: boolean + priority: + default: 0 + description: Priority group of the config. All configs in + the same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. + type: integer + uma: + description: User-Managed Access (UMA) source of resource + data. + properties: + credentialsRef: + description: Reference to a Kubernetes secret in the + same namespace, that stores client credentials to + the resource registration API of the UMA server. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + type: object + x-kubernetes-map-type: atomic + endpoint: + description: The endpoint of the UMA server. 
The value + must coincide with the "issuer" claim of the UMA config + discovered from the well-known uma configuration endpoint. + type: string + required: + - credentialsRef + - endpoint + type: object + userInfo: + description: OpendID Connect UserInfo linked to an OIDC + authentication config specified in this same AuthConfig. + properties: + identitySource: + description: The name of an OIDC-enabled JWT authentication + config whose OpenID Connect configuration discovered + includes the OIDC "userinfo_endpoint" claim. + type: string + required: + - identitySource + type: object + when: + description: Conditions for Authorino to enforce this config. + If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to + be enforced; otherwise, the config will be skipped. + items: + properties: + operator: + description: 'The binary operator to be applied to + the content fetched from the authorization JSON, + for comparison with "value". Possible values are: + "eq" (equal to), "neq" (not equal to), "incl" (includes; + for arrays), "excl" (excludes; for arrays), "matches" + (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Reference to a named set of pattern expressions + type: string + selector: + description: Path selector to fetch content from the + authorization JSON (e.g. 'request.method'). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path modifiers + are also supported. + type: string + value: + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the value + must compile to a valid Golang regex. + type: string + type: object + type: array + type: object + description: Metadata sources. Authorino fetches auth metadata + as JSON from sources specified in this config. 
+ type: object + patterns: + additionalProperties: + items: + properties: + operator: + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + selector: + description: Path selector to fetch content from the authorization + JSON (e.g. 'request.method'). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson can be + used. Authorino custom JSON path modifiers are also + supported. + type: string + value: + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. + type: string + type: object + type: array + description: Named sets of patterns that can be referred in `when` + conditions and in pattern-matching authorization policy rules. + type: object + response: + description: Response items. Authorino builds custom responses + to the client of the auth request. + properties: + success: + description: Response items to be included in the auth response + when the request is authenticated and authorized. For integration + of Authorino via proxy, the proxy must use these settings + to propagate dynamic metadata and/or inject data in the + request. + properties: + dynamicMetadata: + additionalProperties: + description: Settings of the success custom response + item. + properties: + cache: + description: Caching options for the resolved object + returned when applying this config. Omit it to + avoid caching objects for this config. + properties: + key: + description: Key used to store the entry in + the cache. The resolved key must be unique + within the scope of this particular config. 
+ properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + ttl: + default: 60 + description: Duration (in seconds) of the external + data in the cache before pulled again from + the source. + type: integer + required: + - key + type: object + json: + description: JSON object Specify it as the list + of properties of the object, whose values can + combine static values and values selected from + the authorization JSON. + properties: + properties: + additionalProperties: + properties: + selector: + description: 'Simple path selector to + fetch content from the authorization + JSON (e.g. ''request.method'') or a + string template with variables that + resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino + custom modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + required: + - properties + type: object + key: + description: The key used to add the custom response + item (name of the HTTP header or root property + of the Dynamic Metadata object). If omitted, it + will be set to the name of the response config. 
+ type: string + metrics: + default: false + description: Whether this config should generate + individual observability metrics + type: boolean + plain: + description: Plain text content + properties: + selector: + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + priority: + default: 0 + description: Priority group of the config. All configs + in the same priority group are evaluated concurrently; + consecutive priority groups are evaluated sequentially. + type: integer + when: + description: Conditions for Authorino to enforce + this config. If omitted, the config will be enforced + for all requests. If present, all conditions must + match for the config to be enforced; otherwise, + the config will be skipped. + items: + properties: + operator: + description: 'The binary operator to be applied + to the content fetched from the authorization + JSON, for comparison with "value". Possible + values are: "eq" (equal to), "neq" (not + equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" + (regex)' + enum: + - eq + - neq + - incl + - excl + - matches + type: string + patternRef: + description: Reference to a named set of pattern + expressions + type: string + selector: + description: Path selector to fetch content + from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path + modifiers are also supported. 
+ type: string + value: + description: The value of reference for the + comparison with the content fetched from + the authorization JSON. If used with the + "matches" operator, the value must compile + to a valid Golang regex. + type: string + type: object + type: array + wristband: + description: Authorino Festival Wristband token + properties: + customClaims: + additionalProperties: + properties: + selector: + description: 'Simple path selector to + fetch content from the authorization + JSON (e.g. ''request.method'') or a + string template with variables that + resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino + custom modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object + description: Any claims to be added to the wristband + token apart from the standard JWT claims (iss, + iat, exp) added by default. + type: object + issuer: + description: 'The endpoint to the Authorino + service that issues the wristband (format: + ://:/, where + = /://:/, where + = /