From de93c5ac469c2a21465655b8253a9d8e7cad457d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 13 Mar 2024 23:11:54 +0000
Subject: [PATCH 01/31] build(deps): bump google.golang.org/protobuf from 1.31.0 to 1.33.0

Bumps google.golang.org/protobuf from 1.31.0 to 1.33.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot]
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 461d1528..656eb61d 100644
--- a/go.mod
+++ b/go.mod
@@ -31,7 +31,7 @@ require (
 golang.org/x/oauth2 v0.11.0
 google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d
 google.golang.org/grpc v1.59.0
- google.golang.org/protobuf v1.31.0
+ google.golang.org/protobuf v1.33.0
 gopkg.in/square/go-jose.v2 v2.5.1
 gotest.tools v2.2.0+incompatible
 k8s.io/api v0.28.3
diff --git a/go.sum b/go.sum
index aa1eeff0..21bc3e3f 100644
--- a/go.sum
+++ b/go.sum
@@ -757,8 +757,8 @@ google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpAD
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

From 05aa9cf6c557cc78b10b753bbab5655a1a478daf Mon Sep 17 00:00:00 2001
From: Guilherme Cassolato
Date: Tue, 14 May 2024 12:26:47 +0200
Subject: [PATCH 02/31] Upgrade Go version to 1.21

---
 .github/workflows/code-style.yaml | 8 ++++----
 .github/workflows/e2e-test.yaml | 2 +-
 .github/workflows/go-test.yaml | 2 +-
 .github/workflows/integration-test.yaml | 2 +-
 Dockerfile | 2 +-
 docs/contributing.md | 2 +-
 docs/getting-started.md | 2 +-
 go.mod | 2 +-
 go.sum | 23 +++++++++++++++++++++++
 9 files changed, 34 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/code-style.yaml b/.github/workflows/code-style.yaml
index 38344971..bdbb5c9c 100644
--- a/.github/workflows/code-style.yaml
+++ b/.github/workflows/code-style.yaml
@@ -40,10 +40,10 @@ jobs:
 importpath: golang.org/x/tools/cmd/goimports@latest
 steps:
- - name: Set up Go 1.20.x
+ - name: Set up Go 1.21.x
 uses: actions/setup-go@v4
 with:
- go-version: 1.20.x
+ go-version: 1.21.x
 id: go
 - name: Check out code
@@ -88,10 +88,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - name: Set up Go 1.20.x
+ - name: Set up Go 1.21.x
 uses: actions/setup-go@v4
 with:
- go-version: 1.20.x
+ go-version: 1.21.x
 id: go
 - name: Check out code
diff --git a/.github/workflows/e2e-test.yaml b/.github/workflows/e2e-test.yaml
index e6e0f7f8..50597460 100644
--- a/.github/workflows/e2e-test.yaml
+++ b/.github/workflows/e2e-test.yaml
@@ -13,7 +13,7 @@ jobs:
 name: End-to-end Tests
 strategy:
 matrix:
- go-version: [1.20.x]
+ go-version: [1.21.x]
 platform: [ubuntu-latest]
 authconfig_version: [v1beta1, v1beta2]
 runs-on: ${{ matrix.platform }}
diff --git a/.github/workflows/go-test.yaml b/.github/workflows/go-test.yaml
index 00189c04..1676b208 100644
--- a/.github/workflows/go-test.yaml
+++ b/.github/workflows/go-test.yaml
@@ -12,7 +12,7 @@ jobs:
 name: Unit Tests
 strategy:
 matrix:
- go-version: [1.20.x]
+ go-version: [1.21.x]
 platform: [ubuntu-latest]
 runs-on: ${{ matrix.platform }}
 defaults:
diff --git a/.github/workflows/integration-test.yaml b/.github/workflows/integration-test.yaml
index 052319d1..7c38c993 100644
--- a/.github/workflows/integration-test.yaml
+++ b/.github/workflows/integration-test.yaml
@@ -12,7 +12,7 @@ jobs:
 name: Smoke Tests
 strategy:
 matrix:
- go-version: [1.20.x]
+ go-version: [1.21.x]
 platform: [ubuntu-latest]
 runs-on: ${{ matrix.platform }}
 if: ${{ github.event.workflow_run.conclusion == 'success' }}
diff --git a/Dockerfile b/Dockerfile
index 70d7a8f7..f4a4f541 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 # Build the authorino binary
 # https://catalog.redhat.com/software/containers/ubi9/go-toolset
-FROM registry.access.redhat.com/ubi9/go-toolset:1.20 AS builder
+FROM registry.access.redhat.com/ubi9/go-toolset:1.21 AS builder
 USER root
 WORKDIR /usr/src/authorino
 COPY ./ ./
diff --git a/docs/contributing.md b/docs/contributing.md
index 5f59a61e..e09b10eb 100644
--- a/docs/contributing.md
+++ b/docs/contributing.md
@@ -4,7 +4,7 @@ Minimum requirements to contribute to Authorino are:
-- [Golang v1.20+](https://golang.org)
+- [Golang v1.21+](https://golang.org)
 - [Docker](https://docker.com)
 Authorino's code was originally bundled using the [Operator SDK](https://sdk.operatorframework.io/) (v1.9.0).
diff --git a/docs/getting-started.md b/docs/getting-started.md
index 66ae049b..40fc1ae5 100644
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -10,7 +10,7 @@ If you prefer learning with an example, check out our [Hello World](./user-guide
 These are the platform requirements to use Authorino:
-- [**Kubernetes**](https://kubernetes.io) server (recommended v1.20 or later), with permission to create Kubernetes Custom Resource Definitions (CRDs) (for bootstrapping Authorino and Authorino Operator)
+- [**Kubernetes**](https://kubernetes.io) server (recommended v1.21 or later), with permission to create Kubernetes Custom Resource Definitions (CRDs) (for bootstrapping Authorino and Authorino Operator)
Alternative: K8s distros and platforms
diff --git a/go.mod b/go.mod
index 656eb61d..d67b2735 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/kuadrant/authorino
-go 1.20
+go 1.21
 require (
 github.com/authzed/authzed-go v0.7.0
diff --git a/go.sum b/go.sum
index 21bc3e3f..c673e513 100644
--- a/go.sum
+++ b/go.sum
@@ -2,7 +2,9 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMT
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.110.7 h1:rJyC7nWRg2jWGZ4wSJ5nY65GTdYJkg0cd/uXb+ACI6o=
 cloud.google.com/go/compute v1.23.0 h1:tP41Zoavr8ptEqaW6j+LQOnyBBhO7OkOMAGrgLopTwY=
+cloud.google.com/go/compute v1.23.0/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM=
 cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
+cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0=
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
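Review bot: Raising the recommended Kubernetes server version in docs/getting-started.md from v1.20 to v1.21 has nothing to do with the Go toolchain upgrade this commit makes, and reads as an over-broad `1.20` to `1.21` replace rather than an intended requirement change. Nothing else in the series supports a new cluster minimum (the go.mod hunks only move the `go` directive and library versions), so unless a v1.21 cluster floor is genuinely intended, the line should stay as `(recommended v1.20 or later)`; if it is intended, the commit message should say so, because users read that line as a compatibility statement. The docs/contributing.md hunk in the same commit, which bumps the Golang requirement, is the correct one. The getting-started hunk's trailing context runs past the visible lines.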
@@ -43,6 +45,7 @@ github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A= +github.com/benbjohnson/clock v1.3.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= @@ -51,6 +54,7 @@ github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kB github.com/bradfitz/gomemcache v0.0.0-20190913173617-a41fca850d0b h1:L/QXpzIa3pOvUGt1D1lA5KjYhPBAN/3iWdP7xeFS9F0= github.com/bradfitz/gomemcache v0.0.0-20190913173617-a41fca850d0b/go.mod h1:H0wQNHz2YrLsuXOZozoeDmnHXkNCRmMW0gwFWDfEZDA= github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA= +github.com/bytecodealliance/wasmtime-go/v3 v3.0.2/go.mod h1:RnUjnIXxEJcL6BgCvNyzCCRzZcxCgsZCi+RNlvYor5Q= github.com/casbin/casbin/v2 v2.1.2/go.mod h1:YcPU1XXisHhLzuxH9coDNf2FbKpjGlbCg3n9yuLkIJQ= github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM= github.com/cenkalti/backoff/v4 v4.1.0/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw= 
@@ -87,8 +91,10 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dgraph-io/badger/v3 v3.2103.5 h1:ylPa6qzbjYRQMU6jokoj4wzcaweHylt//CH0AKt0akg= +github.com/dgraph-io/badger/v3 v3.2103.5/go.mod h1:4MPiseMeDQ3FNCYwRbbcBOGJLf5jsE0PPFzRiKjtcdw= github.com/dgraph-io/ristretto v0.0.3/go.mod h1:KPxhHT9ZxKefz+PCeOGsrHpl1qZ7i70dGTu2u+Ahh6E= github.com/dgraph-io/ristretto v0.1.1 h1:6CWw5tJNgpegArSHpNHJKldNeq03FQCwYvfMVWajOK8= +github.com/dgraph-io/ristretto v0.1.1/go.mod h1:S1GPSBCYCIhmVNfcth17y2zZtQT6wzkzgwUve0VDWWA= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw= github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78= @@ -98,6 +104,7 @@ github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8 github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= +github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs= github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU= github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= 
@@ -128,6 +135,7 @@ github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSw github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw= github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= github.com/foxcpp/go-mockdns v1.0.0 h1:7jBqxd3WDWwi/6WhDvacvH1XsN3rOLXyHM1uhvIx6FI= +github.com/foxcpp/go-mockdns v1.0.0/go.mod h1:lgRN6+KxQBawyIghpnl5CezHFGS9VLzvtVlwxvzXTQ4= github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4= github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= @@ -170,6 +178,7 @@ github.com/go-redis/redis/v8 v8.11.5/go.mod h1:gREzHqY1hg6oD9ngVRbLStwAWKhA0FEgq github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFGgqEef3s= 
@@ -186,6 +195,7 @@ github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keL github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/glog v1.1.2 h1:DVjP2PbBOzHyzA+dn3WhHIq4NdVu3Q+pvivFICf/7fo= +github.com/golang/glog v1.1.2/go.mod h1:zR+okUeTbrL6EL3xHUDxZuEtGv04p5shwip1+mL/rLQ= github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= @@ -213,9 +223,11 @@ github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= +github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/flatbuffers v1.12.1 h1:MVlul7pQNoDzWRLTw5imwYsl+usrS1TXG2H4jg6ImGw= +github.com/google/flatbuffers v1.12.1/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= 
@@ -233,6 +245,7 @@ github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 
@@ -310,12 +323,14 @@ github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQL github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.13.6 h1:P76CopJELS0TiO2mebmnzgWaajssP/EszplttgQxcgc= +github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 
@@ -335,6 +350,7 @@ github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zk github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg= +github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4= github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= @@ -365,6 +381,7 @@ github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxzi github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= +github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= github.com/oklog/oklog v0.3.2/go.mod h1:FCV+B7mhrz4o+ueLpx+KqkyXRGMWOYEvfiXtdGtbWGs= github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= 
@@ -375,7 +392,9 @@ github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+ github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/ginkgo v1.15.0/go.mod h1:hF8qUzuuC8DJGygJH3726JnCZX4MYbRB8yFfISqnKUg= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= +github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU= +github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= @@ -383,6 +402,7 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.10.5/go.mod h1:gza4q3jKQJijlu05nKWRCW/GavJumGt8aNRxWg7mt48= github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI= +github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M= github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk= github.com/open-policy-agent/opa v0.52.0 h1:Rv3F+VCDqsufaiYy/3S9/Iuk0yfcREK4iZmWbNsKZjA= github.com/open-policy-agent/opa v0.52.0/go.mod h1:2n99s7WY/BXZUWUOq10JdTgK+G6XM4FYGoe7kQ5Vg0s= 
@@ -452,6 +472,7 @@ github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0/go.mod h1:bCqn github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= +github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= @@ -559,6 +580,7 @@ go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4= go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= 
@@ -706,6 +728,7 @@ golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.10.0 h1:tvDr/iQoUqNdohiYm0LmmKcBk+q86lb9EprIUFhHHGg=
+golang.org/x/tools v0.10.0/go.mod h1:UJwyiVBsOA2uwvK/e5OY3GTpDUJriEd+/YlqAwLPmyM=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

From e9b6bf5527ae4b0c0bc274fcc8ae107470871576 Mon Sep 17 00:00:00 2001
From: Guilherme Cassolato
Date: Tue, 14 May 2024 12:32:27 +0200
Subject: [PATCH 03/31] Bump OPA to v0.64.1 (latest)

---
 go.mod | 67 ++++++++++-----------
 go.sum | 187 ++++++++++++++++++++++++++++++---------------------------
 2 files changed, 132 insertions(+), 122 deletions(-)

diff --git a/go.mod b/go.mod
index d67b2735..cda41a42 100644
--- a/go.mod
+++ b/go.mod
@@ -8,16 +8,16 @@ require (
 github.com/coocood/freecache v1.1.1
 github.com/coreos/go-oidc v2.2.1+incompatible
 github.com/eko/gocache v1.2.0
- github.com/envoyproxy/go-control-plane v0.11.1
- github.com/go-logr/logr v1.3.0
+ github.com/envoyproxy/go-control-plane v0.12.0
+ github.com/go-logr/logr v1.4.1
 github.com/gogo/googleapis v1.4.0
 github.com/golang-jwt/jwt v3.2.2+incompatible
 github.com/golang/mock v1.6.0
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
 github.com/hashicorp/go-multierror v1.1.1
- github.com/open-policy-agent/opa v0.52.0
- github.com/prometheus/client_golang v1.16.0
- github.com/spf13/cobra v1.7.0
+ github.com/open-policy-agent/opa v0.64.1
+ github.com/prometheus/client_golang v1.19.0
+ github.com/spf13/cobra v1.8.0
 github.com/spf13/pflag v1.0.5
 github.com/tidwall/gjson v1.14.0
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1
@@ -27,10 +27,10 @@ require (
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0
 go.opentelemetry.io/otel/sdk v1.21.0
 go.uber.org/zap v1.25.0
- golang.org/x/net v0.18.0
- golang.org/x/oauth2 v0.11.0
- google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d
- google.golang.org/grpc v1.59.0
+ golang.org/x/net v0.24.0
+ golang.org/x/oauth2 v0.17.0
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de
+ google.golang.org/grpc v1.63.2
 google.golang.org/protobuf v1.33.0
 gopkg.in/square/go-jose.v2 v2.5.1
 gotest.tools v2.2.0+incompatible
@@ -45,21 +45,22 @@ require (
 github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 github.com/felixge/httpsnoop v1.0.4 // indirect
+ github.com/go-ini/ini v1.67.0 // indirect
 github.com/go-openapi/jsonpointer v0.19.6 // indirect
 github.com/go-openapi/jsonreference v0.20.2 // indirect
 github.com/go-openapi/swag v0.22.3 // indirect
 github.com/google/gnostic-models v0.6.8 // indirect
+ github.com/gorilla/mux v1.8.1 // indirect
 github.com/josharian/intern v1.0.0 // indirect
 github.com/mailru/easyjson v0.7.7 // indirect
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 github.com/spaolacci/murmur3 v1.1.0 // indirect
 github.com/tchap/go-patricia/v2 v2.3.1 // indirect
- go.opencensus.io v0.24.0 // indirect
 go.opentelemetry.io/otel/metric v1.21.0 // indirect
 go.opentelemetry.io/proto/otlp v1.0.0 // indirect
- golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
- google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d // indirect
+ golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
+ google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20240227224415-6ceb2ff114de // indirect
 )
 require (
@@ -72,23 +73,22 @@ require (
 github.com/certifi/gocertifi v0.0.0-20210507211836-431795d63e8d // indirect
 github.com/cespare/xxhash v1.1.0 // indirect
 github.com/cespare/xxhash/v2 v2.2.0 // indirect
- github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4 // indirect
- github.com/davecgh/go-spew v1.1.1 // indirect
+ github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa // indirect
+ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
- github.com/envoyproxy/protoc-gen-validate v1.0.2 // indirect
+ github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect
 github.com/evanphx/json-patch v5.6.0+incompatible // indirect
- github.com/fsnotify/fsnotify v1.6.0 // indirect
- github.com/ghodss/yaml v1.0.0 // indirect
+ github.com/fsnotify/fsnotify v1.7.0 // indirect
 github.com/go-logr/stdr v1.2.2 // indirect
 github.com/go-logr/zapr v1.2.4 // indirect
 github.com/go-redis/redis/v8 v8.11.5 // indirect
 github.com/gobwas/glob v0.2.3 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
- github.com/golang/protobuf v1.5.3
+ github.com/golang/protobuf v1.5.4
 github.com/google/go-cmp v0.6.0
 github.com/google/gofuzz v1.2.0 // indirect
- github.com/google/uuid v1.3.1
+ github.com/google/uuid v1.6.0
 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect
 github.com/hashicorp/errwrap v1.1.0 // indirect
@@ -96,35 +96,34 @@ require (
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
 github.com/json-iterator/go v1.1.12 // indirect
 github.com/jzelinskie/stringz v0.0.0-20210414224931-d6a8ce844a70 // indirect
- github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 github.com/modern-go/reflect2 v1.0.2 // indirect
 github.com/pegasus-kv/thrift v0.13.0 // indirect
 github.com/pkg/errors v0.9.1 // indirect
- github.com/pmezard/go-difflib v1.0.0 // indirect
+ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 github.com/pquerna/cachecontrol v0.0.0-20201205024021-ac21108117ac // indirect
- github.com/prometheus/client_model v0.4.0 // indirect
- github.com/prometheus/common v0.44.0 // indirect
- github.com/prometheus/procfs v0.10.1 // indirect
+ github.com/prometheus/client_model v0.6.1 // indirect
+ github.com/prometheus/common v0.48.0 // indirect
+ github.com/prometheus/procfs v0.12.0 // indirect
 github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
- github.com/sirupsen/logrus v1.9.0 // indirect
- github.com/spf13/cast v1.4.1 // indirect
+ github.com/sirupsen/logrus v1.9.3 // indirect
+ github.com/spf13/cast v1.6.0 // indirect
 github.com/stretchr/testify v1.8.4
 github.com/tidwall/match v1.1.1 // indirect
 github.com/tidwall/pretty v1.2.0 // indirect
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
- github.com/yashtewari/glob-intersection v0.1.0 // indirect
+ github.com/yashtewari/glob-intersection v0.2.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1
 go.opentelemetry.io/otel/trace v1.21.0
 go.uber.org/multierr v1.11.0 // indirect
- golang.org/x/crypto v0.17.0 // indirect
- golang.org/x/sys v0.15.0 // indirect
- golang.org/x/term v0.15.0 // indirect
+ golang.org/x/crypto v0.22.0 // indirect
+ golang.org/x/sys v0.19.0 // indirect
+ golang.org/x/term v0.19.0 // indirect
 golang.org/x/text v0.14.0 // indirect
- golang.org/x/time v0.3.0 // indirect
+ golang.org/x/time v0.5.0 // indirect
 gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
- google.golang.org/appengine v1.6.7 // indirect
+ google.golang.org/appengine v1.6.8 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 gopkg.in/tomb.v2 v2.0.0-20161208151619-d5d1b5820637 // indirect
@@ -136,5 +135,5 @@ require (
 k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
- sigs.k8s.io/yaml v1.3.0 // indirect
+ sigs.k8s.io/yaml v1.4.0 // indirect
 )
diff --git a/go.sum b/go.sum
index c673e513..3611d3d3 100644
--- a/go.sum
+++ b/go.sum
@@ -1,8 +1,8 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.110.7 h1:rJyC7nWRg2jWGZ4wSJ5nY65GTdYJkg0cd/uXb+ACI6o=
-cloud.google.com/go/compute v1.23.0 h1:tP41Zoavr8ptEqaW6j+LQOnyBBhO7OkOMAGrgLopTwY=
-cloud.google.com/go/compute v1.23.0/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM=
+cloud.google.com/go v0.112.0 h1:tpFCD7hpHFlQ8yPwT3x+QeXqc2T6+n6T+hmABHfDUSM=
+cloud.google.com/go/compute v1.24.0 h1:phWcR2eWzRJaL/kOiJwfFsPs4BaKq1j6vnpZrc1YlVg=
+cloud.google.com/go/compute v1.24.0/go.mod h1:kw1/T+h/+tK2LJK0wiPPx1intgdAM3j/g3hFDlscY40=
 cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
 cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
@@ -71,8 +71,8 @@ github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XL github.com/clbanning/x2j v0.0.0-20191024224557-825249438eec/go.mod h1:jMjuTZXRI4dUb/I5gc9Hdhagfvm9+RyrPryS/auMzxE= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= -github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4 h1:/inchEIKaYC1Akx+H+gqO04wryn5h75LSazbRlnya1k= -github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa h1:jQCWAUqqlij9Pgj2i/PB79y4KOPYVyFYdROxgaCwdTQ= +github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa/go.mod h1:x/1Gn8zydmfq8dk6e9PdstVsDgu9RuyIIJqAaF//0IM= github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI= github.com/coocood/freecache v1.1.1 h1:uukNF7QKCZEdZ9gAV7WQzvh0SbjwdMF6m3x3rxEkaPc= 
@@ -83,13 +83,14 @@ github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3Ee github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= -github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dgraph-io/badger/v3 v3.2103.5 h1:ylPa6qzbjYRQMU6jokoj4wzcaweHylt//CH0AKt0akg= github.com/dgraph-io/badger/v3 v3.2103.5/go.mod h1:4MPiseMeDQ3FNCYwRbbcBOGJLf5jsE0PPFzRiKjtcdw= github.com/dgraph-io/ristretto v0.0.3/go.mod h1:KPxhHT9ZxKefz+PCeOGsrHpl1qZ7i70dGTu2u+Ahh6E= 
@@ -119,11 +120,11 @@ github.com/envoyproxy/go-control-plane v0.6.9/go.mod h1:SBwIajubJHhxtWwsL9s8ss4s github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= -github.com/envoyproxy/go-control-plane v0.11.1 h1:wSUXTlLfiAQRWs2F+p+EKOY9rUyis1MyGqJ2DIk5HpM= -github.com/envoyproxy/go-control-plane v0.11.1/go.mod h1:uhMcXKCQMEJHiAb0w+YGefQLaTEw+YhGluxZkrTmD0g= +github.com/envoyproxy/go-control-plane v0.12.0 h1:4X+VP1GHd1Mhj6IB5mMeGbLCleqxjletLK6K0rbxyZI= +github.com/envoyproxy/go-control-plane v0.12.0/go.mod h1:ZBTaoJ23lqITozF0M6G4/IragXCQKCnYbmlmtHvwRG0= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/envoyproxy/protoc-gen-validate v1.0.2 h1:QkIBuU5k+x7/QXPvPPnWXWlCdaBFApVqftFV6k087DA= -github.com/envoyproxy/protoc-gen-validate v1.0.2/go.mod h1:GpiZQP3dDbg4JouG/NNS7QWXpgx6x8QiMKdmN72jogE= +github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A= +github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew= github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U= github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= 
@@ -134,17 +135,20 @@ github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw= github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= -github.com/foxcpp/go-mockdns v1.0.0 h1:7jBqxd3WDWwi/6WhDvacvH1XsN3rOLXyHM1uhvIx6FI= -github.com/foxcpp/go-mockdns v1.0.0/go.mod h1:lgRN6+KxQBawyIghpnl5CezHFGS9VLzvtVlwxvzXTQ4= +github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7DlmewI= +github.com/foxcpp/go-mockdns v1.1.0/go.mod h1:IhLeSFGed3mJIAXPH2aiRQB+kqz7oqu8ld2qVbOu7Wk= github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4= github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20= +github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= +github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= -github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= -github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= +github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= +github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-ini/ini v1.67.0 
h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A= +github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.10.0/go.mod h1:xUsJbQ/Fp4kEt7AFgCuvyX4a71u8h9jB8tj/ORgOZ7o= @@ -156,8 +160,8 @@ github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7 github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY= -github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= +github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo= 
@@ -194,11 +198,10 @@ github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69 github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY= github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/glog v1.1.2 h1:DVjP2PbBOzHyzA+dn3WhHIq4NdVu3Q+pvivFICf/7fo= -github.com/golang/glog v1.1.2/go.mod h1:zR+okUeTbrL6EL3xHUDxZuEtGv04p5shwip1+mL/rLQ= +github.com/golang/glog v1.2.0 h1:uCdmnmatrKCgMBlM4rMuJZWOkPDqdbZPnrMXDY4gI68= +github.com/golang/glog v1.2.0/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w= github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= 
@@ -215,12 +218,12 @@ github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:x github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= -github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= -github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= 
@@ -234,10 +237,9 @@ github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5a github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI= 
@@ -249,15 +251,16 @@ github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLe github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= -github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg= github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= +github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= +github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 h1:UH//fgunKIs4JdUbpDl1VZCDaL56wXCB/5+wF6uHfaI= 
@@ -322,8 +325,8 @@ github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvW github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.13.6 h1:P76CopJELS0TiO2mebmnzgWaajssP/EszplttgQxcgc= -github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= +github.com/klauspost/compress v1.17.0 h1:Rnbp4K9EjcDuVuHtd0dgA4qNuv9yKDYKK1ulpJwgrqM= +github.com/klauspost/compress v1.17.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= 
@@ -346,11 +349,9 @@ github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNx github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= -github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= -github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= -github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg= -github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4= +github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM= +github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk= github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= 
@@ -404,8 +405,8 @@ github.com/onsi/gomega v1.10.5/go.mod h1:gza4q3jKQJijlu05nKWRCW/GavJumGt8aNRxWg7 github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI= github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M= github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk= -github.com/open-policy-agent/opa v0.52.0 h1:Rv3F+VCDqsufaiYy/3S9/Iuk0yfcREK4iZmWbNsKZjA= -github.com/open-policy-agent/opa v0.52.0/go.mod h1:2n99s7WY/BXZUWUOq10JdTgK+G6XM4FYGoe7kQ5Vg0s= +github.com/open-policy-agent/opa v0.64.1 h1:n8IJTYlFWzqiOYx+JiawbErVxiqAyXohovcZxYbskxQ= +github.com/open-policy-agent/opa v0.64.1/go.mod h1:j4VeLorVpKipnkQ2TDjWshEuV3cvP/rHzQhYaraUXZY= github.com/opentracing-contrib/go-observer v0.0.0-20170622124052-a52f23424492/go.mod h1:Ngi6UdF0k5OKD5t5wlmGhe/EDKPoUM3BXZSSfIuJbis= github.com/opentracing/basictracer-go v1.0.0/go.mod h1:QfBfYuafItcjQuMwinw9GhYKwFXS9KnPs5lxoYwgW74= github.com/opentracing/opentracing-go v1.0.2/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= 
@@ -430,8 +431,9 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/profile v1.2.1/go.mod h1:hJw3o1OdXxsrSjjVksARp5W95eeEaEfptyVZyv6JUPA= github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= github.com/pquerna/cachecontrol v0.0.0-20201205024021-ac21108117ac h1:jWKYCNlX4J5s8M0nHYkh7Y7c9gRVDEb3mq51j5J0F5M= github.com/pquerna/cachecontrol v0.0.0-20201205024021-ac21108117ac/go.mod h1:hoLfEwdY11HjRfKFH6KqnPsfxlo3BP6bJehpDv8t6sQ= 
@@ -441,31 +443,31 @@ github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5Fsn github.com/prometheus/client_golang v1.3.0/go.mod h1:hJaj2vgQTGQmVCsAACORcieXFeDPbaTKGT+JTgUa3og= github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= github.com/prometheus/client_golang v1.10.0/go.mod h1:WJM3cc3yu7XKBKa/I8WeZm+V3eltZnBwfENSU7mdogU= -github.com/prometheus/client_golang v1.16.0 h1:yk/hx9hDbrGHovbci4BY+pRMfSuuat626eFsHb7tmT8= -github.com/prometheus/client_golang v1.16.0/go.mod h1:Zsulrv/L9oM40tJ7T815tM89lFEugiJ9HzIqaAx4LKc= +github.com/prometheus/client_golang v1.19.0 h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU= +github.com/prometheus/client_golang v1.19.0/go.mod h1:ZRM9uEAypZakd+q/x7+gmsvXdURP+DABIEIjnmDdp+k= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.1.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY= -github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU= +github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= +github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.4.1/go.mod 
h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.7.0/go.mod h1:DjGbpBbp5NYNiECxcL/VnbXCCaQpKd3tt26CguLLsqA= github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= github.com/prometheus/common v0.18.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16Clt/msog/s= -github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY= -github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY= +github.com/prometheus/common v0.48.0 h1:QO8U2CdOzSn1BBsmXJXduaaW+dY/5QLjfB8svtSzKKE= +github.com/prometheus/common v0.48.0/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5EC6ILDTlAPc= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A= github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= -github.com/prometheus/procfs v0.10.1 h1:kYK1Va/YMlutzCGazswoHKo//tZVlFpKYh+PymziUAg= -github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM= +github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= +github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 h1:MkV+77GLUNo5oJ0jf870itWm3D0Sjh7+Za9gazKc5LQ= github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= 
@@ -482,8 +484,8 @@ github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeV github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= -github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0= -github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= +github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM= github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s= 
@@ -494,11 +496,11 @@ github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasO github.com/spaolacci/murmur3 v1.1.0 h1:7c1g84S4BPRrfL5Xrdp6fOJ206sU9y293DDHaoy0bLI= github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/spf13/cast v1.4.1 h1:s0hze+J0196ZfEMTs80N7UlFt0BDuQ7Q+JDnHiMWKdA= -github.com/spf13/cast v1.4.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0= +github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= -github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I= -github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0= +github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= +github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= 
@@ -538,11 +540,12 @@ github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= -github.com/yashtewari/glob-intersection v0.1.0 h1:6gJvMYQlTDOL3dMsPF6J0+26vwX9MB8/1q3uAdhmTrg= -github.com/yashtewari/glob-intersection v0.1.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok= +github.com/yashtewari/glob-intersection v0.2.0 h1:8iuHdN88yYuCzCdjt0gDe+6bAhUwBeEWqThExu54RFg= +github.com/yashtewari/glob-intersection v0.2.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= 
@@ -600,11 +603,12 @@ golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= -golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= +golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e h1:+WEEuIdZHnUeJJmEUjyYC2gfUMj69yZXw17EnHg/otA= -golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e/go.mod h1:Kr81I6Kryrl9sr8s2FK3vxD90NdsKWRuOIl2O4CvYbA= +golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g= +golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 
@@ -615,6 +619,9 @@ golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzB golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= +golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -638,15 +645,16 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= -golang.org/x/net v0.18.0 h1:mIYleuAkSbHh0tCv7RvjL3F6ZVbLjq4+R7zbOn3Kokg= -golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w= +golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.11.0 h1:vPL4xzxBM4niKCW6g9whtaWVXTJf1U5e4aZxxFx/gbU= -golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk= +golang.org/x/oauth2 v0.17.0 h1:6m3ZPmLEFdVxKKWnKq4VqZ60gutO35zm+zrAHVmHyDQ= +golang.org/x/oauth2 v0.17.0/go.mod h1:OzPDGQiuQMguemayvdylqddI7qcD9lnSDb+1FiwQ5HA= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod 
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -656,6 +664,7 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -687,24 +696,29 @@ golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210309074719-68d13333faf2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= -golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= +golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4= -golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q= +golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk= golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod 
h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= -golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= +golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -727,8 +741,9 @@ golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.10.0 h1:tvDr/iQoUqNdohiYm0LmmKcBk+q86lb9EprIUFhHHGg= -golang.org/x/tools v0.10.0/go.mod h1:UJwyiVBsOA2uwvK/e5OY3GTpDUJriEd+/YlqAwLPmyM= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.15.0 h1:zdAyfUGbYmuVokhzVmghFl2ZJh5QhcfebBgmVPFYA+8= +golang.org/x/tools v0.15.0/go.mod h1:hpksKq4dtpQWS1uQ61JkdqWM3LscIS6Slf+VVkm+wQk= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -739,21 +754,21 @@ google.golang.org/api v0.3.1/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMt google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= +google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190530194941-fb225487d101/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200423170343-7949de9c1215/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d h1:VBu5YqKPv6XiJ199exd8Br+Aetz+o08F+PLMnwJQHAY= -google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d/go.mod h1:yZTlhN0tQnXo3h00fuXNCxJdLdIdnVFVBaRJ5LWBbw4= -google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d h1:DoPTO70H+bcDXcd39vOqb2viZxgqeBeSGtZ55yZU4/Q= -google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d/go.mod 
h1:KjSP20unUpOx5kyQUFa7k4OJg0qeJ7DEZflGDu2p6Bk= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d h1:uvYuEyMHKNt+lT4K3bN6fGswmK8qSvcreM3BwjDh+y4= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M= +google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de h1:F6qOa9AZTYJXOUEr4jDysRDLrm4PHePlge4v4TGAlxY= +google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:VUhTRKeHn9wwcdrk73nvdC9gF178Tzhmt/qyaFcPLSo= +google.golang.org/genproto/googleapis/api v0.0.0-20240227224415-6ceb2ff114de h1:jFNzHPIeuzhdRwVhbZdiym9q0ory/xY3sA+v2wPg8I0= +google.golang.org/genproto/googleapis/api v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:5iCWqnniDlqZHrd3neWVTOwvh/v6s3232omMecelax8= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de h1:cZGRis4/ot9uVm639a+rHCUaG0JJHEsdyzSQTMX+suY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:H4O17MA/PE9BsGx3w+a+W2VOLLD1Qf7oJneAoU6WktY= google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.0/go.mod h1:chYK+tFQF0nDUGJgXMSgLCQk3phJEuONr2DCgLDdAQM= 
@@ -766,18 +781,14 @@ google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQ google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= -google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk= -google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98= +google.golang.org/grpc v1.63.2 h1:MUeiw1B2maTVZthpU5xvASfTh3LDbxHd6IJ6QQVU+xM= +google.golang.org/grpc v1.63.2/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDomNkRA= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= -google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.33.0 
h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
@@ -853,6 +864,6 @@ sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:w
 sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=
 sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
-sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
-sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
+sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
 sourcegraph.com/sourcegraph/appdash v0.0.0-20190731080439-ebfcffb1b5c0/go.mod h1:hI742Nqp5OhwiqlzhgfbWU4mW4yO10fP+LoT9WOswdU=
From 38fd5aaffc87cfa7793ff45cabaf0ace94ab287f Mon Sep 17 00:00:00 2001 From: Guilherme Cassolato Date: Mon, 3 Jun 2024 10:18:47 +0200 Subject: [PATCH 04/31] Merge pull request #467 from modassarrana89/main Added support for s390x & ppcl64e architecture --- .github/workflows/build-images.yaml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/build-images.yaml b/.github/workflows/build-images.yaml
index 58f75c03..be9a9458 100644
--- a/.github/workflows/build-images.yaml
+++ b/.github/workflows/build-images.yaml
@@ -38,17 +38,15 @@ jobs:
 else
 echo "VERSION=${{ github.sha }}" >> $GITHUB_ENV
 fi
- - name: Install qemu dependency
- run: |
- sudo apt-get update
- sudo apt-get install -y qemu-user-static
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
 - name: Build Image
 id: build-image
 uses: redhat-actions/buildah-build@v2
 with:
 image: authorino
 tags: ${{ env.IMG_TAGS }}
- platforms: linux/amd64,linux/arm64
+ platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
 build-args: |
 version=${{ env.VERSION }}
 containerfiles: |
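Review bot: `uses: docker/setup-qemu-action@v3` references the new third-party step by a floating major tag, so the code that runs inside the image build can change upstream without any diff in this repository; pinning to a full commit SHA with the version kept in a comment (`uses: docker/setup-qemu-action@<commit-sha> # v3`) is the usual hardening for third-party actions, and the pre-existing `redhat-actions/buildah-build@v2` has the same exposure. The commit title spells the new platform `ppcl64e` while the hunk adds `linux/ppc64le`. Emulated s390x and ppc64le builds will also lengthen this job noticeably, which is worth a line in the description if that is expected.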
From dc90ac837c3babc6afe6e1e5aacb64fe84c58088 Mon Sep 17 00:00:00 2001 From: Guilherme Cassolato Date: Mon, 3 Jun 2024 15:48:37 +0200 Subject: [PATCH 05/31] Merge pull request #470 from Kuadrant/bump-go-jose Upgrade go-jose dependency --- controllers/auth_config_controller.go | 2 +- go.mod | 3 ++- go.sum | 2 ++ pkg/evaluators/response/wristband.go | 2 +- pkg/evaluators/response/wristband_test.go | 2 +- 5 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/controllers/auth_config_controller.go b/controllers/auth_config_controller.go
index c9f5d8de..fd0f89e9 100644
--- a/controllers/auth_config_controller.go
+++ b/controllers/auth_config_controller.go
@@ -36,8 +36,8 @@ import (
 "github.com/kuadrant/authorino/pkg/oauth2"
 "github.com/kuadrant/authorino/pkg/utils"
+ "github.com/go-jose/go-jose/v4"
 "github.com/go-logr/logr"
- "gopkg.in/square/go-jose.v2"
 v1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
diff --git a/go.mod b/go.mod
index cda41a42..65e16243 100644
--- a/go.mod
+++ b/go.mod
@@ -9,6 +9,7 @@ require (
 github.com/coreos/go-oidc v2.2.1+incompatible
 github.com/eko/gocache v1.2.0
 github.com/envoyproxy/go-control-plane v0.12.0
+ github.com/go-jose/go-jose/v4 v4.0.2
 github.com/go-logr/logr v1.4.1
 github.com/gogo/googleapis v1.4.0
 github.com/golang-jwt/jwt v3.2.2+incompatible
@@ -32,7 +33,6 @@ require (
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de
 google.golang.org/grpc v1.63.2
 google.golang.org/protobuf v1.33.0
- gopkg.in/square/go-jose.v2 v2.5.1
 gotest.tools v2.2.0+incompatible
 k8s.io/api v0.28.3
 k8s.io/apimachinery v0.28.3
@@ -61,6 +61,7 @@ require (
 golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
 google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de // indirect
 google.golang.org/genproto/googleapis/api v0.0.0-20240227224415-6ceb2ff114de // indirect
+ gopkg.in/square/go-jose.v2 v2.5.1 // indirect
 )
 require (
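Review bot: The third go.mod hunk keeps `gopkg.in/square/go-jose.v2 v2.5.1` in the build as an indirect dependency, so the module this change is meant to move away from is still compiled into the binary through some other dependency; `go mod why -m gopkg.in/square/go-jose.v2` shows which import path retains it, and that path, and whether it is reachable at runtime, belongs in the PR description. go-jose v4 also changed its parsing entry points to take an explicit list of accepted algorithms; only import lines change in auth_config_controller.go and wristband.go, which suggests those files only build signers, but any caller of the parsing functions elsewhere in the repository needs the same migration. The import blocks touched by this hunk and by the two wristband hunks open and close outside the visible hunk lines.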
diff --git a/go.sum b/go.sum
index 3611d3d3..1a265203 100644
--- a/go.sum
+++ b/go.sum
@@ -149,6 +149,8 @@ github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2H
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=
 github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
+github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk=
+github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.10.0/go.mod h1:xUsJbQ/Fp4kEt7AFgCuvyX4a71u8h9jB8tj/ORgOZ7o=
diff --git a/pkg/evaluators/response/wristband.go b/pkg/evaluators/response/wristband.go
index 563717b1..db811703 100644
--- a/pkg/evaluators/response/wristband.go
+++ b/pkg/evaluators/response/wristband.go
@@ -13,8 +13,8 @@ import (
 "github.com/kuadrant/authorino/pkg/evaluators/identity"
 "github.com/kuadrant/authorino/pkg/json"
+ jose "github.com/go-jose/go-jose/v4"
 "github.com/golang-jwt/jwt"
- jose "gopkg.in/square/go-jose.v2"
 )
 const DEFAULT_WRISTBAND_DURATION = int64(300)
diff --git a/pkg/evaluators/response/wristband_test.go b/pkg/evaluators/response/wristband_test.go
index 732ca9cc..354ee91e 100644
--- a/pkg/evaluators/response/wristband_test.go
+++ b/pkg/evaluators/response/wristband_test.go
@@ -12,8 +12,8 @@ import (
 "github.com/kuadrant/authorino/pkg/json"
 envoy_auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+ jose "github.com/go-jose/go-jose/v4"
 "github.com/golang/mock/gomock"
- jose "gopkg.in/square/go-jose.v2"
 "gotest.tools/assert"
 )
From 68303f94a88ae50538933173252827471395fcdf Mon Sep 17 00:00:00 2001
From: Guilherme Cassolato Date: Fri, 28 Jun 2024 19:19:13 +0200 Subject: [PATCH 06/31] docs/tests: generate 4096-bit cert keys and use sha512 algorithms in the openssl docs examples and mtls test cases to avoid false-positive security flagging --- docs/user-guides/mtls-authentication.md | 40 ++++++++++++------------- pkg/evaluators/identity/mtls_test.go | 2 +- 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/docs/user-guides/mtls-authentication.md b/docs/user-guides/mtls-authentication.md index a9bc86a6..617cdf5f 100644 --- a/docs/user-guides/mtls-authentication.md +++ b/docs/user-guides/mtls-authentication.md @@ -108,9 +108,9 @@ kubectl apply -f https://raw.githubusercontent.com/kuadrant/authorino-examples/m Create a CA (Certificate Authority) certificate to issue the client certificates that will be used to authenticate clients that send requests to the Talker API: ```sh -openssl req -x509 -sha256 -nodes \ +openssl req -x509 -sha512 -nodes \ -days 365 \ - -newkey rsa:2048 \ + -newkey rsa:4096 \ -subj "/CN=talker-api-ca" \ -addext basicConstraints=CA:TRUE \ -addext keyUsage=digitalSignature,keyCertSign \ @@ -157,7 +157,7 @@ data: - address: socket_address: address: 0.0.0.0 - port_value: 8000 + port_value: 8443 filter_chains: - transport_socket: name: envoy.transport_sockets.tls @@ -265,7 +265,7 @@ spec: image: envoyproxy/envoy:v1.19-latest name: envoy ports: - - containerPort: 8000 + - containerPort: 8443 name: web - containerPort: 8001 name: admin @@ -305,7 +305,7 @@ spec: app: envoy ports: - name: web - port: 8000 + port: 8443 protocol: TCP --- apiVersion: networking.k8s.io/v1 
@@ -320,16 +320,16 @@ spec: - backend: service: name: envoy - port: { number: 8000 } + port: { number: 8443 } path: / pathType: Prefix EOF ``` -The command above creates an `Ingress` with host name `talker-api.127.0.0.1.nip.io`. If you are using a local Kubernetes cluster created with Kind, forward requests from your local port 8000 to the Envoy service running inside the cluster: +The command above creates an `Ingress` with host name `talker-api.127.0.0.1.nip.io`. If you are using a local Kubernetes cluster created with Kind, forward requests from your local port 8443 to the Envoy service running inside the cluster: ```sh -kubectl port-forward deployment/envoy 8000:8000 2>&1 >/dev/null & +kubectl port-forward deployment/envoy 8443:8443 2>&1 >/dev/null & ``` ## ❻ Create the `AuthConfig` 
@@ -378,22 +378,22 @@ EOF With a TLS certificate signed by the trusted CA: ```sh -openssl genrsa -out /tmp/aisha.key 2048 +openssl genrsa -out /tmp/aisha.key 4096 openssl req -new -subj "/CN=aisha/C=PK/L=Islamabad/O=ACME Inc./OU=Engineering" -key /tmp/aisha.key -out /tmp/aisha.csr -openssl x509 -req -sha256 -days 1 -CA /tmp/ca.crt -CAkey /tmp/ca.key -CAcreateserial -extfile /tmp/x509v3.ext -in /tmp/aisha.csr -out /tmp/aisha.crt +openssl x509 -req -sha512 -days 1 -CA /tmp/ca.crt -CAkey /tmp/ca.key -CAcreateserial -extfile /tmp/x509v3.ext -in /tmp/aisha.csr -out /tmp/aisha.crt -curl -k --cert /tmp/aisha.crt --key /tmp/aisha.key https://talker-api.127.0.0.1.nip.io:8000 -i +curl -k --cert /tmp/aisha.crt --key /tmp/aisha.key https://talker-api.127.0.0.1.nip.io:8443 -i # HTTP/1.1 200 OK ``` With a TLS certificate signed by the trusted CA, though missing an authorized Organization: ```sh -openssl genrsa -out /tmp/john.key 2048 +openssl genrsa -out /tmp/john.key 4096 openssl req -new -subj "/CN=john/C=UK/L=London" -key /tmp/john.key -out /tmp/john.csr -openssl x509 -req -sha256 -days 1 -CA /tmp/ca.crt -CAkey /tmp/ca.key -CAcreateserial -extfile /tmp/x509v3.ext -in /tmp/john.csr -out /tmp/john.crt +openssl x509 -req -sha512 -days 1 -CA /tmp/ca.crt -CAkey /tmp/ca.key -CAcreateserial -extfile /tmp/x509v3.ext -in /tmp/john.csr -out /tmp/john.crt -curl -k --cert /tmp/john.crt --key /tmp/john.key https://talker-api.127.0.0.1.nip.io:8000 -i +curl -k --cert /tmp/john.crt --key /tmp/john.key https://talker-api.127.0.0.1.nip.io:8443 -i # HTTP/1.1 403 Forbidden # x-ext-auth-reason: Unauthorized ``` @@ -403,7 +403,7 @@ curl -k --cert /tmp/john.crt --key /tmp/john.key https://talker-api.127.0.0.1.ni Expose Authorino's raw HTTP authorization to the local host: ```sh -kubectl port-forward service/authorino-authorino-authorization 5001:5001 & +kubectl port-forward service/authorino-authorino-authorization 5001:5001 2>&1 >/dev/null & ``` With a TLS certificate signed by the trusted CA: 
@@ -416,18 +416,18 @@ curl -k --cert /tmp/aisha.crt --key /tmp/aisha.key -H 'Content-Type: application With a TLS certificate signed by an unknown authority: ```sh -openssl req -x509 -sha256 -nodes \ +openssl req -x509 -sha512 -nodes \ -days 365 \ - -newkey rsa:2048 \ + -newkey rsa:4096 \ -subj "/CN=untrusted" \ -addext basicConstraints=CA:TRUE \ -addext keyUsage=digitalSignature,keyCertSign \ -keyout /tmp/untrusted-ca.key \ -out /tmp/untrusted-ca.crt -openssl genrsa -out /tmp/niko.key 2048 +openssl genrsa -out /tmp/niko.key 4096 openssl req -new -subj "/CN=niko/C=JP/L=Osaka" -key /tmp/niko.key -out /tmp/niko.csr -openssl x509 -req -sha256 -days 1 -CA /tmp/untrusted-ca.crt -CAkey /tmp/untrusted-ca.key -CAcreateserial -extfile /tmp/x509v3.ext -in /tmp/niko.csr -out /tmp/niko.crt +openssl x509 -req -sha512 -days 1 -CA /tmp/untrusted-ca.crt -CAkey /tmp/untrusted-ca.key -CAcreateserial -extfile /tmp/x509v3.ext -in /tmp/niko.csr -out /tmp/niko.crt curl -k --cert /tmp/niko.crt --key /tmp/niko.key -H 'Content-Type: application/json' -d '{}' https://talker-api.127.0.0.1.nip.io:5001/check -i # HTTP/2 401 @@ -446,7 +446,7 @@ Even if the deleted root certificate is still cached and accepted at the gateway Try with a previously accepted certificate: ```sh -curl -k --cert /tmp/aisha.crt --key /tmp/aisha.key https://talker-api.127.0.0.1.nip.io:8000 -i +curl -k --cert /tmp/aisha.crt --key /tmp/aisha.key https://talker-api.127.0.0.1.nip.io:8443 -i # HTTP/1.1 401 Unauthorized # www-authenticate: Basic realm="mtls" # x-ext-auth-reason: x509: certificate signed by unknown authority diff --git a/pkg/evaluators/identity/mtls_test.go b/pkg/evaluators/identity/mtls_test.go index 62e3818c..739337a5 100644 --- a/pkg/evaluators/identity/mtls_test.go +++ b/pkg/evaluators/identity/mtls_test.go 
@@ -336,7 +336,7 @@ func issueCertificate(subject pkix.Name, ca map[string][]byte, days int, extKeyU KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: isCA, } - key, _ := rsa.GenerateKey(rand.Reader, 2048) + key, _ := rsa.GenerateKey(rand.Reader, 4096) privKey := key parent := cert if !isCA { From 1fdfd587f833dbaf9f14d2f7ac155eb7c439e8b1 Mon Sep 17 00:00:00 2001 From: Adam Cattermole Date: Wed, 31 Jul 2024 11:45:29 +0100 Subject: [PATCH 07/31] Update controller-gen to v0.15.0 Signed-off-by: Adam Cattermole --- Makefile | 2 +- .../authorino.kuadrant.io_authconfigs.yaml | 2780 +++++++---------- install/manifests.yaml | 2780 +++++++---------- install/rbac/role.yaml | 1 - 4 files changed, 2351 insertions(+), 3212 deletions(-) diff --git a/Makefile b/Makefile index 4f4081b9..2cf43cdf 100644 --- a/Makefile +++ b/Makefile @@ -44,7 +44,7 @@ help: CONTROLLER_GEN = $(PROJECT_DIR)/bin/controller-gen controller-gen: ## Installs controller-gen in $PROJECT_DIR/bin - $(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.9.0) + $(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.15.0) KUSTOMIZE = $(PROJECT_DIR)/bin/kustomize kustomize: ## Installs kustomize in $PROJECT_DIR/bin diff --git a/install/crd/authorino.kuadrant.io_authconfigs.yaml b/install/crd/authorino.kuadrant.io_authconfigs.yaml index 800f877a..288a9a2b 100644 --- a/install/crd/authorino.kuadrant.io_authconfigs.yaml +++ b/install/crd/authorino.kuadrant.io_authconfigs.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.9.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.15.0 name: authconfigs.authorino.kuadrant.io spec: group: authorino.kuadrant.io 
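Review bot: The rewritten line still discards the error from `rsa.GenerateKey`, so a failed key generation would leave `key` nil and surface later as an obscure failure inside certificate creation rather than at the call site; `key, err := rsa.GenerateKey(rand.Reader, 4096)` followed by `if err != nil { panic(err) }` (or returning the error, since no `testing.T` is visible in the signature) would make the helper fail loudly. A 4096-bit RSA key takes noticeably longer to generate than a 2048-bit one, and this helper appears to run once per issued certificate, so test runtime may grow; if the aim is only to satisfy a scanner, an ECDSA key would be both fast and unflagged, provided the evaluator under test accepts it. issueCertificate starts before and continues after the hunk.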
@@ -55,14 +54,19 @@ spec: description: AuthConfig is the schema for Authorino's AuthConfig API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -72,13 +76,13 @@ spec: service hosts. properties: authorization: - description: Authorization is the list of authorization policies. - All policies in this list MUST evaluate to "true" for a request - be successful in the authorization phase. + description: |- + Authorization is the list of authorization policies. + All policies in this list MUST evaluate to "true" for a request be successful in the authorization phase. items: - description: 'Authorization policy to be enforced. Apart from "name", - one of the following parameters is required and only one of the - following parameters is allowed: "opa", "json" or "kubernetes".' + description: |- + Authorization policy to be enforced. + Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "opa", "json" or "kubernetes". properties: authzed: description: Authzed authorization 
@@ -101,15 +105,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -130,17 +131,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -157,17 +153,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -206,17 +197,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -233,17 +219,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object @@ -252,14 +233,14 @@ spec: - endpoint type: object cache: - description: Caching options for the policy evaluation results - when enforcing this config. Omit it to avoid caching policy - evaluation results for this config. + description: |- + Caching options for the policy evaluation results when enforcing this config. + Omit it to avoid caching policy evaluation results for this config. properties: key: - description: Key used to store the entry in the cache. Cache - entries from different metadata configs are stored and - managed separately regardless of the key. + description: |- + Key used to store the entry in the cache. + Cache entries from different metadata configs are stored and managed separately regardless of the key. properties: value: description: Static value 
@@ -268,15 +249,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object @@ -311,12 +289,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied to - the content fetched from the authorization JSON, - for comparison with "value". Possible values are: - "eq" (equal to), "neq" (not equal to), "incl" (includes; - for arrays), "excl" (excludes; for arrays), "matches" - (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq 
@@ -328,16 +303,14 @@ spec: description: Name of a named pattern type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input - authorization JSON built by Authorino along the - identity and metadata phases. + description: |- + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization - JSON. If used with the "matches" operator, the value - must compile to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array @@ -345,7 +318,8 @@ spec: - rules type: object kubernetes: - description: Kubernetes authorization policy based on `SubjectAccessReview` + description: |- + Kubernetes authorization policy based on `SubjectAccessReview` Path and Verb are inferred from the request. properties: groups: @@ -354,10 +328,9 @@ spec: type: string type: array resourceAttributes: - description: Use ResourceAttributes for checking permissions - on Kubernetes resources If omitted, it performs a non-resource - `SubjectAccessReview`, with verb and path inferred from - the request. + description: |- + Use ResourceAttributes for checking permissions on Kubernetes resources + If omitted, it performs a non-resource `SubjectAccessReview`, with verb and path inferred from the request. properties: group: description: StaticOrDynamicValue is either a constant 
@@ -372,17 +345,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -399,17 +367,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -426,17 +389,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -453,17 +411,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -480,17 +433,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -507,25 +455,20 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object type: object user: - description: User to test for. If without "Groups", then - is it interpreted as "What if User were not a member of - any groups" + description: |- + User to test for. + If without "Groups", then is it interpreted as "What if User were not a member of any groups" properties: value: description: Static value 
@@ -534,15 +477,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -555,30 +495,27 @@ spec: individual observability metrics type: boolean name: - description: Name of the authorization policy. It can be used - to refer to the resolved authorization object in other configs. + description: |- + Name of the authorization policy. + It can be used to refer to the resolved authorization object in other configs. type: string opa: description: Open Policy Agent (OPA) authorization policy. properties: allValues: default: false - description: Returns the value of all Rego rules in the - virtual document. Values can be read in subsequent evaluators/phases - of the Auth Pipeline. Otherwise, only the default `allow` - rule will be exposed. Returning all Rego rules can affect - performance of OPA policies during reconciliation (policy - precompile) and at runtime. + description: |- + Returns the value of all Rego rules in the virtual document. Values can be read in subsequent evaluators/phases of the Auth Pipeline. + Otherwise, only the default `allow` rule will be exposed. + Returning all Rego rules can affect performance of OPA policies during reconciliation (policy precompile) and at runtime. type: boolean externalRegistry: description: External registry of OPA policies. properties: credentials: - description: Defines where client credentials will be - passed in the request to the service. If omitted, - it defaults to client credentials passed in the HTTP - Authorization header and the "Bearer" prefix expected - prepended to the secret value. + description: |- + Defines where client credentials will be passed in the request to the service. + If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. properties: in: default: authorization_header 
@@ -592,32 +529,24 @@ spec: - cookie type: string keySelector: - description: Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value - is the prefix of the client credentials string, - separated by a white-space, in the HTTP Authorization - header (e.g. "Bearer", "Basic"). When used with - `custom_header`, `query` or `cookie`, the value - is the name of the HTTP header, query string parameter - or cookie key, respectively. + description: |- + Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). + When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. type: string required: - keySelector type: object endpoint: - description: Endpoint of the HTTP external registry. - The endpoint must respond with either plain/text or - application/json content-type. In the latter case, - the JSON returned in the body must include a path - `result.raw`, where the raw Rego policy will be extracted - from. This complies with the specification of the - OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy). + description: |- + Endpoint of the HTTP external registry. + The endpoint must respond with either plain/text or application/json content-type. + In the latter case, the JSON returned in the body must include a path `result.raw`, where the raw Rego policy will be extracted from. This complies with the specification of the OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy). type: string sharedSecretRef: - description: Reference to a Secret key whose value will - be passed by Authorino in the request. The HTTP service - can use the shared secret to authenticate the origin - of the request. 
+ description: |- + Reference to a Secret key whose value will be passed by Authorino in the request. + The HTTP service can use the shared secret to authenticate the origin of the request. properties: key: description: The key of the secret to select from. Must @@ -637,24 +566,23 @@ spec: type: integer type: object inlineRego: - description: Authorization policy as a Rego language document. - The Rego document must include the "allow" condition, - set by Authorino to "false" by default (i.e. requests - are unauthorized unless changed). The Rego document must - NOT include the "package" declaration in line 1. + description: |- + Authorization policy as a Rego language document. + The Rego document must include the "allow" condition, set by Authorino to "false" by default (i.e. requests are unauthorized unless changed). + The Rego document must NOT include the "package" declaration in line 1. type: string type: object priority: default: 0 - description: Priority group of the config. All configs in the - same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer when: - description: Conditions for Authorino to enforce this authorization - policy. If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be - enforced; otherwise, the config will be skipped. + description: |- + Conditions for Authorino to enforce this authorization policy. + If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. items: properties: all: 
@@ -672,11 +600,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied to the - content fetched from the authorization JSON, for comparison - with "value". Possible values are: "eq" (equal to), - "neq" (not equal to), "incl" (includes; for arrays), - "excl" (excludes; for arrays), "matches" (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq @@ -688,16 +614,14 @@ spec: description: Name of a named pattern type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. + description: |- + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must - compile to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array 
@@ -706,8 +630,9 @@ spec: type: object type: array callbacks: - description: List of callback configs. Authorino sends callbacks to - specified endpoints at the end of the auth pipeline. + description: |- + List of callback configs. + Authorino sends callbacks to specified endpoints at the end of the auth pipeline. items: description: Endpoints to callback at the end of each auth pipeline. properties: @@ -716,10 +641,10 @@ spec: metadata from a HTTP service. properties: body: - description: Raw body of the HTTP request. Supersedes 'bodyParameters'; - use either one or the other. Use it with method=POST; - for GET requests, set parameters as query string in the - 'endpoint' (placeholders can be used). + description: |- + Raw body of the HTTP request. + Supersedes 'bodyParameters'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: value: description: Static value 
@@ -728,24 +653,20 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object bodyParameters: - description: Custom parameters to encode in the body of - the HTTP request. Superseded by 'body'; use either one - or the other. Use it with method=POST; for GET requests, - set parameters as query string in the 'endpoint' (placeholders - can be used). + description: |- + Custom parameters to encode in the body of the HTTP request. + Superseded by 'body'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). items: properties: name: 
@@ -758,16 +679,12 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object required: 
@@ -776,20 +693,17 @@ spec: type: array contentType: default: application/x-www-form-urlencoded - description: Content-Type of the request body. Shapes how - 'bodyParameters' are encoded. Use it with method=POST; - for GET requests, Content-Type is automatically set to - 'text/plain'. + description: |- + Content-Type of the request body. Shapes how 'bodyParameters' are encoded. + Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: - description: Defines where client credentials will be passed - in the request to the service. If omitted, it defaults - to client credentials passed in the HTTP Authorization - header and the "Bearer" prefix expected prepended to the - secret value. + description: |- + Defines where client credentials will be passed in the request to the service. + If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. properties: in: default: authorization_header 
@@ -803,23 +717,20 @@ spec: - cookie type: string keySelector: - description: Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is - the prefix of the client credentials string, separated - by a white-space, in the HTTP Authorization header - (e.g. "Bearer", "Basic"). When used with `custom_header`, - `query` or `cookie`, the value is the name of the - HTTP header, query string parameter or cookie key, - respectively. + description: |- + Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). + When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. type: string required: - keySelector type: object endpoint: - description: Endpoint of the HTTP service. The endpoint - accepts variable placeholders in the format "{selector}", - where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} + description: |- + Endpoint of the HTTP service. + The endpoint accepts variable placeholders in the format "{selector}", where "selector" is any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} type: string headers: description: Custom headers in the HTTP request. 
@@ -835,16 +746,12 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object required: @@ -853,10 +760,9 @@ spec: type: array method: default: GET - description: 'HTTP verb used in the request to the service. - Accepted values: GET (default), POST. When the request - method is POST, the authorization JSON is passed in the - body of the request.' + description: |- + HTTP verb used in the request to the service. Accepted values: GET (default), POST. + When the request method is POST, the authorization JSON is passed in the body of the request. enum: - GET - POST 
@@ -867,9 +773,9 @@ spec: properties: cache: default: true - description: Caches and reuses the token until expired. - Set it to false to force fetch the token at every - authorization request regardless of expiration. + description: |- + Caches and reuses the token until expired. + Set it to false to force fetch the token at every authorization request regardless of expiration. type: boolean clientId: description: OAuth2 Client ID. @@ -912,10 +818,10 @@ spec: - tokenUrl type: object sharedSecretRef: - description: Reference to a Secret key whose value will - be passed by Authorino in the request. The HTTP service - can use the shared secret to authenticate the origin of - the request. Ignored if used together with oauth2. + description: |- + Reference to a Secret key whose value will be passed by Authorino in the request. + The HTTP service can use the shared secret to authenticate the origin of the request. + Ignored if used together with oauth2. properties: key: description: The key of the secret to select from. Must 
@@ -938,20 +844,21 @@ spec: observability metrics type: boolean name: - description: Name of the callback. It can be used to refer to - the resolved callback response in other configs. + description: |- + Name of the callback. + It can be used to refer to the resolved callback response in other configs. type: string priority: default: 0 - description: Priority group of the config. All configs in the - same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer when: - description: Conditions for Authorino to perform this callback. + description: |- + Conditions for Authorino to perform this callback. If omitted, the callback will be attempted for all requests. - If present, all conditions must match for the callback to - be attempted; otherwise, the callback will be skipped. + If present, all conditions must match for the callback to be attempted; otherwise, the callback will be skipped. items: properties: all: @@ -969,11 +876,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied to the - content fetched from the authorization JSON, for comparison - with "value". Possible values are: "eq" (equal to), - "neq" (not equal to), "incl" (includes; for arrays), - "excl" (excludes; for arrays), "matches" (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq 
@@ -985,16 +890,14 @@ spec: description: Name of a named pattern type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. + description: |- + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must - compile to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array 
@@ -1021,15 +924,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the - authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -1055,15 +955,12 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object required: 
@@ -1080,15 +977,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the - authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -1107,15 +1001,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the - authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -1141,15 +1032,12 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object required: 
@@ -1166,37 +1054,32 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the - authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object type: object type: object hosts: - description: The list of public host names of the services protected - by this authentication/authorization scheme. Authorino uses the - requested host to lookup for the corresponding authentication/authorization - configs to enforce. + description: |- + The list of public host names of the services protected by this authentication/authorization scheme. + Authorino uses the requested host to lookup for the corresponding authentication/authorization configs to enforce. items: type: string type: array identity: - description: List of identity sources/authentication modes. At least - one config of this list MUST evaluate to a valid identity for a - request to be successful in the identity verification phase. + description: |- + List of identity sources/authentication modes. 
+ At least one config of this list MUST evaluate to a valid identity for a request to be successful in the identity verification phase. items: - description: 'The identity source/authentication mode config. Apart - from "name", one of the following parameters is required and only - one of the following parameters is allowed: "oicd", "apiKey" or - "kubernetes".' + description: |- + The identity source/authentication mode config. + Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "oicd", "apiKey" or "kubernetes". properties: anonymous: type: object @@ -1204,10 +1087,9 @@ spec: properties: allNamespaces: default: false - description: Whether Authorino should look for API key secrets - in all namespaces or only in the same namespace as the - AuthConfig. Enabling this option in namespaced Authorino - instances has no effect. + description: |- + Whether Authorino should look for API key secrets in all namespaces or only in the same namespace as the AuthConfig. + Enabling this option in namespaced Authorino instances has no effect. type: boolean selector: description: Label selector used by Authorino to match secrets @@ -1218,8 +1100,8 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: 
@@ -1227,17 +1109,16 @@ spec: applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, - NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists - or DoesNotExist, the values array must be empty. - This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1249,25 +1130,25 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field - is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic required: - selector type: object cache: - description: Caching options for the identity resolved when - applying this config. Omit it to avoid caching identity objects - for this config. + description: |- + Caching options for the identity resolved when applying this config. + Omit it to avoid caching identity objects for this config. properties: key: - description: Key used to store the entry in the cache. Cache - entries from different metadata configs are stored and - managed separately regardless of the key. + description: |- + Key used to store the entry in the cache. + Cache entries from different metadata configs are stored and managed separately regardless of the key. properties: value: description: Static value 
@@ -1276,15 +1157,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object @@ -1297,11 +1175,9 @@ spec: - key type: object credentials: - description: Defines where client credentials are required to - be passed in the request for this identity source/authentication - mode. If omitted, it defaults to client credentials passed - in the HTTP Authorization header and the "Bearer" prefix expected - prepended to the credentials value (token, API key, etc). + description: |- + Defines where client credentials are required to be passed in the request for this identity source/authentication mode. + If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the credentials value (token, API key, etc). properties: in: default: authorization_header 
@@ -1315,23 +1191,18 @@ spec: - cookie type: string keySelector: - description: Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is the - prefix of the client credentials string, separated by - a white-space, in the HTTP Authorization header (e.g. - "Bearer", "Basic"). When used with `custom_header`, `query` - or `cookie`, the value is the name of the HTTP header, - query string parameter or cookie key, respectively. + description: |- + Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). + When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. type: string required: - keySelector type: object extendedProperties: - description: Extends the resolved identity object with additional - custom properties before appending to the authorization JSON. - It requires the resolved identity object to always be of the - JSON type 'object'. Other JSON types (array, string, etc) - will break. + description: |- + Extends the resolved identity object with additional custom properties before appending to the authorization JSON. + It requires the resolved identity object to always be of the JSON type 'object'. Other JSON types (array, string, etc) will break. items: properties: name: 
@@ -1349,15 +1220,12 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the - authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object required: @@ -1367,11 +1235,9 @@ spec: kubernetes: properties: audiences: - description: The list of audiences (scopes) that must be - claimed in a Kubernetes authentication token supplied - in the request, and reviewed by Authorino. If omitted, - Authorino will review tokens expecting the host name of - the requested protected service amongst the audiences. + description: |- + The list of audiences (scopes) that must be claimed in a Kubernetes authentication token supplied in the request, and reviewed by Authorino. + If omitted, Authorino will review tokens expecting the host name of the requested protected service amongst the audiences. items: type: string type: array 
@@ -1385,10 +1251,9 @@ spec: properties: allNamespaces: default: false - description: Whether Authorino should look for TLS secrets - in all namespaces or only in the same namespace as the - AuthConfig. Enabling this option in namespaced Authorino - instances has no effect. + description: |- + Whether Authorino should look for TLS secrets in all namespaces or only in the same namespace as the AuthConfig. + Enabling this option in namespaced Authorino instances has no effect. type: boolean selector: description: Label selector used by Authorino to match secrets @@ -1399,8 +1264,8 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: @@ -1408,17 +1273,16 @@ spec: applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, - NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists - or DoesNotExist, the values array must be empty. - This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1430,21 +1294,21 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field - is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic required: - selector type: object name: - description: The name of this identity source/authentication - mode. It usually identifies a source of identities or group - of users/clients of the protected service. It can be used - to refer to the resolved identity object in other configs. + description: |- + The name of this identity source/authentication mode. + It usually identifies a source of identities or group of users/clients of the protected service. + It can be used to refer to the resolved identity object in other configs. type: string oauth2: properties: 
@@ -1454,15 +1318,19 @@ spec: server. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object + x-kubernetes-map-type: atomic tokenIntrospectionUrl: description: The full URL of the token introspection endpoint. type: string tokenTypeHint: - description: The token type hint for the token introspection. + description: |- + The token type hint for the token introspection. If omitted, it defaults to "access_token". type: string required: @@ -1472,14 +1340,10 @@ spec: oidc: properties: endpoint: - description: Endpoint of the OIDC issuer. Authorino will - append to this value the well-known path to the OpenID - Connect discovery endpoint (i.e. "/.well-known/openid-configuration"), - used to automatically discover the OpenID Connect configuration, - whose set of claims is expected to include (among others) - the "jkws_uri" claim. The value must coincide with the - value of the "iss" (issuer) claim of the discovered OpenID - Connect configuration. + description: |- + Endpoint of the OIDC issuer. + Authorino will append to this value the well-known path to the OpenID Connect discovery endpoint (i.e. "/.well-known/openid-configuration"), used to automatically discover the OpenID Connect configuration, whose set of claims is expected to include (among others) the "jkws_uri" claim. + The value must coincide with the value of the "iss" (issuer) claim of the discovered OpenID Connect configuration. type: string ttl: description: Decides how long to wait before refreshing 
@@ -1491,28 +1355,25 @@ spec: plain: properties: authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') or a string - template with variable placeholders that resolve to patterns - (e.g. "Hello, {auth.identity.name}!"). Any patterns supported - by https://pkg.go.dev/github.com/tidwall/gjson can be - used. The following string modifiers are available: @extract:{sep:" - ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object priority: default: 0 - description: Priority group of the config. All configs in the - same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer when: - description: Conditions for Authorino to enforce this identity - config. If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be - enforced; otherwise, the config will be skipped. + description: |- + Conditions for Authorino to enforce this identity config. + If omitted, the config will be enforced for all requests. 
+ If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. items: properties: all: @@ -1530,11 +1391,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied to the - content fetched from the authorization JSON, for comparison - with "value". Possible values are: "eq" (equal to), - "neq" (not equal to), "incl" (includes; for arrays), - "excl" (excludes; for arrays), "matches" (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq @@ -1546,16 +1405,14 @@ spec: description: Name of a named pattern type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. + description: |- + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must - compile to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array 
@@ -1564,22 +1421,23 @@ spec: type: object type: array metadata: - description: List of metadata source configs. Authorino fetches JSON - content from sources on this list on every request. + description: |- + List of metadata source configs. + Authorino fetches JSON content from sources on this list on every request. items: - description: 'The metadata config. Apart from "name", one of the - following parameters is required and only one of the following - parameters is allowed: "http", userInfo" or "uma".' + description: |- + The metadata config. + Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "http", userInfo" or "uma". properties: cache: - description: Caching options for the external metadata fetched - when applying this config. Omit it to avoid caching metadata - from this source. + description: |- + Caching options for the external metadata fetched when applying this config. + Omit it to avoid caching metadata from this source. properties: key: - description: Key used to store the entry in the cache. Cache - entries from different metadata configs are stored and - managed separately regardless of the key. + description: |- + Key used to store the entry in the cache. + Cache entries from different metadata configs are stored and managed separately regardless of the key. properties: value: description: Static value 
@@ -1588,15 +1446,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object @@ -1613,10 +1468,10 @@ spec: metadata from a HTTP service. properties: body: - description: Raw body of the HTTP request. Supersedes 'bodyParameters'; - use either one or the other. Use it with method=POST; - for GET requests, set parameters as query string in the - 'endpoint' (placeholders can be used). + description: |- + Raw body of the HTTP request. + Supersedes 'bodyParameters'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: value: description: Static value 
@@ -1625,24 +1480,20 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object bodyParameters: - description: Custom parameters to encode in the body of - the HTTP request. Superseded by 'body'; use either one - or the other. Use it with method=POST; for GET requests, - set parameters as query string in the 'endpoint' (placeholders - can be used). + description: |- + Custom parameters to encode in the body of the HTTP request. + Superseded by 'body'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). items: properties: name: 
@@ -1655,16 +1506,12 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object required: 
@@ -1673,20 +1520,17 @@ spec: type: array contentType: default: application/x-www-form-urlencoded - description: Content-Type of the request body. Shapes how - 'bodyParameters' are encoded. Use it with method=POST; - for GET requests, Content-Type is automatically set to - 'text/plain'. + description: |- + Content-Type of the request body. Shapes how 'bodyParameters' are encoded. + Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: - description: Defines where client credentials will be passed - in the request to the service. If omitted, it defaults - to client credentials passed in the HTTP Authorization - header and the "Bearer" prefix expected prepended to the - secret value. + description: |- + Defines where client credentials will be passed in the request to the service. + If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. properties: in: default: authorization_header 
@@ -1700,23 +1544,20 @@ spec: - cookie type: string keySelector: - description: Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is - the prefix of the client credentials string, separated - by a white-space, in the HTTP Authorization header - (e.g. "Bearer", "Basic"). When used with `custom_header`, - `query` or `cookie`, the value is the name of the - HTTP header, query string parameter or cookie key, - respectively. + description: |- + Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). + When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. type: string required: - keySelector type: object endpoint: - description: Endpoint of the HTTP service. The endpoint - accepts variable placeholders in the format "{selector}", - where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} + description: |- + Endpoint of the HTTP service. + The endpoint accepts variable placeholders in the format "{selector}", where "selector" is any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} type: string headers: description: Custom headers in the HTTP request. 
@@ -1732,16 +1573,12 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object required: @@ -1750,10 +1587,9 @@ spec: type: array method: default: GET - description: 'HTTP verb used in the request to the service. - Accepted values: GET (default), POST. When the request - method is POST, the authorization JSON is passed in the - body of the request.' + description: |- + HTTP verb used in the request to the service. Accepted values: GET (default), POST. + When the request method is POST, the authorization JSON is passed in the body of the request. enum: - GET - POST 
@@ -1764,9 +1600,9 @@ spec: properties: cache: default: true - description: Caches and reuses the token until expired. - Set it to false to force fetch the token at every - authorization request regardless of expiration. + description: |- + Caches and reuses the token until expired. + Set it to false to force fetch the token at every authorization request regardless of expiration. type: boolean clientId: description: OAuth2 Client ID. @@ -1809,10 +1645,10 @@ spec: - tokenUrl type: object sharedSecretRef: - description: Reference to a Secret key whose value will - be passed by Authorino in the request. The HTTP service - can use the shared secret to authenticate the origin of - the request. Ignored if used together with oauth2. + description: |- + Reference to a Secret key whose value will be passed by Authorino in the request. + The HTTP service can use the shared secret to authenticate the origin of the request. + Ignored if used together with oauth2. properties: key: description: The key of the secret to select from. Must @@ -1835,14 +1671,15 @@ spec: observability metrics type: boolean name: - description: The name of the metadata source. It can be used - to refer to the resolved metadata object in other configs. + description: |- + The name of the metadata source. + It can be used to refer to the resolved metadata object in other configs. type: string priority: default: 0 - description: Priority group of the config. All configs in the - same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer uma: description: User-Managed Access (UMA) source of resource data. 
@@ -1853,14 +1690,17 @@ spec: registration API of the UMA server. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object + x-kubernetes-map-type: atomic endpoint: - description: The endpoint of the UMA server. The value must - coincide with the "issuer" claim of the UMA config discovered - from the well-known uma configuration endpoint. + description: |- + The endpoint of the UMA server. + The value must coincide with the "issuer" claim of the UMA config discovered from the well-known uma configuration endpoint. type: string required: - credentialsRef @@ -1879,10 +1719,10 @@ spec: - identitySource type: object when: - description: Conditions for Authorino to apply this metadata - config. If omitted, the config will be applied for all requests. - If present, all conditions must match for the config to be - applied; otherwise, the config will be skipped. + description: |- + Conditions for Authorino to apply this metadata config. + If omitted, the config will be applied for all requests. + If present, all conditions must match for the config to be applied; otherwise, the config will be skipped. items: properties: all: 
@@ -1900,11 +1740,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied to the - content fetched from the authorization JSON, for comparison - with "value". Possible values are: "eq" (equal to), - "neq" (not equal to), "incl" (includes; for arrays), - "excl" (excludes; for arrays), "matches" (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq @@ -1916,16 +1754,14 @@ spec: description: Name of a named pattern type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. + description: |- + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must - compile to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array 
@@ -1938,11 +1774,9 @@ spec: items: properties: operator: - description: 'The binary operator to be applied to the content - fetched from the authorization JSON, for comparison with - "value". Possible values are: "eq" (equal to), "neq" (not - equal to), "incl" (includes; for arrays), "excl" (excludes; - for arrays), "matches" (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq @@ -1951,16 +1785,14 @@ spec: - matches type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. + description: |- + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: - description: The value of reference for the comparison with - the content fetched from the authorization JSON. If used - with the "matches" operator, the value must compile to a - valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array 
@@ -1968,22 +1800,23 @@ spec: conditionals and in JSON-pattern matching policy rules. type: object response: - description: List of response configs. Authorino gathers data from - the auth pipeline to build custom responses for the client. + description: |- + List of response configs. + Authorino gathers data from the auth pipeline to build custom responses for the client. items: - description: 'Dynamic response to return to the client. Apart from - "name", one of the following parameters is required and only one - of the following parameters is allowed: "wristband" or "json".' + description: |- + Dynamic response to return to the client. + Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "wristband" or "json". properties: cache: - description: Caching options for dynamic responses built when - applying this config. Omit it to avoid caching dynamic responses - for this config. + description: |- + Caching options for dynamic responses built when applying this config. + Omit it to avoid caching dynamic responses for this config. properties: key: - description: Key used to store the entry in the cache. Cache - entries from different metadata configs are stored and - managed separately regardless of the key. + description: |- + Key used to store the entry in the cache. + Cache entries from different metadata configs are stored and managed separately regardless of the key. properties: value: description: Static value 
@@ -1992,15 +1825,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -2029,16 +1859,12 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object required: @@ -2054,8 +1880,9 @@ spec: observability metrics type: boolean name: - description: Name of the custom response. It can be used to - refer to the resolved response object in other configs. + description: |- + Name of the custom response. + It can be used to refer to the resolved response object in other configs. type: string plain: description: StaticOrDynamicValue is either a constant static 
@@ -2069,29 +1896,26 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the - authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders that - resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object priority: default: 0 - description: Priority group of the config. All configs in the - same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer when: - description: Conditions for Authorino to enforce this custom - response config. If omitted, the config will be enforced for - all requests. If present, all conditions must match for the - config to be enforced; otherwise, the config will be skipped. + description: |- + Conditions for Authorino to enforce this custom response config. + If omitted, the config will be enforced for all requests. 
+ If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. items: properties: all: @@ -2109,11 +1933,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied to the - content fetched from the authorization JSON, for comparison - with "value". Possible values are: "eq" (equal to), - "neq" (not equal to), "incl" (includes; for arrays), - "excl" (excludes; for arrays), "matches" (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq 
@@ -2125,32 +1947,30 @@ spec: description: Name of a named pattern type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. + description: |- + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must - compile to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array wrapper: default: httpHeader - description: How Authorino wraps the response. Use "httpHeader" - (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" - to wrap the response as Envoy Dynamic Metadata + description: |- + How Authorino wraps the response. + Use "httpHeader" (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" to wrap the response as Envoy Dynamic Metadata enum: - httpHeader - envoyDynamicMetadata type: string wrapperKey: - description: The name of key used in the wrapped response (name - of the HTTP header or property of the Envoy Dynamic Metadata - JSON). If omitted, it will be set to the name of the configuration. + description: |- + The name of key used in the wrapped response (name of the HTTP header or property of the Envoy Dynamic Metadata JSON). + If omitted, it will be set to the name of the configuration. type: string wristband: properties: 
@@ -2170,16 +1990,12 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object required: @@ -2192,10 +2008,9 @@ spec: where = / = / = / = / = / = / Date: Tue, 20 Aug 2024 04:53:36 -0600 Subject: [PATCH 08/31] Add license scan report and status Signed off by: fossabot --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 95e42ddc..b75cdf31 100644 --- a/README.md +++ b/README.md 
@@ -10,6 +10,7 @@ Authorino is not about inventing anything new. It's about making the best things [![Unit Tests](https://github.com/Kuadrant/authorino/actions/workflows/go-test.yaml/badge.svg)](https://github.com/Kuadrant/authorino/actions/workflows/go-test.yaml) [![End-to-end Tests](https://github.com/Kuadrant/authorino/actions/workflows/e2e-test.yaml/badge.svg)](https://github.com/Kuadrant/authorino/actions/workflows/e2e-test.yaml) [![Smoke Tests](https://github.com/Kuadrant/authorino/actions/workflows/integration-test.yaml/badge.svg)](https://github.com/Kuadrant/authorino/actions/workflows/integration-test.yaml) +[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2FKuadrant%2Fauthorino.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2FKuadrant%2Fauthorino?ref=badge_shield) ## Getting started @@ -448,3 +449,7 @@ geomean 569.0 2.000 -99.65% If you are interested in contributing to Authorino, please refer to the [Developer's guide](./docs/contributing.md) for info about the stack and requirements, workflow, policies and Code of Conduct. Join us on the [#kuadrant](https://kubernetes.slack.com/archives/C05J0D0V525) channel in the Kubernetes Slack workspace, for live discussions about the roadmap and more. + + +## License +[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2FKuadrant%2Fauthorino.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2FKuadrant%2Fauthorino?ref=badge_large) \ No newline at end of file From bbcfe7341338d922b33bdb9e5d91d7acd106052b Mon Sep 17 00:00:00 2001 From: Alex Snaps Date: Mon, 26 Aug 2024 09:49:26 -0400 Subject: [PATCH 09/31] Part 1: Convert to v1beta2 Signed-off-by: Alex Snaps --- api/v1beta1/auth_config_conversion.go | 579 +++++++++++++++++++++++++- api/v1beta2/auth_config_conversion.go | 7 + 2 files changed, 584 insertions(+), 2 deletions(-) diff --git a/api/v1beta1/auth_config_conversion.go b/api/v1beta1/auth_config_conversion.go index 6b810a0f..d97ca602 100644 
--- a/api/v1beta1/auth_config_conversion.go +++ b/api/v1beta1/auth_config_conversion.go 
@@ -1,4 +1,579 @@ package v1beta1 -// Hub marks this version as a conversion hub. -func (a *AuthConfig) Hub() {} +import ( + "encoding/json" + "github.com/kuadrant/authorino/api/v1beta2" + "github.com/kuadrant/authorino/pkg/utils" + k8sruntime "k8s.io/apimachinery/pkg/runtime" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/conversion" +) + +func (src *AuthConfig) ConvertTo(dstRaw conversion.Hub) error { + dst := dstRaw.(*v1beta2.AuthConfig) + + logger := ctrl.Log.WithName("webhook").WithName("authconfig").WithName("converto").WithValues("src", src) + logger.V(1).Info("starting converting resource") + + // metadata + dst.ObjectMeta = src.ObjectMeta + + // hosts + dst.Spec.Hosts = src.Spec.Hosts + + // named patterns + if src.Spec.Patterns != nil { + dst.Spec.NamedPatterns = make(map[string]v1beta2.PatternExpressions, len(src.Spec.Patterns)) + for name, patterns := range src.Spec.Patterns { + dst.Spec.NamedPatterns[name] = utils.Map(patterns, convertPatternExpressionTo) + } + } + + // conditions + dst.Spec.Conditions = utils.Map(src.Spec.Conditions, convertPatternExpressionOrRefTo) + + // authentication + if src.Spec.Identity != nil { + dst.Spec.Authentication = make(map[string]v1beta2.AuthenticationSpec, len(src.Spec.Identity)) + for _, identity := range src.Spec.Identity { + name, authentication := convertAuthenticationTo(identity) + dst.Spec.Authentication[name] = authentication + } + } + + // metadata + if src.Spec.Metadata != nil { + dst.Spec.Metadata = make(map[string]v1beta2.MetadataSpec, len(src.Spec.Metadata)) + for _, metadataSrc := range src.Spec.Metadata { + name, metadata := convertMetadataTo(metadataSrc) + dst.Spec.Metadata[name] = metadata + } + } + + // authorization + if src.Spec.Authorization != nil { + dst.Spec.Authorization = make(map[string]v1beta2.AuthorizationSpec, len(src.Spec.Authorization)) + for _, authorizationSrc := range src.Spec.Authorization { + name, authorization := 
convertAuthorizationTo(authorizationSrc) + dst.Spec.Authorization[name] = authorization + } + } + + // response + denyWith := src.Spec.DenyWith + + if denyWith != nil || len(src.Spec.Response) > 0 { + dst.Spec.Response = &v1beta2.ResponseSpec{} + } + + if denyWith != nil && denyWith.Unauthenticated != nil { + dst.Spec.Response.Unauthenticated = convertDenyWithSpecTo(denyWith.Unauthenticated) + } + + if denyWith != nil && denyWith.Unauthorized != nil { + dst.Spec.Response.Unauthorized = convertDenyWithSpecTo(denyWith.Unauthorized) + } + + for _, responseSrc := range src.Spec.Response { + if responseSrc.Wrapper != "httpHeader" && responseSrc.Wrapper != "" { + continue + } + if dst.Spec.Response.Success.Headers == nil { + dst.Spec.Response.Success.Headers = make(map[string]v1beta2.HeaderSuccessResponseSpec) + } + name, response := convertSuccessResponseTo(responseSrc) + dst.Spec.Response.Success.Headers[name] = v1beta2.HeaderSuccessResponseSpec{ + SuccessResponseSpec: response, + } + } + + for _, responseSrc := range src.Spec.Response { + if responseSrc.Wrapper != "envoyDynamicMetadata" { + continue + } + if dst.Spec.Response.Success.DynamicMetadata == nil { + dst.Spec.Response.Success.DynamicMetadata = make(map[string]v1beta2.SuccessResponseSpec) + } + name, response := convertSuccessResponseTo(responseSrc) + dst.Spec.Response.Success.DynamicMetadata[name] = response + } + + // callbacks + if src.Spec.Callbacks != nil { + dst.Spec.Callbacks = make(map[string]v1beta2.CallbackSpec, len(src.Spec.Callbacks)) + for _, callbackSrc := range src.Spec.Callbacks { + name, callback := convertCallbackTo(callbackSrc) + dst.Spec.Callbacks[name] = callback + } + } + + // status + dst.Status = convertStatusTo(src.Status) + + logger.V(1).Info("finished converting resource", "dst", dst) + + return nil +} + +func (dst *AuthConfig) ConvertFrom(srcRaw conversion.Hub) error { + src := srcRaw.(*v1beta2.AuthConfig) + + logger := 
ctrl.Log.WithName("webhook").WithName("authconfig").WithName("converfrom").WithValues("src", src) + logger.V(1).Info("starting converting resource") + + // metadata + dst.ObjectMeta = src.ObjectMeta + + // hosts + dst.Spec.Hosts = src.Spec.Hosts + + return nil +} + +func convertPatternExpressionTo(src JSONPatternExpression) v1beta2.PatternExpression { + return v1beta2.PatternExpression{ + Selector: src.Selector, + Operator: v1beta2.PatternExpressionOperator(src.Operator), + Value: src.Value, + } +} + +func convertPatternExpressionOrRefTo(src JSONPattern) v1beta2.PatternExpressionOrRef { + pattern := v1beta2.PatternExpressionOrRef{ + PatternExpression: convertPatternExpressionTo(src.JSONPatternExpression), + PatternRef: v1beta2.PatternRef{ + Name: src.JSONPatternRef.JSONPatternName, + }, + } + if len(src.All) > 0 { + pattern.All = make([]v1beta2.UnstructuredPatternExpressionOrRef, len(src.All)) + for i, p := range src.All { + pattern.All[i] = v1beta2.UnstructuredPatternExpressionOrRef{PatternExpressionOrRef: convertPatternExpressionOrRefTo(p.JSONPattern)} + } + } + if len(src.Any) > 0 { + pattern.Any = make([]v1beta2.UnstructuredPatternExpressionOrRef, len(src.Any)) + for i, p := range src.Any { + pattern.Any[i] = v1beta2.UnstructuredPatternExpressionOrRef{PatternExpressionOrRef: convertPatternExpressionOrRefTo(p.JSONPattern)} + } + } + return pattern +} + +func convertAuthenticationTo(src *Identity) (string, v1beta2.AuthenticationSpec) { + authentication := v1beta2.AuthenticationSpec{ + CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{ + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), + Cache: convertEvaluatorCachingTo(src.Cache), + }, + Credentials: convertCredentialsTo(src.Credentials), + } + + var overrides []JsonProperty + for _, extendedProperty := range src.ExtendedProperties { + if !extendedProperty.Overwrite { + continue + } + overrides = append(overrides, 
extendedProperty.JsonProperty) + } + if len(overrides) > 0 { + authentication.Overrides = v1beta2.ExtendedProperties(convertNamedValuesOrSelectorsTo(overrides)) + } + + var defaults []JsonProperty + for _, extendedProperty := range src.ExtendedProperties { + if extendedProperty.Overwrite { + continue + } + defaults = append(defaults, extendedProperty.JsonProperty) + } + if len(defaults) > 0 { + authentication.Defaults = v1beta2.ExtendedProperties(convertNamedValuesOrSelectorsTo(defaults)) + } + + switch src.GetType() { + case IdentityApiKey: + selector := *src.APIKey.Selector + authentication.ApiKey = &v1beta2.ApiKeyAuthenticationSpec{ + Selector: &selector, + AllNamespaces: src.APIKey.AllNamespaces, + } + case IdentityOidc: + authentication.Jwt = &v1beta2.JwtAuthenticationSpec{ + IssuerUrl: src.Oidc.Endpoint, + TTL: src.Oidc.TTL, + } + case IdentityOAuth2: + credentials := *src.OAuth2.Credentials + authentication.OAuth2TokenIntrospection = &v1beta2.OAuth2TokenIntrospectionSpec{ + Url: src.OAuth2.TokenIntrospectionUrl, + TokenTypeHint: src.OAuth2.TokenTypeHint, + Credentials: &credentials, + } + case IdentityKubernetesAuth: + authentication.KubernetesTokenReview = &v1beta2.KubernetesTokenReviewSpec{ + Audiences: src.KubernetesAuth.Audiences, + } + case IdentityMTLS: + selector := *src.MTLS.Selector + authentication.X509ClientCertificate = &v1beta2.X509ClientCertificateAuthenticationSpec{ + Selector: &selector, + AllNamespaces: src.MTLS.AllNamespaces, + } + case IdentityPlain: + authentication.Plain = &v1beta2.PlainIdentitySpec{ + Selector: src.Plain.AuthJSON, + } + case IdentityAnonymous: + authentication.AnonymousAccess = &v1beta2.AnonymousAccessSpec{} + } + + return src.Name, authentication +} + +func convertEvaluatorCachingTo(src *EvaluatorCaching) *v1beta2.EvaluatorCaching { + if src == nil { + return nil + } + return &v1beta2.EvaluatorCaching{ + Key: convertValueOrSelectorTo(src.Key), + TTL: src.TTL, + } +} + +func convertValueOrSelectorTo(src 
StaticOrDynamicValue) v1beta2.ValueOrSelector { + value := k8sruntime.RawExtension{} + if src.ValueFrom.AuthJSON == "" { + jsonString, err := json.Marshal(src.Value) + if err == nil { + value.Raw = jsonString + } + } + return v1beta2.ValueOrSelector{ + Value: value, + Selector: src.ValueFrom.AuthJSON, + } +} + +func convertCredentialsTo(src Credentials) v1beta2.Credentials { + credentials := v1beta2.Credentials{} + switch src.In { + case "authorization_header": + credentials.AuthorizationHeader = &v1beta2.Prefixed{ + Prefix: src.KeySelector, + } + case "custom_header": + credentials.CustomHeader = &v1beta2.CustomHeader{ + Named: v1beta2.Named{Name: src.KeySelector}, + } + case "query": + credentials.QueryString = &v1beta2.Named{ + Name: src.KeySelector, + } + case "cookie": + credentials.Cookie = &v1beta2.Named{ + Name: src.KeySelector, + } + } + return credentials +} + +func convertNamedValuesOrSelectorsTo(src []JsonProperty) v1beta2.NamedValuesOrSelectors { + if src == nil { + return nil + } + namedValuesOrSelectors := v1beta2.NamedValuesOrSelectors{} + for _, jsonProperty := range src { + value := k8sruntime.RawExtension{} + if jsonProperty.ValueFrom.AuthJSON == "" { + value.Raw = jsonProperty.Value.Raw + } + namedValuesOrSelectors[jsonProperty.Name] = v1beta2.ValueOrSelector{ + Value: value, + Selector: jsonProperty.ValueFrom.AuthJSON, + } + } + return namedValuesOrSelectors +} + +func convertMetadataTo(src *Metadata) (string, v1beta2.MetadataSpec) { + metadata := v1beta2.MetadataSpec{ + CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{ + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), + Cache: convertEvaluatorCachingTo(src.Cache), + }, + } + + switch src.GetType() { + case MetadataGenericHTTP: + metadata.Http = convertHttpEndpointSpecTo(src.GenericHTTP) + case MetadataUserinfo: + metadata.UserInfo = &v1beta2.UserInfoMetadataSpec{ + IdentitySource: src.UserInfo.IdentitySource, + } + case 
MetadataUma: + credentials := *src.UMA.Credentials + metadata.Uma = &v1beta2.UmaMetadataSpec{ + Endpoint: src.UMA.Endpoint, + Credentials: &credentials, + } + } + + return src.Name, metadata +} + +func convertHttpEndpointSpecTo(src *Metadata_GenericHTTP) *v1beta2.HttpEndpointSpec { + if src == nil { + return nil + } + return &v1beta2.HttpEndpointSpec{ + Url: src.Endpoint, + Method: convertMethodTo(src.Method), + Body: convertPtrValueOrSelectorTo(src.Body), + Parameters: convertNamedValuesOrSelectorsTo(src.Parameters), + ContentType: convertContentTypeTo(src.ContentType), + Headers: convertNamedValuesOrSelectorsTo(src.Headers), + SharedSecret: convertSecretKeyReferenceTo(src.SharedSecret), + OAuth2: convertOAuth2ClientAuthenticationTo(src.OAuth2), + Credentials: convertCredentialsTo(src.Credentials), + } +} + +func convertMethodTo(src *GenericHTTP_Method) *v1beta2.HttpMethod { + if src == nil { + return nil + } + method := v1beta2.HttpMethod(*src) + return &method +} + +func convertPtrValueOrSelectorTo(src *StaticOrDynamicValue) *v1beta2.ValueOrSelector { + if src == nil { + return nil + } + v := convertValueOrSelectorTo(*src) + return &v +} + +func convertContentTypeTo(src Metadata_GenericHTTP_ContentType) v1beta2.HttpContentType { + return v1beta2.HttpContentType(src) +} + +func convertSecretKeyReferenceTo(src *SecretKeyReference) *v1beta2.SecretKeyReference { + if src == nil { + return nil + } + return &v1beta2.SecretKeyReference{ + Name: src.Name, + Key: src.Key, + } +} + +func convertOAuth2ClientAuthenticationTo(src *OAuth2ClientAuthentication) *v1beta2.OAuth2ClientAuthentication { + if src == nil { + return nil + } + o := &v1beta2.OAuth2ClientAuthentication{ + TokenUrl: src.TokenUrl, + ClientId: src.ClientId, + ClientSecret: *convertSecretKeyReferenceTo(&src.ClientSecret), + Scopes: src.Scopes, + ExtraParams: src.ExtraParams, + } + if src.Cache != nil { + cache := *src.Cache + o.Cache = &cache + } + return o +} + +func convertAuthorizationTo(src 
*Authorization) (string, v1beta2.AuthorizationSpec) { + authorization := v1beta2.AuthorizationSpec{ + CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{ + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), + Cache: convertEvaluatorCachingTo(src.Cache), + }, + } + + switch src.GetType() { + case AuthorizationJSONPatternMatching: + authorization.PatternMatching = &v1beta2.PatternMatchingAuthorizationSpec{ + Patterns: utils.Map(src.JSON.Rules, convertPatternExpressionOrRefTo), + } + case AuthorizationOPA: + authorization.Opa = &v1beta2.OpaAuthorizationSpec{ + Rego: src.OPA.InlineRego, + External: convertOpaExternalRegistryTo(src.OPA.ExternalRegistry), + AllValues: src.OPA.AllValues, + } + case AuthorizationKubernetesAuthz: + authorization.KubernetesSubjectAccessReview = &v1beta2.KubernetesSubjectAccessReviewAuthorizationSpec{ + User: convertPtrValueOrSelectorTo(&src.KubernetesAuthz.User), + Groups: src.KubernetesAuthz.Groups, + ResourceAttributes: convertKubernetesSubjectAccessReviewResourceAttributesTo(src.KubernetesAuthz.ResourceAttributes), + } + case AuthorizationAuthzed: + authorization.SpiceDB = &v1beta2.SpiceDBAuthorizationSpec{ + Endpoint: src.Authzed.Endpoint, + Insecure: src.Authzed.Insecure, + SharedSecret: convertSecretKeyReferenceTo(src.Authzed.SharedSecret), + Subject: spiceDBObjectTo(src.Authzed.Subject), + Resource: spiceDBObjectTo(src.Authzed.Resource), + Permission: convertValueOrSelectorTo(src.Authzed.Permission), + } + } + + return src.Name, authorization +} + +func convertOpaExternalRegistryTo(src ExternalRegistry) *v1beta2.ExternalOpaPolicy { + if src.Endpoint == "" { + return nil + } + return &v1beta2.ExternalOpaPolicy{ + HttpEndpointSpec: &v1beta2.HttpEndpointSpec{ + Url: src.Endpoint, + SharedSecret: convertSecretKeyReferenceTo(src.SharedSecret), + Credentials: convertCredentialsTo(src.Credentials), + }, + TTL: src.TTL, + } +} + +func 
convertKubernetesSubjectAccessReviewResourceAttributesTo(src *Authorization_KubernetesAuthz_ResourceAttributes) *v1beta2.KubernetesSubjectAccessReviewResourceAttributesSpec { + if src == nil { + return nil + } + return &v1beta2.KubernetesSubjectAccessReviewResourceAttributesSpec{ + Namespace: convertValueOrSelectorTo(src.Namespace), + Group: convertValueOrSelectorTo(src.Group), + Resource: convertValueOrSelectorTo(src.Resource), + Name: convertValueOrSelectorTo(src.Name), + SubResource: convertValueOrSelectorTo(src.SubResource), + Verb: convertValueOrSelectorTo(src.Verb), + } +} + +func spiceDBObjectTo(src *AuthzedObject) *v1beta2.SpiceDBObject { + if src == nil { + return nil + } + return &v1beta2.SpiceDBObject{ + Kind: convertValueOrSelectorTo(src.Kind), + Name: convertValueOrSelectorTo(src.Name), + } +} + +func convertDenyWithSpecTo(src *DenyWithSpec) *v1beta2.DenyWithSpec { + if src == nil { + return nil + } + return &v1beta2.DenyWithSpec{ + Code: v1beta2.DenyWithCode(src.Code), + Headers: convertNamedValuesOrSelectorsTo(src.Headers), + Message: convertPtrValueOrSelectorTo(src.Message), + Body: convertPtrValueOrSelectorTo(src.Body), + } +} + +func convertSuccessResponseTo(src *Response) (string, v1beta2.SuccessResponseSpec) { + response := v1beta2.SuccessResponseSpec{ + CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{ + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), + Cache: convertEvaluatorCachingTo(src.Cache), + }, + Key: src.WrapperKey, + } + + switch src.GetType() { + case ResponsePlain: + selector := v1beta2.PlainAuthResponseSpec(convertValueOrSelectorTo(StaticOrDynamicValue(*src.Plain))) + response.Plain = &selector + case ResponseDynamicJSON: + response.Json = &v1beta2.JsonAuthResponseSpec{ + Properties: convertNamedValuesOrSelectorsTo(src.JSON.Properties), + } + case ResponseWristband: + response.Wristband = &v1beta2.WristbandAuthResponseSpec{ + Issuer: src.Wristband.Issuer, + 
CustomClaims: convertNamedValuesOrSelectorsTo(src.Wristband.CustomClaims),
+ }
+ if src.Wristband.TokenDuration != nil {
+ duration := *src.Wristband.TokenDuration
+ response.Wristband.TokenDuration = &duration
+ }
+ for _, keySrc := range src.Wristband.SigningKeyRefs {
+ if keySrc == nil {
+ continue
+ }
+ key := &v1beta2.WristbandSigningKeyRef{
+ Name: keySrc.Name,
+ Algorithm: v1beta2.WristbandSigningKeyAlgorithm(keySrc.Algorithm),
+ }
+ response.Wristband.SigningKeyRefs = append(response.Wristband.SigningKeyRefs, key)
+ }
+ }
+
+ return src.Name, response
+}
+
+func convertCallbackTo(src *Callback) (string, v1beta2.CallbackSpec) {
+ callback := v1beta2.CallbackSpec{
+ CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{
+ Priority: src.Priority,
+ Metrics: src.Metrics,
+ Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo),
+ },
+ }
+
+ switch src.GetType() {
+ case CallbackHTTP:
+ callback.Http = convertHttpEndpointSpecTo(src.HTTP)
+ }
+
+ return src.Name, callback
+}
+
+func convertStatusTo(src AuthConfigStatus) v1beta2.AuthConfigStatus {
+ return v1beta2.AuthConfigStatus{
+ Conditions: utils.Map(src.Conditions, func(conditionSrc Condition) v1beta2.AuthConfigStatusCondition {
+ condition := v1beta2.AuthConfigStatusCondition{
+ Type: v1beta2.StatusConditionType(conditionSrc.Type),
+ Status: conditionSrc.Status,
+ LastTransitionTime: conditionSrc.LastTransitionTime,
+ Reason: conditionSrc.Reason,
+ Message: conditionSrc.Message,
+ }
+ if conditionSrc.LastUpdatedTime != nil {
+ time := *conditionSrc.LastUpdatedTime
+ condition.LastUpdatedTime = &time
+ }
+ return condition
+ }),
+ Summary: convertStatusSummaryTo(src.Summary),
+ }
+}
+
+func convertStatusSummaryTo(src Summary) v1beta2.AuthConfigStatusSummary {
+ hostsReady := make([]string, len(src.HostsReady))
+ copy(hostsReady, src.HostsReady)
+
+ return v1beta2.AuthConfigStatusSummary{
+ Ready: src.Ready,
+ HostsReady: hostsReady,
+ NumHostsReady: src.NumHostsReady,
+ NumIdentitySources:
src.NumIdentitySources,
+ NumMetadataSources: src.NumMetadataSources,
+ NumAuthorizationPolicies: src.NumAuthorizationPolicies,
+ NumResponseItems: src.NumResponseItems,
+ FestivalWristbandEnabled: src.FestivalWristbandEnabled,
+ }
+}
diff --git a/api/v1beta2/auth_config_conversion.go b/api/v1beta2/auth_config_conversion.go
index b46b1bad..f07163e8 100644
--- a/api/v1beta2/auth_config_conversion.go
+++ b/api/v1beta2/auth_config_conversion.go
@@ -1,5 +1,10 @@
 package v1beta2
+// Hub marks this version as a conversion hub.
+func (a *AuthConfig) Hub() {}
+
+/**
+
 import (
 "encoding/json"
@@ -1078,3 +1083,5 @@ func convertStatusSummaryFrom(src v1beta1.Summary) AuthConfigStatusSummary {
 FestivalWristbandEnabled: src.FestivalWristbandEnabled,
 }
 }
+
+*/
From 3852e37d5da01fd358259ba23d86574c46109ffa Mon Sep 17 00:00:00 2001
From: Alex Snaps
Date: Mon, 26 Aug 2024 10:24:52 -0400
Subject: [PATCH 10/31] Part 2: Convert from v1beta2
Signed-off-by: Alex Snaps
---
 api/v1beta1/auth_config_conversion.go | 499 ++++++++++++
 api/v1beta2/auth_config_conversion.go | 1083 -------------------------
 2 files changed, 499 insertions(+), 1083 deletions(-)
diff --git a/api/v1beta1/auth_config_conversion.go b/api/v1beta1/auth_config_conversion.go
index d97ca602..78a2e5dd 100644
--- a/api/v1beta1/auth_config_conversion.go
+++ b/api/v1beta1/auth_config_conversion.go
@@ -4,6 +4,7 @@ import (
 "encoding/json"
 "github.com/kuadrant/authorino/api/v1beta2"
 "github.com/kuadrant/authorino/pkg/utils"
+ "github.com/tidwall/gjson"
 k8sruntime "k8s.io/apimachinery/pkg/runtime"
 ctrl "sigs.k8s.io/controller-runtime"
 "sigs.k8s.io/controller-runtime/pkg/conversion"
@@ -127,6 +128,72 @@ func (dst *AuthConfig) ConvertFrom(srcRaw conversion.Hub) error {
 // hosts
 dst.Spec.Hosts = src.Spec.Hosts
+ // named patterns
+ if src.Spec.NamedPatterns != nil {
+ dst.Spec.Patterns = make(map[string]JSONPatternExpressions, len(src.Spec.NamedPatterns))
+ for name, patterns := range src.Spec.NamedPatterns {
+ dst.Spec.Patterns[name] = utils.Map(patterns, convertPatternExpressionFrom)
+ }
+ }
+
+ // conditions
+ dst.Spec.Conditions = utils.Map(src.Spec.Conditions, convertPatternExpressionOrRefFrom)
+
+ // identity
+ for name, authentication := range src.Spec.Authentication {
+ identity := convertAuthenticationFrom(name, authentication)
+ dst.Spec.Identity = append(dst.Spec.Identity, identity)
+ }
+
+ // metadata
+ for name, metadataSrc := range src.Spec.Metadata {
+ metadata := convertMetadataFrom(name, metadataSrc)
+ dst.Spec.Metadata = append(dst.Spec.Metadata, metadata)
+ }
+
+ // authorization
+ for name, authorizationSrc := range src.Spec.Authorization {
+ authorization := convertAuthorizationFrom(name, authorizationSrc)
+ dst.Spec.Authorization = append(dst.Spec.Authorization, authorization)
+ }
+
+ // response
+ if src.Spec.Response != nil {
+ for name, responseSrc := range src.Spec.Response.Success.Headers {
+ response := convertSuccessResponseFrom(name, responseSrc.SuccessResponseSpec, "httpHeader")
+ dst.Spec.Response = append(dst.Spec.Response, response)
+ }
+
+ for name, responseSrc := range src.Spec.Response.Success.DynamicMetadata {
+ response := convertSuccessResponseFrom(name, responseSrc, "envoyDynamicMetadata")
+ dst.Spec.Response = append(dst.Spec.Response, response)
+ }
+
+ // denyWith
+ if src.Spec.Response.Unauthenticated != nil || src.Spec.Response.Unauthorized != nil {
+ dst.Spec.DenyWith = &DenyWith{}
+ }
+
+ if denyWithSrc := src.Spec.Response.Unauthenticated; denyWithSrc != nil {
+ dst.Spec.DenyWith.Unauthenticated = convertDenyWithSpecFrom(denyWithSrc)
+ }
+
+ if denyWithSrc := src.Spec.Response.Unauthorized;
denyWithSrc != nil {
+ dst.Spec.DenyWith.Unauthorized = convertDenyWithSpecFrom(denyWithSrc)
+ }
+ }
+
+ // callbacks
+ for name, callbackSrc := range src.Spec.Callbacks {
+ callback := convertCallbackFrom(name, callbackSrc)
+ dst.Spec.Callbacks = append(dst.Spec.Callbacks, callback)
+ }
+
+ // status
+ dst.Status = convertStatusFrom(src.Status)
+
+ logger.V(1).Info("finished converting resource", "dst", dst)
+
 return nil
 }
@@ -138,6 +205,14 @@ func convertPatternExpressionTo(src JSONPatternExpression) v1beta2.PatternExpres
 }
 }
+func convertPatternExpressionFrom(src v1beta2.PatternExpression) JSONPatternExpression {
+ return JSONPatternExpression{
+ Selector: src.Selector,
+ Operator: JSONPatternOperator(src.Operator),
+ Value: src.Value,
+ }
+}
+
 func convertPatternExpressionOrRefTo(src JSONPattern) v1beta2.PatternExpressionOrRef {
 pattern := v1beta2.PatternExpressionOrRef{
 PatternExpression: convertPatternExpressionTo(src.JSONPatternExpression),
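Review bot: The loops `for name, authentication := range src.Spec.Authentication` and the metadata, authorization, response and callback loops that follow iterate Go maps, so the order of the v1beta1 lists they append to changes from one conversion to the next; `for name, valueOrSelector := range src` in convertNamedValuesOrSelectorsFrom (hunk @@ -298,6 +499,27 @@) has the same property. Converting the same stored object twice can therefore produce differently ordered specs, which defeats round-trip comparisons and lets controllers see spurious diffs on every resync. Collecting the keys into a slice, `slices.Sort(keys)` (Go 1.21 is on the module since the earlier commit), and ranging over that slice makes the conversion deterministic. ConvertFrom's opening lines are outside this hunk.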
@@ -160,6 +235,28 @@ func convertPatternExpressionOrRefTo(src JSONPattern) v1beta2.PatternExpressionO
 return pattern
 }
+func convertPatternExpressionOrRefFrom(src v1beta2.PatternExpressionOrRef) JSONPattern {
+ pattern := JSONPattern{
+ JSONPatternExpression: convertPatternExpressionFrom(src.PatternExpression),
+ JSONPatternRef: JSONPatternRef{
+ JSONPatternName: src.PatternRef.Name,
+ },
+ }
+ if len(src.All) > 0 {
+ pattern.All = make([]UnstructuredJSONPattern, len(src.All))
+ for i, p := range src.All {
+ pattern.All[i] = UnstructuredJSONPattern{JSONPattern: convertPatternExpressionOrRefFrom(p.PatternExpressionOrRef)}
+ }
+ }
+ if len(src.Any) > 0 {
+ pattern.Any = make([]UnstructuredJSONPattern, len(src.Any))
+ for i, p := range src.Any {
+ pattern.Any[i] = UnstructuredJSONPattern{JSONPattern: convertPatternExpressionOrRefFrom(p.PatternExpressionOrRef)}
+ }
+ }
+ return pattern
+}
+
 func convertAuthenticationTo(src *Identity) (string, v1beta2.AuthenticationSpec) {
 authentication := v1beta2.AuthenticationSpec{
 CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{
@@ -233,6 +330,71 @@ func convertAuthenticationTo(src *Identity) (string, v1beta2.AuthenticationSpec)
 return src.Name, authentication
 }
+func convertAuthenticationFrom(name string, src v1beta2.AuthenticationSpec) *Identity {
+ extendedProperties := utils.Map(convertNamedValuesOrSelectorsFrom(v1beta2.NamedValuesOrSelectors(src.Overrides)), func(jsonProperty JsonProperty) ExtendedProperty {
+ return ExtendedProperty{
+ JsonProperty: jsonProperty,
+ Overwrite: true,
+ }
+ })
+ extendedProperties = append(extendedProperties, utils.Map(convertNamedValuesOrSelectorsFrom(v1beta2.NamedValuesOrSelectors(src.Defaults)), func(jsonProperty JsonProperty) ExtendedProperty {
+ return ExtendedProperty{
+ JsonProperty: jsonProperty,
+ Overwrite: false,
+ }
+ })...)
+
+ identity := &Identity{
+ Name: name,
+ Priority: src.Priority,
+ Metrics: src.Metrics,
+ Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom),
+ Cache: convertEvaluatorCachingFrom(src.Cache),
+ Credentials: convertCredentialsFrom(src.Credentials),
+ ExtendedProperties: extendedProperties,
+ }
+
+ switch src.GetMethod() {
+ case v1beta2.ApiKeyAuthentication:
+ selector := *src.ApiKey.Selector
+ identity.APIKey = &Identity_APIKey{
+ Selector: &selector,
+ AllNamespaces: src.ApiKey.AllNamespaces,
+ }
+ case v1beta2.JwtAuthentication:
+ identity.Oidc = &Identity_OidcConfig{
+ Endpoint: src.Jwt.IssuerUrl,
+ TTL: src.Jwt.TTL,
+ }
+ case v1beta2.OAuth2TokenIntrospectionAuthentication:
+ credentials := *src.OAuth2TokenIntrospection.Credentials
+ identity.OAuth2 = &Identity_OAuth2Config{
+ TokenIntrospectionUrl: src.OAuth2TokenIntrospection.Url,
+ TokenTypeHint: src.OAuth2TokenIntrospection.TokenTypeHint,
+ Credentials: &credentials,
+ }
+ case v1beta2.KubernetesTokenReviewAuthentication:
+ identity.KubernetesAuth = &Identity_KubernetesAuth{
+ Audiences: src.KubernetesTokenReview.Audiences,
+ }
+ case v1beta2.X509ClientCertificateAuthentication:
+ selector := *src.X509ClientCertificate.Selector
+
identity.MTLS = &Identity_MTLS{
+ Selector: &selector,
+ AllNamespaces: src.X509ClientCertificate.AllNamespaces,
+ }
+ case v1beta2.PlainIdentityAuthentication:
+ selector := Identity_Plain(ValueFrom{
+ AuthJSON: src.Plain.Selector,
+ })
+ identity.Plain = &selector
+ case v1beta2.AnonymousAccessAuthentication:
+ identity.Anonymous = &Identity_Anonymous{}
+ }
+
+ return identity
+}
+
 func convertEvaluatorCachingTo(src *EvaluatorCaching) *v1beta2.EvaluatorCaching {
 if src == nil {
 return nil
@@ -243,6 +405,16 @@ func convertEvaluatorCachingTo(src *EvaluatorCaching) *v1beta2.EvaluatorCaching
 }
 }
+func convertEvaluatorCachingFrom(src *v1beta2.EvaluatorCaching) *EvaluatorCaching {
+ if src == nil {
+ return nil
+ }
+ return &EvaluatorCaching{
+ Key: convertValueOrSelectorFrom(src.Key),
+ TTL: src.TTL,
+ }
+}
+
 func convertValueOrSelectorTo(src StaticOrDynamicValue) v1beta2.ValueOrSelector {
 value := k8sruntime.RawExtension{}
 if src.ValueFrom.AuthJSON == "" {
@@ -257,6 +429,13 @@ func convertValueOrSelectorTo(src StaticOrDynamicValue) v1beta2.ValueOrSelector
 }
 }
+func convertValueOrSelectorFrom(src v1beta2.ValueOrSelector) StaticOrDynamicValue {
+ return StaticOrDynamicValue{
+ Value: gjson.ParseBytes(src.Value.Raw).String(),
+ ValueFrom: convertSelectorFrom(src),
+ }
+}
+
 func convertCredentialsTo(src Credentials) v1beta2.Credentials {
 credentials := v1beta2.Credentials{}
 switch src.In {
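Review bot: `selector := *src.ApiKey.Selector`, `credentials := *src.OAuth2TokenIntrospection.Credentials` and `selector := *src.X509ClientCertificate.Selector` dereference pointer fields with no nil check, so a stored v1beta2 object that omits one of them makes the conversion webhook panic instead of returning an error; convertMetadataFrom (hunk @@ -326,6 +548,33 @@) does the same with `*src.Uma.Credentials`, whereas convertAuthorizationFrom guards `User != nil` first. The copies are also shallow: a LabelSelector's MatchLabels map and MatchExpressions slice stay shared with src. If these are Kubernetes API types with a generated `DeepCopy()`, which returns nil for a nil receiver, `Selector: src.ApiKey.Selector.DeepCopy(),` covers both points in one line, and the other three fields can be handled the same way.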
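Review bot: `Value: gjson.ParseBytes(src.Value.Raw).String()` in convertValueOrSelectorFrom flattens every JSON value to text, so a v1beta2 static value that is an object, array, number or boolean arrives in the v1beta1 string field as its serialized form and the type is lost on the way back; convertNamedValuesOrSelectorsFrom in the next hunk keeps the RawExtension untouched, so the same source type is treated differently on the two paths. If v1beta1's `Value` can only hold a string this is the best available mapping, but it deserves a comment such as `// non-string JSON values are flattened to their raw text; v1beta1 has no typed static values` so the lossiness is documented rather than discovered. An empty `Raw` yields "" here, which is fine.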
@@ -280,6 +459,28 @@ func convertCredentialsTo(src Credentials) v1beta2.Credentials {
 return credentials
 }
+func convertCredentialsFrom(src v1beta2.Credentials) Credentials {
+ var in, key string
+ switch src.GetType() {
+ case v1beta2.AuthorizationHeaderCredentials:
+ in = "authorization_header"
+ key = src.AuthorizationHeader.Prefix
+ case v1beta2.CustomHeaderCredentials:
+ in = "custom_header"
+ key = src.CustomHeader.Name
+ case v1beta2.QueryStringCredentials:
+ in = "query"
+ key = src.QueryString.Name
+ case v1beta2.CookieCredentials:
+ in = "cookie"
+ key = src.Cookie.Name
+ }
+ return Credentials{
+ In: Credentials_In(in),
+ KeySelector: key,
+ }
+}
+
 func convertNamedValuesOrSelectorsTo(src []JsonProperty) v1beta2.NamedValuesOrSelectors {
 if src == nil {
 return nil
@@ -298,6 +499,27 @@ func convertNamedValuesOrSelectorsTo(src []JsonProperty) v1beta2.NamedValuesOrSe
 return namedValuesOrSelectors
 }
+func convertNamedValuesOrSelectorsFrom(src v1beta2.NamedValuesOrSelectors) []JsonProperty {
+ if src == nil {
+ return nil
+ }
+ jsonProperties := make([]JsonProperty, 0, len(src))
+ for name, valueOrSelector := range src {
+ jsonProperties = append(jsonProperties, JsonProperty{
+ Name: name,
+ Value: valueOrSelector.Value,
+ ValueFrom: convertSelectorFrom(valueOrSelector),
+ })
+ }
+ return jsonProperties
+}
+
+func convertSelectorFrom(src v1beta2.ValueOrSelector) ValueFrom {
+ return ValueFrom{
+ AuthJSON: src.Selector,
+ }
+}
+
 func convertMetadataTo(src *Metadata) (string, v1beta2.MetadataSpec) {
 metadata := v1beta2.MetadataSpec{
 CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{
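Review bot: The `switch src.GetType()` in convertCredentialsFrom has no `default`, so a Credentials whose type matches none of the four cases (for instance all four sub-specs nil, if GetType can report that) yields `Credentials_In("")` with an empty KeySelector, which lies outside v1beta1's `in` enum and would not survive validation. A `default:` branch that maps to v1beta1's default (`in = "authorization_header"`), or a comment stating why the zero value cannot occur, would make the intent explicit. What GetType returns for an empty Credentials is not visible in this diff.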
@@ -326,6 +548,33 @@ func convertMetadataTo(src *Metadata) (string, v1beta2.MetadataSpec) {
 return src.Name, metadata
 }
+func convertMetadataFrom(name string, src v1beta2.MetadataSpec) *Metadata {
+ metadata := &Metadata{
+ Name: name,
+ Priority: src.Priority,
+ Metrics: src.Metrics,
+ Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom),
+ Cache: convertEvaluatorCachingFrom(src.Cache),
+ }
+
+ switch src.GetMethod() {
+ case v1beta2.HttpMetadata:
+ metadata.GenericHTTP = convertHttpEndpointSpecFrom(src.Http)
+ case v1beta2.UserInfoMetadata:
+ metadata.UserInfo = &Metadata_UserInfo{
+ IdentitySource: src.UserInfo.IdentitySource,
+ }
+ case v1beta2.UmaResourceMetadata:
+ credentials := *src.Uma.Credentials
+ metadata.UMA = &Metadata_UMA{
+ Endpoint: src.Uma.Endpoint,
+ Credentials: &credentials,
+ }
+ }
+
+ return metadata
+}
+
 func convertHttpEndpointSpecTo(src *Metadata_GenericHTTP) *v1beta2.HttpEndpointSpec {
 if src == nil {
 return nil
@@ -343,6 +592,23 @@ func convertHttpEndpointSpecTo(src *Metadata_GenericHTTP) *v1beta2.HttpEndpointS
 }
 }
+func convertHttpEndpointSpecFrom(src *v1beta2.HttpEndpointSpec) *Metadata_GenericHTTP {
+ if src == nil {
+ return nil
+ }
+ return &Metadata_GenericHTTP{
+ Endpoint: src.Url,
+ Method: convertMethodFrom(src.Method),
+ Body: convertPtrValueOrSelectorFrom(src.Body),
+ Parameters: convertNamedValuesOrSelectorsFrom(src.Parameters),
+ ContentType: convertContentTypeFrom(src.ContentType),
+ Headers: convertNamedValuesOrSelectorsFrom(src.Headers),
+ SharedSecret: convertSecretKeyReferenceFrom(src.SharedSecret),
+ OAuth2: convertOAuth2ClientAuthenticationFrom(src.OAuth2),
+ Credentials: convertCredentialsFrom(src.Credentials),
+ }
+}
+
 func convertMethodTo(src *GenericHTTP_Method) *v1beta2.HttpMethod {
 if src == nil {
 return nil
@@ -351,6 +617,14 @@ func convertMethodTo(src *GenericHTTP_Method) *v1beta2.HttpMethod {
 return &method
 }
+func convertMethodFrom(src *v1beta2.HttpMethod) *GenericHTTP_Method {
+ if src == nil {
+ return nil
+ }
+ method := GenericHTTP_Method(*src)
+ return &method
+}
+
 func convertPtrValueOrSelectorTo(src *StaticOrDynamicValue) *v1beta2.ValueOrSelector {
 if src == nil {
 return nil
@@ -359,10 +633,22 @@ func convertPtrValueOrSelectorTo(src *StaticOrDynamicValue) *v1beta2.ValueOrSele
 return &v
 }
+func convertPtrValueOrSelectorFrom(src *v1beta2.ValueOrSelector) *StaticOrDynamicValue {
+ if src == nil {
+ return nil
+ }
+ v := convertValueOrSelectorFrom(*src)
+ return &v
+}
+
 func convertContentTypeTo(src Metadata_GenericHTTP_ContentType) v1beta2.HttpContentType {
 return v1beta2.HttpContentType(src)
 }
+func convertContentTypeFrom(src v1beta2.HttpContentType) Metadata_GenericHTTP_ContentType {
+ return Metadata_GenericHTTP_ContentType(src)
+}
+
 func convertSecretKeyReferenceTo(src *SecretKeyReference) *v1beta2.SecretKeyReference {
 if src == nil {
 return nil
@@ -373,6 +659,16 @@ func convertSecretKeyReferenceTo(src *SecretKeyReference) *v1beta2.SecretKeyRefe
 }
 }
+func convertSecretKeyReferenceFrom(src *v1beta2.SecretKeyReference) *SecretKeyReference {
+ if src == nil {
+ return nil
+ }
+ return &SecretKeyReference{
+ Name: src.Name,
+ Key: src.Key,
+ }
+}
+
 func convertOAuth2ClientAuthenticationTo(src *OAuth2ClientAuthentication) *v1beta2.OAuth2ClientAuthentication {
 if src == nil {
 return nil
@@ -391,6 +687,24 @@ func convertOAuth2ClientAuthenticationTo(src *OAuth2ClientAuthentication) *v1bet
 return o
 }
+func convertOAuth2ClientAuthenticationFrom(src *v1beta2.OAuth2ClientAuthentication) *OAuth2ClientAuthentication {
+ if src == nil {
+ return nil
+ }
+ o := &OAuth2ClientAuthentication{
+ TokenUrl: src.TokenUrl,
+ ClientId: src.ClientId,
+ ClientSecret: *convertSecretKeyReferenceFrom(&src.ClientSecret),
+ Scopes: src.Scopes,
+ ExtraParams: src.ExtraParams,
+ }
+ if src.Cache != nil {
+ cache := *src.Cache
+ o.Cache = &cache
+ }
+ return o
+}
+
 func convertAuthorizationTo(src *Authorization) (string, v1beta2.AuthorizationSpec) {
 authorization := v1beta2.AuthorizationSpec{
 CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{
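Review bot: `ClientSecret: *convertSecretKeyReferenceFrom(&src.ClientSecret),` takes the address of a value field only to dereference the helper's result; `ClientSecret: SecretKeyReference{Name: src.ClientSecret.Name, Key: src.ClientSecret.Key},` says the same without the pointer round-trip and without relying on the helper never returning nil for a non-nil input. In the same literal `Scopes: src.Scopes` and `ExtraParams: src.ExtraParams` alias the source slice and map while `Cache` is copied explicitly a few lines later and HostsReady is cloned in convertStatusSummaryFrom; if isolation from src is the intent, `slices.Clone`/`maps.Clone` (Go 1.21) keep the function consistent with the rest of the file.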
@@ -432,6 +746,48 @@ func convertAuthorizationTo(src *Authorization) (string, v1beta2.AuthorizationSp
 return src.Name, authorization
 }
+func convertAuthorizationFrom(name string, src v1beta2.AuthorizationSpec) *Authorization {
+ authorization := &Authorization{
+ Name: name,
+ Priority: src.Priority,
+ Metrics: src.Metrics,
+ Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom),
+ Cache: convertEvaluatorCachingFrom(src.Cache),
+ }
+
+ switch src.GetMethod() {
+ case v1beta2.PatternMatchingAuthorization:
+ authorization.JSON = &Authorization_JSONPatternMatching{
+ Rules: utils.Map(src.PatternMatching.Patterns, convertPatternExpressionOrRefFrom),
+ }
+ case v1beta2.OpaAuthorization:
+ authorization.OPA = &Authorization_OPA{
+ InlineRego: src.Opa.Rego,
+ ExternalRegistry: convertOpaExternalRegistryFrom(src.Opa.External),
+ AllValues: src.Opa.AllValues,
+ }
+ case v1beta2.KubernetesSubjectAccessReviewAuthorization:
+ authorization.KubernetesAuthz = &Authorization_KubernetesAuthz{
+ Groups: src.KubernetesSubjectAccessReview.Groups,
+ ResourceAttributes: convertKubernetesSubjectAccessReviewResourceAttributesFrom(src.KubernetesSubjectAccessReview.ResourceAttributes),
+ }
+ if src.KubernetesSubjectAccessReview.User != nil {
+ authorization.KubernetesAuthz.User = convertValueOrSelectorFrom(*src.KubernetesSubjectAccessReview.User)
+ }
+ case v1beta2.SpiceDBAuthorization:
+ authorization.Authzed = &Authorization_Authzed{
+ Endpoint: src.SpiceDB.Endpoint,
+ Insecure: src.SpiceDB.Insecure,
+ SharedSecret: convertSecretKeyReferenceFrom(src.SpiceDB.SharedSecret),
+ Subject: spiceDBObjectFrom(src.SpiceDB.Subject),
+ Resource: spiceDBObjectFrom(src.SpiceDB.Resource),
+ Permission: convertValueOrSelectorFrom(src.SpiceDB.Permission),
+ }
+ }
+
+ return author��ization
+}
+
 func convertOpaExternalRegistryTo(src ExternalRegistry) *v1beta2.ExternalOpaPolicy {
 if src.Endpoint == "" {
 return nil
@@ -446,6 +802,18 @@ func convertOpaExternalRegistryTo(src ExternalRegistry) *v1beta2.ExternalOpaPoli
 }
 }
+func convertOpaExternalRegistryFrom(src *v1beta2.ExternalOpaPolicy) ExternalRegistry {
+ if src == nil {
+ return ExternalRegistry{}
+ }
+ return ExternalRegistry{
+ Endpoint: src.Url,
+ SharedSecret: convertSecretKeyReferenceFrom(src.SharedSecret),
+ Credentials: convertCredentialsFrom(src.Credentials),
+ TTL: src.TTL,
+ }
+}
+
 func convertKubernetesSubjectAccessReviewResourceAttributesTo(src *Authorization_KubernetesAuthz_ResourceAttributes) *v1beta2.KubernetesSubjectAccessReviewResourceAttributesSpec {
 if src == nil {
 return nil
@@ -460,6 +828,20 @@ func convertKubernetesSubjectAccessReviewResourceAttributesTo(src *Authorization
 }
 }
+func convertKubernetesSubjectAccessReviewResourceAttributesFrom(src *v1beta2.KubernetesSubjectAccessReviewResourceAttributesSpec) *Authorization_KubernetesAuthz_ResourceAttributes {
+ if src == nil {
+ return nil
+ }
+ return &Authorization_KubernetesAuthz_ResourceAttributes{
+ Namespace: convertValueOrSelectorFrom(src.Namespace),
+ Group: convertValueOrSelectorFrom(src.Group),
+ Resource: convertValueOrSelectorFrom(src.Resource),
+ Name: convertValueOrSelectorFrom(src.Name),
+ SubResource: convertValueOrSelectorFrom(src.SubResource),
+ Verb: convertValueOrSelectorFrom(src.Verb),
+ }
+}
+
 func spiceDBObjectTo(src *AuthzedObject) *v1beta2.SpiceDBObject {
 if src == nil {
 return nil
@@ -470,6 +852,16 @@ func spiceDBObjectTo(src *AuthzedObject) *v1beta2.SpiceDBObject {
 }
 }
+func spiceDBObjectFrom(src *v1beta2.SpiceDBObject) *AuthzedObject {
+ if src == nil {
+ return nil
+ }
+ return &AuthzedObject{
+ Kind: convertValueOrSelectorFrom(src.Kind),
+ Name: convertValueOrSelectorFrom(src.Name),
+ }
+}
+
 func convertDenyWithSpecTo(src *DenyWithSpec) *v1beta2.DenyWithSpec {
 if src == nil {
 return nil
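Review bot: The `if src == nil` guard in convertOpaExternalRegistryFrom does not cover the embedded pointer: `src.Url`, `src.SharedSecret` and `src.Credentials` are promoted through `*v1beta2.HttpEndpointSpec` (the ConvertTo side builds `HttpEndpointSpec: &v1beta2.HttpEndpointSpec{...}`), so an ExternalOpaPolicy stored with that embedded spec unset panics with a nil dereference when the webhook converts it. `if src == nil || src.HttpEndpointSpec == nil { return ExternalRegistry{} }` closes the gap; whether `TTL` should still be carried over in that case is not something the diff settles.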
@@ -482,6 +874,18 @@ func convertDenyWithSpecTo(src *DenyWithSpec) *v1beta2.DenyWithSpec {
 }
 }
+func convertDenyWithSpecFrom(src *v1beta2.DenyWithSpec) *DenyWithSpec {
+ if src == nil {
+ return nil
+ }
+ return &DenyWithSpec{
+ Code: DenyWith_Code(src.Code),
+ Headers: convertNamedValuesOrSelectorsFrom(src.Headers),
+ Message: convertPtrValueOrSelectorFrom(src.Message),
+ Body: convertPtrValueOrSelectorFrom(src.Body),
+ }
+}
+
 func convertSuccessResponseTo(src *Response) (string, v1beta2.SuccessResponseSpec) {
 response := v1beta2.SuccessResponseSpec{
 CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{
@@ -525,6 +929,49 @@ func convertSuccessResponseTo(src *Response) (string, v1beta2.SuccessResponseSpe
 return src.Name, response
 }
+func convertSuccessResponseFrom(name string, src v1beta2.SuccessResponseSpec, wrapper string) *Response {
+ response := &Response{
+ Name: name,
+ Priority: src.Priority,
+ Metrics: src.Metrics,
+ Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom),
+ Cache: convertEvaluatorCachingFrom(src.Cache),
+ Wrapper: Response_Wrapper(wrapper),
+ WrapperKey: src.Key,
+ }
+
+ switch src.GetMethod() {
+ case v1beta2.PlainAuthResponse:
+ selector := Response_Plain(convertValueOrSelectorFrom(v1beta2.ValueOrSelector(*src.Plain)))
+ response.Plain = &selector
+ case v1beta2.JsonAuthResponse:
+ response.JSON = &Response_DynamicJSON{
+ Properties: convertNamedValuesOrSelectorsFrom(src.Json.Properties),
+ }
+ case v1beta2.WristbandAuthResponse:
+ response.Wristband = &Response_Wristband{
+ Issuer: src.Wristband.Issuer,
+ CustomClaims: convertNamedValuesOrSelectorsFrom(src.Wristband.CustomClaims),
+ }
+ if src.Wristband.TokenDuration != nil {
+ duration := *src.Wristband.TokenDuration
+ response.Wristband.TokenDuration = &duration
+ }
+ for _, keySrc := range src.Wristband.SigningKeyRefs {
+ if keySrc == nil {
+ continue
+ }
+ key := SigningKeyRef{
+ Name: keySrc.Name,
+ Algorithm: SigningKeyAlgorithm(keySrc.Algorithm),
+ }
+ response.Wristband.SigningKeyRefs = append(response.Wristband.SigningKeyRefs, &key)
+ }
+ }
+
+ return response
+}
+
 func convertCallbackTo(src *Callback) (string, v1beta2.CallbackSpec) {
 callback := v1beta2.CallbackSpec{
 CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{
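Review bot: `wrapper string` in convertSuccessResponseFrom is only converted with `Response_Wrapper(wrapper)` inside the function, so the call sites in ConvertFrom pass the bare literals "httpHeader" and "envoyDynamicMetadata" and a typo there would compile silently. Taking `wrapper Response_Wrapper` as the parameter and writing `Wrapper: wrapper,` moves the conversion to the callers, where the package's typed constants for these values (if it defines them) can be used instead of strings.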
@@ -542,6 +989,22 @@ func convertCallbackTo(src *Callback) (string, v1beta2.CallbackSpec) {
 return src.Name, callback
 }
+func convertCallbackFrom(name string, src v1beta2.CallbackSpec) *Callback {
+ callback := &Callback{
+ Name: name,
+ Priority: src.Priority,
+ Metrics: src.Metrics,
+ Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom),
+ }
+
+ switch src.GetMethod() {
+ case v1beta2.HttpCallback:
+ callback.HTTP = convertHttpEndpointSpecFrom(src.Http)
+ }
+
+ return callback
+}
+
 func convertStatusTo(src AuthConfigStatus) v1beta2.AuthConfigStatus {
 return v1beta2.AuthConfigStatus{
 Conditions: utils.Map(src.Conditions, func(conditionSrc Condition) v1beta2.AuthConfigStatusCondition {
@@ -562,6 +1025,26 @@ func convertStatusTo(src AuthConfigStatus) v1beta2.AuthConfigStatus {
 }
 }
+func convertStatusFrom(src v1beta2.AuthConfigStatus) AuthConfigStatus {
+ return AuthConfigStatus{
+ Conditions: utils.Map(src.Conditions, func(conditionSrc v1beta2.AuthConfigStatusCondition) Condition {
+ condition := Condition{
+ Type: ConditionType(conditionSrc.Type),
+ Status: conditionSrc.Status,
+ LastTransitionTime: conditionSrc.LastTransitionTime,
+ Reason: conditionSrc.Reason,
+ Message: conditionSrc.Message,
+ }
+ if conditionSrc.LastUpdatedTime != nil {
+ time := *conditionSrc.LastUpdatedTime
+ condition.LastUpdatedTime = &time
+ }
+ return condition
+ }),
+ Summary: convertStatusSummaryFrom(src.Summary),
+ }
+}
+
 func convertStatusSummaryTo(src Summary) v1beta2.AuthConfigStatusSummary {
 hostsReady := make([]string, len(src.HostsReady))
 copy(hostsReady, src.HostsReady)
@@ -577,3 +1060,19 @@ func convertStatusSummaryTo(src Summary) v1beta2.AuthConfigStatusSummary {
 FestivalWristbandEnabled: src.FestivalWristbandEnabled,
 }
 }
+
+func convertStatusSummaryFrom(src v1beta2.AuthConfigStatusSummary) Summary {
+ hostsReady := make([]string, len(src.HostsReady))
+ copy(hostsReady, src.HostsReady)
+
+ return Summary{
+ Ready: src.Ready,
+ HostsReady: hostsReady,
+ NumHostsReady: src.NumHostsReady,
+ NumIdentitySources: src.NumIdentitySources,
+ NumMetadataSources: src.NumMetadataSources,
+ NumAuthorizationPolicies: src.NumAuthorizationPolicies,
+ NumResponseItems: src.NumResponseItems,
+ FestivalWristbandEnabled: src.FestivalWristbandEnabled,
+ }
+}
diff --git a/api/v1beta2/auth_config_conversion.go b/api/v1beta2/auth_config_conversion.go
index f07163e8..a66d1434 100644
--- a/api/v1beta2/auth_config_conversion.go
+++ b/api/v1beta2/auth_config_conversion.go
@@ -2,1086 +2,3 @@ package v1beta2 // Hub marks this version as a conversion hub. func (a *AuthConfig) Hub() {} - -/** - -import ( - "encoding/json" - - "github.com/kuadrant/authorino/api/v1beta1" - "github.com/kuadrant/authorino/pkg/utils" - - "github.com/tidwall/gjson" - k8sruntime "k8s.io/apimachinery/pkg/runtime" - ctrl "sigs.k8s.io/controller-runtime" - "sigs.k8s.io/controller-runtime/pkg/conversion" -) - -func (src *AuthConfig) ConvertTo(dstRaw conversion.Hub) error { - dst := dstRaw.(*v1beta1.AuthConfig) - - logger := ctrl.Log.WithName("webhook").WithName("authconfig").WithName("converto").WithValues("src", src) - logger.V(1).Info("starting converting resource") - - // metadata - dst.ObjectMeta = src.ObjectMeta - - // hosts - dst.Spec.Hosts = src.Spec.Hosts - - // named patterns - if src.Spec.NamedPatterns != nil { - dst.Spec.Patterns = make(map[string]v1beta1.JSONPatternExpressions, len(src.Spec.NamedPatterns)) - for name, patterns := range src.Spec.NamedPatterns { - dst.Spec.Patterns[name] = utils.Map(patterns, convertPatternExpressionTo) - } - } - - // conditions - dst.Spec.Conditions = utils.Map(src.Spec.Conditions, convertPatternExpressionOrRefTo) - - // identity - for name, authentication := range src.Spec.Authentication { - identity := convertAuthenticationTo(name, authentication) - dst.Spec.Identity = append(dst.Spec.Identity, identity) - } - - // metadata - for name, metadataSrc := range src.Spec.Metadata { - metadata := convertMetadataTo(name, metadataSrc) - dst.Spec.Metadata = append(dst.Spec.Metadata, metadata) - } - - // authorization - for name, authorizationSrc := range src.Spec.Authorization { - authorization := convertAuthorizationTo(name, authorizationSrc) - dst.Spec.Authorization = append(dst.Spec.Authorization, authorization) - } - - // response - if src.Spec.Response != nil { - for name, responseSrc := range src.Spec.Response.Success.Headers { - response := convertSuccessResponseTo(name, responseSrc.SuccessResponseSpec, "httpHeader") - 
dst.Spec.Response = append(dst.Spec.Response, response) - } - - for name, responseSrc := range src.Spec.Response.Success.DynamicMetadata { - response := convertSuccessResponseTo(name, responseSrc, "envoyDynamicMetadata") - dst.Spec.Response = append(dst.Spec.Response, response) - } - - // denyWith - if src.Spec.Response.Unauthenticated != nil || src.Spec.Response.Unauthorized != nil { - dst.Spec.DenyWith = &v1beta1.DenyWith{} - } - - if denyWithSrc := src.Spec.Response.Unauthenticated; denyWithSrc != nil { - dst.Spec.DenyWith.Unauthenticated = convertDenyWithSpecTo(denyWithSrc) - } - - if denyWithSrc := src.Spec.Response.Unauthorized; denyWithSrc != nil { - dst.Spec.DenyWith.Unauthorized = convertDenyWithSpecTo(denyWithSrc) - } - } - - // callbacks - for name, callbackSrc := range src.Spec.Callbacks { - callback := convertCallbackTo(name, callbackSrc) - dst.Spec.Callbacks = append(dst.Spec.Callbacks, callback) - } - - // status - dst.Status = convertStatusTo(src.Status) - - logger.V(1).Info("finished converting resource", "dst", dst) - - return nil -} - -func (dst *AuthConfig) ConvertFrom(srcRaw conversion.Hub) error { - src := srcRaw.(*v1beta1.AuthConfig) - - logger := ctrl.Log.WithName("webhook").WithName("authconfig").WithName("converfrom").WithValues("src", src) - logger.V(1).Info("starting converting resource") - - // metadata - dst.ObjectMeta = src.ObjectMeta - - // hosts - dst.Spec.Hosts = src.Spec.Hosts - - // named patterns - if src.Spec.Patterns != nil { - dst.Spec.NamedPatterns = make(map[string]PatternExpressions, len(src.Spec.Patterns)) - for name, patterns := range src.Spec.Patterns { - dst.Spec.NamedPatterns[name] = utils.Map(patterns, convertPatternExpressionFrom) - } - } - - // conditions - dst.Spec.Conditions = utils.Map(src.Spec.Conditions, convertPatternExpressionOrRefFrom) - - // authentication - if src.Spec.Identity != nil { - dst.Spec.Authentication = make(map[string]AuthenticationSpec, len(src.Spec.Identity)) - for _, identity := range 
src.Spec.Identity { - name, authentication := convertAuthenticationFrom(identity) - dst.Spec.Authentication[name] = authentication - } - } - - // metadata - if src.Spec.Metadata != nil { - dst.Spec.Metadata = make(map[string]MetadataSpec, len(src.Spec.Metadata)) - for _, metadataSrc := range src.Spec.Metadata { - name, metadata := convertMetadataFrom(metadataSrc) - dst.Spec.Metadata[name] = metadata - } - } - - // authorization - if src.Spec.Authorization != nil { - dst.Spec.Authorization = make(map[string]AuthorizationSpec, len(src.Spec.Authorization)) - for _, authorizationSrc := range src.Spec.Authorization { - name, authorization := convertAuthorizationFrom(authorizationSrc) - dst.Spec.Authorization[name] = authorization - } - } - - // response - denyWith := src.Spec.DenyWith - - if denyWith != nil || len(src.Spec.Response) > 0 { - dst.Spec.Response = &ResponseSpec{} - } - - if denyWith != nil && denyWith.Unauthenticated != nil { - dst.Spec.Response.Unauthenticated = convertDenyWithSpecFrom(denyWith.Unauthenticated) - } - - if denyWith != nil && denyWith.Unauthorized != nil { - dst.Spec.Response.Unauthorized = convertDenyWithSpecFrom(denyWith.Unauthorized) - } - - for _, responseSrc := range src.Spec.Response { - if responseSrc.Wrapper != "httpHeader" && responseSrc.Wrapper != "" { - continue - } - if dst.Spec.Response.Success.Headers == nil { - dst.Spec.Response.Success.Headers = make(map[string]HeaderSuccessResponseSpec) - } - name, response := convertSuccessResponseFrom(responseSrc) - dst.Spec.Response.Success.Headers[name] = HeaderSuccessResponseSpec{ - SuccessResponseSpec: response, - } - } - - for _, responseSrc := range src.Spec.Response { - if responseSrc.Wrapper != "envoyDynamicMetadata" { - continue - } - if dst.Spec.Response.Success.DynamicMetadata == nil { - dst.Spec.Response.Success.DynamicMetadata = make(map[string]SuccessResponseSpec) - } - name, response := convertSuccessResponseFrom(responseSrc) - dst.Spec.Response.Success.DynamicMetadata[name] 
= response - } - - // callbacks - if src.Spec.Callbacks != nil { - dst.Spec.Callbacks = make(map[string]CallbackSpec, len(src.Spec.Callbacks)) - for _, callbackSrc := range src.Spec.Callbacks { - name, callback := convertCallbackFrom(callbackSrc) - dst.Spec.Callbacks[name] = callback - } - } - - // status - dst.Status = convertStatusFrom(src.Status) - - logger.V(1).Info("finished converting resource", "dst", dst) - - return nil -} - -func convertPatternExpressionTo(src PatternExpression) v1beta1.JSONPatternExpression { - return v1beta1.JSONPatternExpression{ - Selector: src.Selector, - Operator: v1beta1.JSONPatternOperator(src.Operator), - Value: src.Value, - } -} - -func convertPatternExpressionFrom(src v1beta1.JSONPatternExpression) PatternExpression { - return PatternExpression{ - Selector: src.Selector, - Operator: PatternExpressionOperator(src.Operator), - Value: src.Value, - } -} - -func convertPatternExpressionOrRefTo(src PatternExpressionOrRef) v1beta1.JSONPattern { - pattern := v1beta1.JSONPattern{ - JSONPatternExpression: convertPatternExpressionTo(src.PatternExpression), - JSONPatternRef: v1beta1.JSONPatternRef{ - JSONPatternName: src.PatternRef.Name, - }, - } - if len(src.All) > 0 { - pattern.All = make([]v1beta1.UnstructuredJSONPattern, len(src.All)) - for i, p := range src.All { - pattern.All[i] = v1beta1.UnstructuredJSONPattern{JSONPattern: convertPatternExpressionOrRefTo(p.PatternExpressionOrRef)} - } - } - if len(src.Any) > 0 { - pattern.Any = make([]v1beta1.UnstructuredJSONPattern, len(src.Any)) - for i, p := range src.Any { - pattern.Any[i] = v1beta1.UnstructuredJSONPattern{JSONPattern: convertPatternExpressionOrRefTo(p.PatternExpressionOrRef)} - } - } - return pattern -} - -func convertPatternExpressionOrRefFrom(src v1beta1.JSONPattern) PatternExpressionOrRef { - pattern := PatternExpressionOrRef{ - PatternExpression: convertPatternExpressionFrom(src.JSONPatternExpression), - PatternRef: PatternRef{ - Name: src.JSONPatternRef.JSONPatternName, - 
}, - } - if len(src.All) > 0 { - pattern.All = make([]UnstructuredPatternExpressionOrRef, len(src.All)) - for i, p := range src.All { - pattern.All[i] = UnstructuredPatternExpressionOrRef{convertPatternExpressionOrRefFrom(p.JSONPattern)} - } - } - if len(src.Any) > 0 { - pattern.Any = make([]UnstructuredPatternExpressionOrRef, len(src.Any)) - for i, p := range src.Any { - pattern.Any[i] = UnstructuredPatternExpressionOrRef{convertPatternExpressionOrRefFrom(p.JSONPattern)} - } - } - return pattern -} - -func convertEvaluatorCachingTo(src *EvaluatorCaching) *v1beta1.EvaluatorCaching { - if src == nil { - return nil - } - return &v1beta1.EvaluatorCaching{ - Key: convertValueOrSelectorTo(src.Key), - TTL: src.TTL, - } -} - -func convertEvaluatorCachingFrom(src *v1beta1.EvaluatorCaching) *EvaluatorCaching { - if src == nil { - return nil - } - return &EvaluatorCaching{ - Key: convertValueOrSelectorFrom(src.Key), - TTL: src.TTL, - } -} - -func convertValueOrSelectorTo(src ValueOrSelector) v1beta1.StaticOrDynamicValue { - return v1beta1.StaticOrDynamicValue{ - Value: gjson.ParseBytes(src.Value.Raw).String(), - ValueFrom: convertSelectorTo(src), - } -} - -func convertValueOrSelectorFrom(src v1beta1.StaticOrDynamicValue) ValueOrSelector { - value := k8sruntime.RawExtension{} - if src.ValueFrom.AuthJSON == "" { - jsonString, err := json.Marshal(src.Value) - if err == nil { - value.Raw = jsonString - } - } - return ValueOrSelector{ - Value: value, - Selector: src.ValueFrom.AuthJSON, - } -} - -func convertPtrValueOrSelectorTo(src *ValueOrSelector) *v1beta1.StaticOrDynamicValue { - if src == nil { - return nil - } - v := convertValueOrSelectorTo(*src) - return &v -} - -func convertPtrValueOrSelectorFrom(src *v1beta1.StaticOrDynamicValue) *ValueOrSelector { - if src == nil { - return nil - } - v := convertValueOrSelectorFrom(*src) - return &v -} - -func convertNamedValuesOrSelectorsTo(src NamedValuesOrSelectors) []v1beta1.JsonProperty { - if src == nil { - return nil - } - 
jsonProperties := make([]v1beta1.JsonProperty, 0, len(src)) - for name, valueOrSelector := range src { - jsonProperties = append(jsonProperties, v1beta1.JsonProperty{ - Name: name, - Value: valueOrSelector.Value, - ValueFrom: convertSelectorTo(valueOrSelector), - }) - } - return jsonProperties -} - -func convertNamedValuesOrSelectorsFrom(src []v1beta1.JsonProperty) NamedValuesOrSelectors { - if src == nil { - return nil - } - namedValuesOrSelectors := NamedValuesOrSelectors{} - for _, jsonProperty := range src { - value := k8sruntime.RawExtension{} - if jsonProperty.ValueFrom.AuthJSON == "" { - value.Raw = jsonProperty.Value.Raw - } - namedValuesOrSelectors[jsonProperty.Name] = ValueOrSelector{ - Value: value, - Selector: jsonProperty.ValueFrom.AuthJSON, - } - } - return namedValuesOrSelectors -} - -func convertSelectorTo(src ValueOrSelector) v1beta1.ValueFrom { - return v1beta1.ValueFrom{ - AuthJSON: src.Selector, - } -} - -func convertCredentialsTo(src Credentials) v1beta1.Credentials { - var in, key string - switch src.GetType() { - case AuthorizationHeaderCredentials: - in = "authorization_header" - key = src.AuthorizationHeader.Prefix - case CustomHeaderCredentials: - in = "custom_header" - key = src.CustomHeader.Name - case QueryStringCredentials: - in = "query" - key = src.QueryString.Name - case CookieCredentials: - in = "cookie" - key = src.Cookie.Name - } - return v1beta1.Credentials{ - In: v1beta1.Credentials_In(in), - KeySelector: key, - } -} - -func convertCredentialsFrom(src v1beta1.Credentials) Credentials { - credentials := Credentials{} - switch src.In { - case "authorization_header": - credentials.AuthorizationHeader = &Prefixed{ - Prefix: src.KeySelector, - } - case "custom_header": - credentials.CustomHeader = &CustomHeader{ - Named: Named{Name: src.KeySelector}, - } - case "query": - credentials.QueryString = &Named{ - Name: src.KeySelector, - } - case "cookie": - credentials.Cookie = &Named{ - Name: src.KeySelector, - } - } - return 
credentials -} - -func convertAuthenticationTo(name string, src AuthenticationSpec) *v1beta1.Identity { - extendedProperties := utils.Map(convertNamedValuesOrSelectorsTo(NamedValuesOrSelectors(src.Overrides)), func(jsonProperty v1beta1.JsonProperty) v1beta1.ExtendedProperty { - return v1beta1.ExtendedProperty{ - JsonProperty: jsonProperty, - Overwrite: true, - } - }) - extendedProperties = append(extendedProperties, utils.Map(convertNamedValuesOrSelectorsTo(NamedValuesOrSelectors(src.Defaults)), func(jsonProperty v1beta1.JsonProperty) v1beta1.ExtendedProperty { - return v1beta1.ExtendedProperty{ - JsonProperty: jsonProperty, - Overwrite: false, - } - })...) - - identity := &v1beta1.Identity{ - Name: name, - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), - Cache: convertEvaluatorCachingTo(src.Cache), - Credentials: convertCredentialsTo(src.Credentials), - ExtendedProperties: extendedProperties, - } - - switch src.GetMethod() { - case ApiKeyAuthentication: - selector := *src.ApiKey.Selector - identity.APIKey = &v1beta1.Identity_APIKey{ - Selector: &selector, - AllNamespaces: src.ApiKey.AllNamespaces, - } - case JwtAuthentication: - identity.Oidc = &v1beta1.Identity_OidcConfig{ - Endpoint: src.Jwt.IssuerUrl, - TTL: src.Jwt.TTL, - } - case OAuth2TokenIntrospectionAuthentication: - credentials := *src.OAuth2TokenIntrospection.Credentials - identity.OAuth2 = &v1beta1.Identity_OAuth2Config{ - TokenIntrospectionUrl: src.OAuth2TokenIntrospection.Url, - TokenTypeHint: src.OAuth2TokenIntrospection.TokenTypeHint, - Credentials: &credentials, - } - case KubernetesTokenReviewAuthentication: - identity.KubernetesAuth = &v1beta1.Identity_KubernetesAuth{ - Audiences: src.KubernetesTokenReview.Audiences, - } - case X509ClientCertificateAuthentication: - selector := *src.X509ClientCertificate.Selector - identity.MTLS = &v1beta1.Identity_MTLS{ - Selector: &selector, - AllNamespaces: 
src.X509ClientCertificate.AllNamespaces, - } - case PlainIdentityAuthentication: - selector := v1beta1.Identity_Plain(v1beta1.ValueFrom{ - AuthJSON: src.Plain.Selector, - }) - identity.Plain = &selector - case AnonymousAccessAuthentication: - identity.Anonymous = &v1beta1.Identity_Anonymous{} - } - - return identity -} - -func convertAuthenticationFrom(src *v1beta1.Identity) (string, AuthenticationSpec) { - authentication := AuthenticationSpec{ - CommonEvaluatorSpec: CommonEvaluatorSpec{ - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), - Cache: convertEvaluatorCachingFrom(src.Cache), - }, - Credentials: convertCredentialsFrom(src.Credentials), - } - - var overrides []v1beta1.JsonProperty - for _, extendedProperty := range src.ExtendedProperties { - if !extendedProperty.Overwrite { - continue - } - overrides = append(overrides, extendedProperty.JsonProperty) - } - if len(overrides) > 0 { - authentication.Overrides = ExtendedProperties(convertNamedValuesOrSelectorsFrom(overrides)) - } - - var defaults []v1beta1.JsonProperty - for _, extendedProperty := range src.ExtendedProperties { - if extendedProperty.Overwrite { - continue - } - defaults = append(defaults, extendedProperty.JsonProperty) - } - if len(defaults) > 0 { - authentication.Defaults = ExtendedProperties(convertNamedValuesOrSelectorsFrom(defaults)) - } - - switch src.GetType() { - case v1beta1.IdentityApiKey: - selector := *src.APIKey.Selector - authentication.ApiKey = &ApiKeyAuthenticationSpec{ - Selector: &selector, - AllNamespaces: src.APIKey.AllNamespaces, - } - case v1beta1.IdentityOidc: - authentication.Jwt = &JwtAuthenticationSpec{ - IssuerUrl: src.Oidc.Endpoint, - TTL: src.Oidc.TTL, - } - case v1beta1.IdentityOAuth2: - credentials := *src.OAuth2.Credentials - authentication.OAuth2TokenIntrospection = &OAuth2TokenIntrospectionSpec{ - Url: src.OAuth2.TokenIntrospectionUrl, - TokenTypeHint: src.OAuth2.TokenTypeHint, - 
Credentials: &credentials, - } - case v1beta1.IdentityKubernetesAuth: - authentication.KubernetesTokenReview = &KubernetesTokenReviewSpec{ - Audiences: src.KubernetesAuth.Audiences, - } - case v1beta1.IdentityMTLS: - selector := *src.MTLS.Selector - authentication.X509ClientCertificate = &X509ClientCertificateAuthenticationSpec{ - Selector: &selector, - AllNamespaces: src.MTLS.AllNamespaces, - } - case v1beta1.IdentityPlain: - authentication.Plain = &PlainIdentitySpec{ - Selector: src.Plain.AuthJSON, - } - case v1beta1.IdentityAnonymous: - authentication.AnonymousAccess = &AnonymousAccessSpec{} - } - - return src.Name, authentication -} - -func convertMetadataTo(name string, src MetadataSpec) *v1beta1.Metadata { - metadata := &v1beta1.Metadata{ - Name: name, - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), - Cache: convertEvaluatorCachingTo(src.Cache), - } - - switch src.GetMethod() { - case HttpMetadata: - metadata.GenericHTTP = convertHttpEndpointSpecTo(src.Http) - case UserInfoMetadata: - metadata.UserInfo = &v1beta1.Metadata_UserInfo{ - IdentitySource: src.UserInfo.IdentitySource, - } - case UmaResourceMetadata: - credentials := *src.Uma.Credentials - metadata.UMA = &v1beta1.Metadata_UMA{ - Endpoint: src.Uma.Endpoint, - Credentials: &credentials, - } - } - - return metadata -} - -func convertMetadataFrom(src *v1beta1.Metadata) (string, MetadataSpec) { - metadata := MetadataSpec{ - CommonEvaluatorSpec: CommonEvaluatorSpec{ - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), - Cache: convertEvaluatorCachingFrom(src.Cache), - }, - } - - switch src.GetType() { - case v1beta1.MetadataGenericHTTP: - metadata.Http = convertHttpEndpointSpecFrom(src.GenericHTTP) - case v1beta1.MetadataUserinfo: - metadata.UserInfo = &UserInfoMetadataSpec{ - IdentitySource: src.UserInfo.IdentitySource, - } - case v1beta1.MetadataUma: - 
credentials := *src.UMA.Credentials - metadata.Uma = &UmaMetadataSpec{ - Endpoint: src.UMA.Endpoint, - Credentials: &credentials, - } - } - - return src.Name, metadata -} - -func convertHttpEndpointSpecTo(src *HttpEndpointSpec) *v1beta1.Metadata_GenericHTTP { - if src == nil { - return nil - } - return &v1beta1.Metadata_GenericHTTP{ - Endpoint: src.Url, - Method: convertMethodTo(src.Method), - Body: convertPtrValueOrSelectorTo(src.Body), - Parameters: convertNamedValuesOrSelectorsTo(src.Parameters), - ContentType: convertContentTypeTo(src.ContentType), - Headers: convertNamedValuesOrSelectorsTo(src.Headers), - SharedSecret: convertSecretKeyReferenceTo(src.SharedSecret), - OAuth2: convertOAuth2ClientAuthenticationTo(src.OAuth2), - Credentials: convertCredentialsTo(src.Credentials), - } -} - -func convertHttpEndpointSpecFrom(src *v1beta1.Metadata_GenericHTTP) *HttpEndpointSpec { - if src == nil { - return nil - } - return &HttpEndpointSpec{ - Url: src.Endpoint, - Method: convertMethodFrom(src.Method), - Body: convertPtrValueOrSelectorFrom(src.Body), - Parameters: convertNamedValuesOrSelectorsFrom(src.Parameters), - ContentType: convertContentTypeFrom(src.ContentType), - Headers: convertNamedValuesOrSelectorsFrom(src.Headers), - SharedSecret: convertSecretKeyReferenceFrom(src.SharedSecret), - OAuth2: convertOAuth2ClientAuthenticationFrom(src.OAuth2), - Credentials: convertCredentialsFrom(src.Credentials), - } -} - -func convertMethodTo(src *HttpMethod) *v1beta1.GenericHTTP_Method { - if src == nil { - return nil - } - method := v1beta1.GenericHTTP_Method(*src) - return &method -} - -func convertMethodFrom(src *v1beta1.GenericHTTP_Method) *HttpMethod { - if src == nil { - return nil - } - method := HttpMethod(*src) - return &method -} - -func convertContentTypeTo(src HttpContentType) v1beta1.Metadata_GenericHTTP_ContentType { - return v1beta1.Metadata_GenericHTTP_ContentType(src) -} - -func convertContentTypeFrom(src v1beta1.Metadata_GenericHTTP_ContentType) 
HttpContentType { - return HttpContentType(src) -} - -func convertOAuth2ClientAuthenticationTo(src *OAuth2ClientAuthentication) *v1beta1.OAuth2ClientAuthentication { - if src == nil { - return nil - } - o := &v1beta1.OAuth2ClientAuthentication{ - TokenUrl: src.TokenUrl, - ClientId: src.ClientId, - ClientSecret: *convertSecretKeyReferenceTo(&src.ClientSecret), - Scopes: src.Scopes, - ExtraParams: src.ExtraParams, - } - if src.Cache != nil { - cache := *src.Cache - o.Cache = &cache - } - return o -} - -func convertOAuth2ClientAuthenticationFrom(src *v1beta1.OAuth2ClientAuthentication) *OAuth2ClientAuthentication { - if src == nil { - return nil - } - o := &OAuth2ClientAuthentication{ - TokenUrl: src.TokenUrl, - ClientId: src.ClientId, - ClientSecret: *convertSecretKeyReferenceFrom(&src.ClientSecret), - Scopes: src.Scopes, - ExtraParams: src.ExtraParams, - } - if src.Cache != nil { - cache := *src.Cache - o.Cache = &cache - } - return o -} - -func convertSecretKeyReferenceTo(src *SecretKeyReference) *v1beta1.SecretKeyReference { - if src == nil { - return nil - } - return &v1beta1.SecretKeyReference{ - Name: src.Name, - Key: src.Key, - } -} - -func convertSecretKeyReferenceFrom(src *v1beta1.SecretKeyReference) *SecretKeyReference { - if src == nil { - return nil - } - return &SecretKeyReference{ - Name: src.Name, - Key: src.Key, - } -} - -func convertAuthorizationTo(name string, src AuthorizationSpec) *v1beta1.Authorization { - authorization := &v1beta1.Authorization{ - Name: name, - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), - Cache: convertEvaluatorCachingTo(src.Cache), - } - - switch src.GetMethod() { - case PatternMatchingAuthorization: - authorization.JSON = &v1beta1.Authorization_JSONPatternMatching{ - Rules: utils.Map(src.PatternMatching.Patterns, convertPatternExpressionOrRefTo), - } - case OpaAuthorization: - authorization.OPA = &v1beta1.Authorization_OPA{ - InlineRego: 
src.Opa.Rego, - ExternalRegistry: convertOpaExternalRegistryTo(src.Opa.External), - AllValues: src.Opa.AllValues, - } - case KubernetesSubjectAccessReviewAuthorization: - authorization.KubernetesAuthz = &v1beta1.Authorization_KubernetesAuthz{ - Groups: src.KubernetesSubjectAccessReview.Groups, - ResourceAttributes: convertKubernetesSubjectAccessReviewResourceAttributesTo(src.KubernetesSubjectAccessReview.ResourceAttributes), - } - if src.KubernetesSubjectAccessReview.User != nil { - authorization.KubernetesAuthz.User = convertValueOrSelectorTo(*src.KubernetesSubjectAccessReview.User) - } - case SpiceDBAuthorization: - authorization.Authzed = &v1beta1.Authorization_Authzed{ - Endpoint: src.SpiceDB.Endpoint, - Insecure: src.SpiceDB.Insecure, - SharedSecret: convertSecretKeyReferenceTo(src.SpiceDB.SharedSecret), - Subject: spiceDBObjectTo(src.SpiceDB.Subject), - Resource: spiceDBObjectTo(src.SpiceDB.Resource), - Permission: convertValueOrSelectorTo(src.SpiceDB.Permission), - } - } - - return authorization -} - -func convertAuthorizationFrom(src *v1beta1.Authorization) (string, AuthorizationSpec) { - authorization := AuthorizationSpec{ - CommonEvaluatorSpec: CommonEvaluatorSpec{ - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), - Cache: convertEvaluatorCachingFrom(src.Cache), - }, - } - - switch src.GetType() { - case v1beta1.AuthorizationJSONPatternMatching: - authorization.PatternMatching = &PatternMatchingAuthorizationSpec{ - Patterns: utils.Map(src.JSON.Rules, convertPatternExpressionOrRefFrom), - } - case v1beta1.AuthorizationOPA: - authorization.Opa = &OpaAuthorizationSpec{ - Rego: src.OPA.InlineRego, - External: convertOpaExternalRegistryFrom(src.OPA.ExternalRegistry), - AllValues: src.OPA.AllValues, - } - case v1beta1.AuthorizationKubernetesAuthz: - authorization.KubernetesSubjectAccessReview = &KubernetesSubjectAccessReviewAuthorizationSpec{ - User: 
convertPtrValueOrSelectorFrom(&src.KubernetesAuthz.User), - Groups: src.KubernetesAuthz.Groups, - ResourceAttributes: convertKubernetesSubjectAccessReviewResourceAttributesFrom(src.KubernetesAuthz.ResourceAttributes), - } - case v1beta1.AuthorizationAuthzed: - authorization.SpiceDB = &SpiceDBAuthorizationSpec{ - Endpoint: src.Authzed.Endpoint, - Insecure: src.Authzed.Insecure, - SharedSecret: convertSecretKeyReferenceFrom(src.Authzed.SharedSecret), - Subject: spiceDBObjectFrom(src.Authzed.Subject), - Resource: spiceDBObjectFrom(src.Authzed.Resource), - Permission: convertValueOrSelectorFrom(src.Authzed.Permission), - } - } - - return src.Name, authorization -} - -func convertOpaExternalRegistryTo(src *ExternalOpaPolicy) v1beta1.ExternalRegistry { - if src == nil { - return v1beta1.ExternalRegistry{} - } - return v1beta1.ExternalRegistry{ - Endpoint: src.Url, - SharedSecret: convertSecretKeyReferenceTo(src.SharedSecret), - Credentials: convertCredentialsTo(src.Credentials), - TTL: src.TTL, - } -} - -func convertOpaExternalRegistryFrom(src v1beta1.ExternalRegistry) *ExternalOpaPolicy { - if src.Endpoint == "" { - return nil - } - return &ExternalOpaPolicy{ - HttpEndpointSpec: &HttpEndpointSpec{ - Url: src.Endpoint, - SharedSecret: convertSecretKeyReferenceFrom(src.SharedSecret), - Credentials: convertCredentialsFrom(src.Credentials), - }, - TTL: src.TTL, - } -} - -func convertKubernetesSubjectAccessReviewResourceAttributesTo(src *KubernetesSubjectAccessReviewResourceAttributesSpec) *v1beta1.Authorization_KubernetesAuthz_ResourceAttributes { - if src == nil { - return nil - } - return &v1beta1.Authorization_KubernetesAuthz_ResourceAttributes{ - Namespace: convertValueOrSelectorTo(src.Namespace), - Group: convertValueOrSelectorTo(src.Group), - Resource: convertValueOrSelectorTo(src.Resource), - Name: convertValueOrSelectorTo(src.Name), - SubResource: convertValueOrSelectorTo(src.SubResource), - Verb: convertValueOrSelectorTo(src.Verb), - } -} - -func 
convertKubernetesSubjectAccessReviewResourceAttributesFrom(src *v1beta1.Authorization_KubernetesAuthz_ResourceAttributes) *KubernetesSubjectAccessReviewResourceAttributesSpec { - if src == nil { - return nil - } - return &KubernetesSubjectAccessReviewResourceAttributesSpec{ - Namespace: convertValueOrSelectorFrom(src.Namespace), - Group: convertValueOrSelectorFrom(src.Group), - Resource: convertValueOrSelectorFrom(src.Resource), - Name: convertValueOrSelectorFrom(src.Name), - SubResource: convertValueOrSelectorFrom(src.SubResource), - Verb: convertValueOrSelectorFrom(src.Verb), - } -} - -func spiceDBObjectTo(src *SpiceDBObject) *v1beta1.AuthzedObject { - if src == nil { - return nil - } - return &v1beta1.AuthzedObject{ - Kind: convertValueOrSelectorTo(src.Kind), - Name: convertValueOrSelectorTo(src.Name), - } -} - -func spiceDBObjectFrom(src *v1beta1.AuthzedObject) *SpiceDBObject { - if src == nil { - return nil - } - return &SpiceDBObject{ - Kind: convertValueOrSelectorFrom(src.Kind), - Name: convertValueOrSelectorFrom(src.Name), - } -} - -func convertSuccessResponseTo(name string, src SuccessResponseSpec, wrapper string) *v1beta1.Response { - response := &v1beta1.Response{ - Name: name, - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), - Cache: convertEvaluatorCachingTo(src.Cache), - Wrapper: v1beta1.Response_Wrapper(wrapper), - WrapperKey: src.Key, - } - - switch src.GetMethod() { - case PlainAuthResponse: - selector := v1beta1.Response_Plain(convertValueOrSelectorTo(ValueOrSelector(*src.Plain))) - response.Plain = &selector - case JsonAuthResponse: - response.JSON = &v1beta1.Response_DynamicJSON{ - Properties: convertNamedValuesOrSelectorsTo(src.Json.Properties), - } - case WristbandAuthResponse: - response.Wristband = &v1beta1.Response_Wristband{ - Issuer: src.Wristband.Issuer, - CustomClaims: convertNamedValuesOrSelectorsTo(src.Wristband.CustomClaims), - } - if 
src.Wristband.TokenDuration != nil { - duration := *src.Wristband.TokenDuration - response.Wristband.TokenDuration = &duration - } - for _, keySrc := range src.Wristband.SigningKeyRefs { - if keySrc == nil { - continue - } - key := v1beta1.SigningKeyRef{ - Name: keySrc.Name, - Algorithm: v1beta1.SigningKeyAlgorithm(keySrc.Algorithm), - } - response.Wristband.SigningKeyRefs = append(response.Wristband.SigningKeyRefs, &key) - } - } - - return response -} - -func convertSuccessResponseFrom(src *v1beta1.Response) (string, SuccessResponseSpec) { - response := SuccessResponseSpec{ - CommonEvaluatorSpec: CommonEvaluatorSpec{ - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), - Cache: convertEvaluatorCachingFrom(src.Cache), - }, - Key: src.WrapperKey, - } - - switch src.GetType() { - case v1beta1.ResponsePlain: - selector := PlainAuthResponseSpec(convertValueOrSelectorFrom(v1beta1.StaticOrDynamicValue(*src.Plain))) - response.Plain = &selector - case v1beta1.ResponseDynamicJSON: - response.Json = &JsonAuthResponseSpec{ - Properties: convertNamedValuesOrSelectorsFrom(src.JSON.Properties), - } - case v1beta1.ResponseWristband: - response.Wristband = &WristbandAuthResponseSpec{ - Issuer: src.Wristband.Issuer, - CustomClaims: convertNamedValuesOrSelectorsFrom(src.Wristband.CustomClaims), - } - if src.Wristband.TokenDuration != nil { - duration := *src.Wristband.TokenDuration - response.Wristband.TokenDuration = &duration - } - for _, keySrc := range src.Wristband.SigningKeyRefs { - if keySrc == nil { - continue - } - key := &WristbandSigningKeyRef{ - Name: keySrc.Name, - Algorithm: WristbandSigningKeyAlgorithm(keySrc.Algorithm), - } - response.Wristband.SigningKeyRefs = append(response.Wristband.SigningKeyRefs, key) - } - } - - return src.Name, response -} - -func convertDenyWithSpecTo(src *DenyWithSpec) *v1beta1.DenyWithSpec { - if src == nil { - return nil - } - return &v1beta1.DenyWithSpec{ - Code: 
v1beta1.DenyWith_Code(src.Code), - Headers: convertNamedValuesOrSelectorsTo(src.Headers), - Message: convertPtrValueOrSelectorTo(src.Message), - Body: convertPtrValueOrSelectorTo(src.Body), - } -} - -func convertDenyWithSpecFrom(src *v1beta1.DenyWithSpec) *DenyWithSpec { - if src == nil { - return nil - } - return &DenyWithSpec{ - Code: DenyWithCode(src.Code), - Headers: convertNamedValuesOrSelectorsFrom(src.Headers), - Message: convertPtrValueOrSelectorFrom(src.Message), - Body: convertPtrValueOrSelectorFrom(src.Body), - } -} - -func convertCallbackTo(name string, src CallbackSpec) *v1beta1.Callback { - callback := &v1beta1.Callback{ - Name: name, - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), - } - - switch src.GetMethod() { - case HttpCallback: - callback.HTTP = convertHttpEndpointSpecTo(src.Http) - } - - return callback -} - -func convertCallbackFrom(src *v1beta1.Callback) (string, CallbackSpec) { - callback := CallbackSpec{ - CommonEvaluatorSpec: CommonEvaluatorSpec{ - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), - }, - } - - switch src.GetType() { - case v1beta1.CallbackHTTP: - callback.Http = convertHttpEndpointSpecFrom(src.HTTP) - } - - return src.Name, callback -} - -func convertStatusTo(src AuthConfigStatus) v1beta1.AuthConfigStatus { - return v1beta1.AuthConfigStatus{ - Conditions: utils.Map(src.Conditions, func(conditionSrc AuthConfigStatusCondition) v1beta1.Condition { - condition := v1beta1.Condition{ - Type: v1beta1.ConditionType(conditionSrc.Type), - Status: conditionSrc.Status, - LastTransitionTime: conditionSrc.LastTransitionTime, - Reason: conditionSrc.Reason, - Message: conditionSrc.Message, - } - if conditionSrc.LastUpdatedTime != nil { - time := *conditionSrc.LastUpdatedTime - condition.LastUpdatedTime = &time - } - return condition - }), - Summary: convertStatusSummaryTo(src.Summary), - } 
-}
-
-func convertStatusFrom(src v1beta1.AuthConfigStatus) AuthConfigStatus {
- return AuthConfigStatus{
- Conditions: utils.Map(src.Conditions, func(conditionSrc v1beta1.Condition) AuthConfigStatusCondition {
- condition := AuthConfigStatusCondition{
- Type: StatusConditionType(conditionSrc.Type),
- Status: conditionSrc.Status,
- LastTransitionTime: conditionSrc.LastTransitionTime,
- Reason: conditionSrc.Reason,
- Message: conditionSrc.Message,
- }
- if conditionSrc.LastUpdatedTime != nil {
- time := *conditionSrc.LastUpdatedTime
- condition.LastUpdatedTime = &time
- }
- return condition
- }),
- Summary: convertStatusSummaryFrom(src.Summary),
- }
-}
-
-func convertStatusSummaryTo(src AuthConfigStatusSummary) v1beta1.Summary {
- hostsReady := make([]string, len(src.HostsReady))
- copy(hostsReady, src.HostsReady)
-
- return v1beta1.Summary{
- Ready: src.Ready,
- HostsReady: hostsReady,
- NumHostsReady: src.NumHostsReady,
- NumIdentitySources: src.NumIdentitySources,
- NumMetadataSources: src.NumMetadataSources,
- NumAuthorizationPolicies: src.NumAuthorizationPolicies,
- NumResponseItems: src.NumResponseItems,
- FestivalWristbandEnabled: src.FestivalWristbandEnabled,
- }
-}
-
-func convertStatusSummaryFrom(src v1beta1.Summary) AuthConfigStatusSummary {
- hostsReady := make([]string, len(src.HostsReady))
- copy(hostsReady, src.HostsReady)
-
- return AuthConfigStatusSummary{
- Ready: src.Ready,
- HostsReady: hostsReady,
- NumHostsReady: src.NumHostsReady,
- NumIdentitySources: src.NumIdentitySources,
- NumMetadataSources: src.NumMetadataSources,
- NumAuthorizationPolicies: src.NumAuthorizationPolicies,
- NumResponseItems: src.NumResponseItems,
- FestivalWristbandEnabled: src.FestivalWristbandEnabled,
- }
-}
-
-*/
From 187bf1dee2739d28a0fbf140b4d0723bbfcf2b6e Mon Sep 17 00:00:00 2001
From: Alex Snaps
Date: Mon, 26 Aug 2024 10:59:04 -0400
Subject: [PATCH 11/31] Updated test
Signed-off-by: Alex Snaps
---
 api/v1beta1/auth_config_conversion.go | 1 +
 .../auth_config_conversion_test.go | 36 +-
 .../authorino.kuadrant.io_authconfigs.yaml | 2780 +++++++++-------
 install/manifests.yaml | 2926 ++++++++++-------
 install/rbac/role.yaml | 147 +
 5 files changed, 3523 insertions(+), 2367 deletions(-)
 rename api/{v1beta2 => v1beta1}/auth_config_conversion_test.go (99%)
diff --git a/api/v1beta1/auth_config_conversion.go b/api/v1beta1/auth_config_conversion.go
index 78a2e5dd..f60ec485 100644
--- a/api/v1beta1/auth_config_conversion.go
+++ b/api/v1beta1/auth_config_conversion.go
@@ -2,6 +2,7 @@ package v1beta1
 import (
 "encoding/json"
+ "github.com/kuadrant/authorino/api/v1beta2"
 "github.com/kuadrant/authorino/pkg/utils"
 "github.com/tidwall/gjson"
diff --git a/api/v1beta2/auth_config_conversion_test.go b/api/v1beta1/auth_config_conversion_test.go
similarity index 99%
rename from api/v1beta2/auth_config_conversion_test.go
rename to api/v1beta1/auth_config_conversion_test.go
index 3bed4d10..f9c860a6 100644
--- a/api/v1beta2/auth_config_conversion_test.go
+++ b/api/v1beta1/auth_config_conversion_test.go
@@ -1,4 +1,4 @@
-package v1beta2
+package v1beta1
 import (
 "encoding/json"
@@ -7,12 +7,23 @@ import (
 "testing"
 "github.com/google/go-cmp/cmp"
- "github.com/kuadrant/authorino/api/v1beta1"
+ "github.com/kuadrant/authorino/api/v1beta2"
 )
 func TestConvertTo(t *testing.T) {
- converted := &v1beta1.AuthConfig{}
- authConfig().ConvertTo(converted)
+ converted := &v1beta2.AuthConfig{}
+ config := authConfig()
+ config.ConvertTo(converted)
+
+ expected := hubAuthConfig()
+ if !reflect.DeepEqual(expected, converted) {
+ t.Error(cmp.Diff(expected, converted))
+ }
+}
+
+func TestConvertFrom(t *testing.T) {
+ converted := &AuthConfig{}
+ converted.ConvertFrom(hubAuthConfig())
 sort.Slice(converted.Spec.Identity, func(i, j int) bool {
 return converted.Spec.Identity[i].Name < converted.Spec.Identity[j].Name
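Review bot: The rewritten tests discard the error returned by both conversion calls — `config.ConvertTo(converted)` and `converted.ConvertFrom(hubAuthConfig())` — so a conversion that fails part-way shows up only as a hard-to-read DeepEqual diff, or not at all if the partial result happens to match the fixture. Check and stop on it: `if err := config.ConvertTo(converted); err != nil { t.Fatal(err) }`, and the same for the ConvertFrom call. TestConvertFrom's body continues past the end of the hunk.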
@@ -48,23 +59,14 @@ func TestConvertTo(t *testing.T) { return converted.Spec.DenyWith.Unauthorized.Headers[i].Name < converted.Spec.DenyWith.Unauthorized.Headers[j].Name }) - expected := hubAuthConfig() - if !reflect.DeepEqual(expected, converted) { - t.Error(cmp.Diff(expected, converted)) - } -} - -func TestConvertFrom(t *testing.T) { - converted := &AuthConfig{} - converted.ConvertFrom(hubAuthConfig()) expected := authConfig() if !reflect.DeepEqual(expected, converted) { t.Error(cmp.Diff(expected, converted)) } } -func authConfig() *AuthConfig { - authConfig := &AuthConfig{} +func hubAuthConfig() *v1beta2.AuthConfig { + authConfig := &v1beta2.AuthConfig{} err := json.Unmarshal([]byte(` { "metadata": { @@ -477,8 +479,8 @@ func authConfig() *AuthConfig { return authConfig } -func hubAuthConfig() *v1beta1.AuthConfig { - authConfig := &v1beta1.AuthConfig{} +func authConfig() *AuthConfig { + authConfig := &AuthConfig{} err := json.Unmarshal([]byte(` { "metadata": { diff --git a/install/crd/authorino.kuadrant.io_authconfigs.yaml b/install/crd/authorino.kuadrant.io_authconfigs.yaml index 288a9a2b..800f877a 100644 --- a/install/crd/authorino.kuadrant.io_authconfigs.yaml +++ b/install/crd/authorino.kuadrant.io_authconfigs.yaml @@ -3,7 +3,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.9.0 + creationTimestamp: null name: authconfigs.authorino.kuadrant.io spec: group: authorino.kuadrant.io 
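Review bot: TestConvertFrom sorts only `converted.Spec.Identity` and `converted.Spec.DenyWith.Unauthorized.Headers` by name before the DeepEqual, while `expected := authConfig()` is compared exactly as decoded from the JSON fixture. The test therefore passes only as long as the fixture happens to list those entries in name order, a coupling nothing in the test states, and a reordered fixture would produce a spurious failure. Either sort `expected` with the same comparators, or add a comment on the `expected` line such as `// fixture entries are listed in name order; converted is sorted above to match`. The fixture bodies of authConfig and hubAuthConfig, including the `err` handling after json.Unmarshal, sit outside these hunks.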
@@ -54,19 +55,14 @@ spec: description: AuthConfig is the schema for Authorino's AuthConfig API properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -76,13 +72,13 @@ spec: service hosts. properties: authorization: - description: |- - Authorization is the list of authorization policies. - All policies in this list MUST evaluate to "true" for a request be successful in the authorization phase. + description: Authorization is the list of authorization policies. + All policies in this list MUST evaluate to "true" for a request + be successful in the authorization phase. items: - description: |- - Authorization policy to be enforced. - Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "opa", "json" or "kubernetes". + description: 'Authorization policy to be enforced. Apart from "name", + one of the following parameters is required and only one of the + following parameters is allowed: "opa", "json" or "kubernetes".' properties: authzed: description: Authzed authorization 
@@ -105,12 +101,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object 
@@ -131,12 +130,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -153,12 +157,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -197,12 +206,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -219,12 +233,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object @@ -233,14 +252,14 @@ spec: - endpoint type: object cache: - description: |- - Caching options for the policy evaluation results when enforcing this config. - Omit it to avoid caching policy evaluation results for this config. + description: Caching options for the policy evaluation results + when enforcing this config. Omit it to avoid caching policy + evaluation results for this config. properties: key: - description: |- - Key used to store the entry in the cache. - Cache entries from different metadata configs are stored and managed separately regardless of the key. + description: Key used to store the entry in the cache. Cache + entries from different metadata configs are stored and + managed separately regardless of the key. properties: value: description: Static value 
@@ -249,12 +268,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object @@ -289,9 +311,12 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to + the content fetched from the authorization JSON, + for comparison with "value". Possible values are: + "eq" (equal to), "neq" (not equal to), "incl" (includes; + for arrays), "excl" (excludes; for arrays), "matches" + (regex)' enum: - eq - neq 
@@ -303,14 +328,16 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input + authorization JSON built by Authorino along the + identity and metadata phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the value + must compile to a valid Golang regex. type: string type: object type: array @@ -318,8 +345,7 @@ spec: - rules type: object kubernetes: - description: |- - Kubernetes authorization policy based on `SubjectAccessReview` + description: Kubernetes authorization policy based on `SubjectAccessReview` Path and Verb are inferred from the request. properties: groups: @@ -328,9 +354,10 @@ spec: type: string type: array resourceAttributes: - description: |- - Use ResourceAttributes for checking permissions on Kubernetes resources - If omitted, it performs a non-resource `SubjectAccessReview`, with verb and path inferred from the request. + description: Use ResourceAttributes for checking permissions + on Kubernetes resources If omitted, it performs a non-resource + `SubjectAccessReview`, with verb and path inferred from + the request. properties: group: description: StaticOrDynamicValue is either a constant 
@@ -345,12 +372,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -367,12 +399,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -389,12 +426,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -411,12 +453,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -433,12 +480,17 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object 
@@ -455,20 +507,25 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from + the authorization JSON. It can be any path + pattern to fetch from the authorization JSON + (e.g. ''context.request.http.host'') or a + string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object type: object type: object user: - description: |- - User to test for. - If without "Groups", then is it interpreted as "What if User were not a member of any groups" + description: User to test for. If without "Groups", then + is it interpreted as "What if User were not a member of + any groups" properties: value: description: Static value 
@@ -477,12 +534,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object 
@@ -495,27 +555,30 @@ spec: individual observability metrics type: boolean name: - description: |- - Name of the authorization policy. - It can be used to refer to the resolved authorization object in other configs. + description: Name of the authorization policy. It can be used + to refer to the resolved authorization object in other configs. type: string opa: description: Open Policy Agent (OPA) authorization policy. properties: allValues: default: false - description: |- - Returns the value of all Rego rules in the virtual document. Values can be read in subsequent evaluators/phases of the Auth Pipeline. - Otherwise, only the default `allow` rule will be exposed. - Returning all Rego rules can affect performance of OPA policies during reconciliation (policy precompile) and at runtime. + description: Returns the value of all Rego rules in the + virtual document. Values can be read in subsequent evaluators/phases + of the Auth Pipeline. Otherwise, only the default `allow` + rule will be exposed. Returning all Rego rules can affect + performance of OPA policies during reconciliation (policy + precompile) and at runtime. type: boolean externalRegistry: description: External registry of OPA policies. properties: credentials: - description: |- - Defines where client credentials will be passed in the request to the service. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + description: Defines where client credentials will be + passed in the request to the service. If omitted, + it defaults to client credentials passed in the HTTP + Authorization header and the "Bearer" prefix expected + prepended to the secret value. properties: in: default: authorization_header 
@@ -529,24 +592,32 @@ spec: - cookie type: string keySelector: - description: |- - Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). - When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. + description: Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value + is the prefix of the client credentials string, + separated by a white-space, in the HTTP Authorization + header (e.g. "Bearer", "Basic"). When used with + `custom_header`, `query` or `cookie`, the value + is the name of the HTTP header, query string parameter + or cookie key, respectively. type: string required: - keySelector type: object endpoint: - description: |- - Endpoint of the HTTP external registry. - The endpoint must respond with either plain/text or application/json content-type. - In the latter case, the JSON returned in the body must include a path `result.raw`, where the raw Rego policy will be extracted from. This complies with the specification of the OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy). + description: Endpoint of the HTTP external registry. + The endpoint must respond with either plain/text or + application/json content-type. In the latter case, + the JSON returned in the body must include a path + `result.raw`, where the raw Rego policy will be extracted + from. This complies with the specification of the + OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy). type: string sharedSecretRef: - description: |- - Reference to a Secret key whose value will be passed by Authorino in the request. - The HTTP service can use the shared secret to authenticate the origin of the request. 
+ description: Reference to a Secret key whose value will + be passed by Authorino in the request. The HTTP service + can use the shared secret to authenticate the origin + of the request. properties: key: description: The key of the secret to select from. Must @@ -566,23 +637,24 @@ spec: type: integer type: object inlineRego: - description: |- - Authorization policy as a Rego language document. - The Rego document must include the "allow" condition, set by Authorino to "false" by default (i.e. requests are unauthorized unless changed). - The Rego document must NOT include the "package" declaration in line 1. + description: Authorization policy as a Rego language document. + The Rego document must include the "allow" condition, + set by Authorino to "false" by default (i.e. requests + are unauthorized unless changed). The Rego document must + NOT include the "package" declaration in line 1. type: string type: object priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. type: integer when: - description: |- - Conditions for Authorino to enforce this authorization policy. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this authorization + policy. If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to be + enforced; otherwise, the config will be skipped. items: properties: all: 
@@ -600,9 +672,11 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq @@ -614,14 +688,16 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. type: string type: object type: array 
@@ -630,9 +706,8 @@ spec: type: object type: array callbacks: - description: |- - List of callback configs. - Authorino sends callbacks to specified endpoints at the end of the auth pipeline. + description: List of callback configs. Authorino sends callbacks to + specified endpoints at the end of the auth pipeline. items: description: Endpoints to callback at the end of each auth pipeline. properties: @@ -641,10 +716,10 @@ spec: metadata from a HTTP service. properties: body: - description: |- - Raw body of the HTTP request. - Supersedes 'bodyParameters'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Raw body of the HTTP request. Supersedes 'bodyParameters'; + use either one or the other. Use it with method=POST; + for GET requests, set parameters as query string in the + 'endpoint' (placeholders can be used). properties: value: description: Static value 
@@ -653,20 +728,24 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object bodyParameters: - description: |- - Custom parameters to encode in the body of the HTTP request. - Superseded by 'body'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Custom parameters to encode in the body of + the HTTP request. Superseded by 'body'; use either one + or the other. Use it with method=POST; for GET requests, + set parameters as query string in the 'endpoint' (placeholders + can be used). items: properties: name: 
@@ -679,12 +758,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: 
@@ -693,17 +776,20 @@ spec: type: array contentType: default: application/x-www-form-urlencoded - description: |- - Content-Type of the request body. Shapes how 'bodyParameters' are encoded. - Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + description: Content-Type of the request body. Shapes how + 'bodyParameters' are encoded. Use it with method=POST; + for GET requests, Content-Type is automatically set to + 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: - description: |- - Defines where client credentials will be passed in the request to the service. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + description: Defines where client credentials will be passed + in the request to the service. If omitted, it defaults + to client credentials passed in the HTTP Authorization + header and the "Bearer" prefix expected prepended to the + secret value. properties: in: default: authorization_header 
@@ -717,20 +803,23 @@ spec: - cookie type: string keySelector: - description: |- - Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). - When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. + description: Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is + the prefix of the client credentials string, separated + by a white-space, in the HTTP Authorization header + (e.g. "Bearer", "Basic"). When used with `custom_header`, + `query` or `cookie`, the value is the name of the + HTTP header, query string parameter or cookie key, + respectively. type: string required: - keySelector type: object endpoint: - description: |- - Endpoint of the HTTP service. - The endpoint accepts variable placeholders in the format "{selector}", where "selector" is any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. - E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} + description: Endpoint of the HTTP service. The endpoint + accepts variable placeholders in the format "{selector}", + where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} type: string headers: description: Custom headers in the HTTP request. 
@@ -746,12 +835,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: @@ -760,9 +853,10 @@ spec: type: array method: default: GET - description: |- - HTTP verb used in the request to the service. Accepted values: GET (default), POST. - When the request method is POST, the authorization JSON is passed in the body of the request. + description: 'HTTP verb used in the request to the service. + Accepted values: GET (default), POST. When the request + method is POST, the authorization JSON is passed in the + body of the request.' enum: - GET - POST 
@@ -773,9 +867,9 @@ spec: properties: cache: default: true - description: |- - Caches and reuses the token until expired. - Set it to false to force fetch the token at every authorization request regardless of expiration. + description: Caches and reuses the token until expired. + Set it to false to force fetch the token at every + authorization request regardless of expiration. type: boolean clientId: description: OAuth2 Client ID. @@ -818,10 +912,10 @@ spec: - tokenUrl type: object sharedSecretRef: - description: |- - Reference to a Secret key whose value will be passed by Authorino in the request. - The HTTP service can use the shared secret to authenticate the origin of the request. - Ignored if used together with oauth2. + description: Reference to a Secret key whose value will + be passed by Authorino in the request. The HTTP service + can use the shared secret to authenticate the origin of + the request. Ignored if used together with oauth2. properties: key: description: The key of the secret to select from. Must 
@@ -844,21 +938,20 @@ spec: observability metrics type: boolean name: - description: |- - Name of the callback. - It can be used to refer to the resolved callback response in other configs. + description: Name of the callback. It can be used to refer to + the resolved callback response in other configs. type: string priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. type: integer when: - description: |- - Conditions for Authorino to perform this callback. + description: Conditions for Authorino to perform this callback. If omitted, the callback will be attempted for all requests. - If present, all conditions must match for the callback to be attempted; otherwise, the callback will be skipped. + If present, all conditions must match for the callback to + be attempted; otherwise, the callback will be skipped. items: properties: all: @@ -876,9 +969,11 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq 
@@ -890,14 +985,16 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. type: string type: object type: array 
@@ -924,12 +1021,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object 
@@ -955,12 +1055,15 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object required: 
@@ -977,12 +1080,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object 
@@ -1001,12 +1107,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object 
@@ -1032,12 +1141,15 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object required: 
@@ -1054,32 +1166,37 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object type: object type: object hosts: - description: |- - The list of public host names of the services protected by this authentication/authorization scheme. - Authorino uses the requested host to lookup for the corresponding authentication/authorization configs to enforce. + description: The list of public host names of the services protected + by this authentication/authorization scheme. Authorino uses the + requested host to lookup for the corresponding authentication/authorization + configs to enforce. items: type: string type: array identity: - description: |- - List of identity sources/authentication modes. - At least one config of this list MUST evaluate to a valid identity for a request to be successful in the identity verification phase. + description: List of identity sources/authentication modes. 
At least + one config of this list MUST evaluate to a valid identity for a + request to be successful in the identity verification phase. items: - description: |- - The identity source/authentication mode config. - Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "oicd", "apiKey" or "kubernetes". + description: 'The identity source/authentication mode config. Apart + from "name", one of the following parameters is required and only + one of the following parameters is allowed: "oicd", "apiKey" or + "kubernetes".' properties: anonymous: type: object @@ -1087,9 +1204,10 @@ spec: properties: allNamespaces: default: false - description: |- - Whether Authorino should look for API key secrets in all namespaces or only in the same namespace as the AuthConfig. - Enabling this option in namespaced Authorino instances has no effect. + description: Whether Authorino should look for API key secrets + in all namespaces or only in the same namespace as the + AuthConfig. Enabling this option in namespaced Authorino + instances has no effect. type: boolean selector: description: Label selector used by Authorino to match secrets @@ -1100,8 +1218,8 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates the key and values. properties: key: 
@@ -1109,16 +1227,17 @@ spec: applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -1130,25 +1249,25 @@ spec: matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object - x-kubernetes-map-type: atomic required: - selector type: object cache: - description: |- - Caching options for the identity resolved when applying this config. - Omit it to avoid caching identity objects for this config. + description: Caching options for the identity resolved when + applying this config. Omit it to avoid caching identity objects + for this config. properties: key: - description: |- - Key used to store the entry in the cache. - Cache entries from different metadata configs are stored and managed separately regardless of the key. + description: Key used to store the entry in the cache. Cache + entries from different metadata configs are stored and + managed separately regardless of the key. properties: value: description: Static value 
@@ -1157,12 +1276,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object @@ -1175,9 +1297,11 @@ spec: - key type: object credentials: - description: |- - Defines where client credentials are required to be passed in the request for this identity source/authentication mode. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the credentials value (token, API key, etc). + description: Defines where client credentials are required to + be passed in the request for this identity source/authentication + mode. If omitted, it defaults to client credentials passed + in the HTTP Authorization header and the "Bearer" prefix expected + prepended to the credentials value (token, API key, etc). properties: in: default: authorization_header 
@@ -1191,18 +1315,23 @@ spec: - cookie type: string keySelector: - description: |- - Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). - When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. + description: Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is the + prefix of the client credentials string, separated by + a white-space, in the HTTP Authorization header (e.g. + "Bearer", "Basic"). When used with `custom_header`, `query` + or `cookie`, the value is the name of the HTTP header, + query string parameter or cookie key, respectively. type: string required: - keySelector type: object extendedProperties: - description: |- - Extends the resolved identity object with additional custom properties before appending to the authorization JSON. - It requires the resolved identity object to always be of the JSON type 'object'. Other JSON types (array, string, etc) will break. + description: Extends the resolved identity object with additional + custom properties before appending to the authorization JSON. + It requires the resolved identity object to always be of the + JSON type 'object'. Other JSON types (array, string, etc) + will break. items: properties: name: 
@@ -1220,12 +1349,15 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object required: @@ -1235,9 +1367,11 @@ spec: kubernetes: properties: audiences: - description: |- - The list of audiences (scopes) that must be claimed in a Kubernetes authentication token supplied in the request, and reviewed by Authorino. - If omitted, Authorino will review tokens expecting the host name of the requested protected service amongst the audiences. + description: The list of audiences (scopes) that must be + claimed in a Kubernetes authentication token supplied + in the request, and reviewed by Authorino. If omitted, + Authorino will review tokens expecting the host name of + the requested protected service amongst the audiences. items: type: string type: array 
@@ -1251,9 +1385,10 @@ spec: properties: allNamespaces: default: false - description: |- - Whether Authorino should look for TLS secrets in all namespaces or only in the same namespace as the AuthConfig. - Enabling this option in namespaced Authorino instances has no effect. + description: Whether Authorino should look for TLS secrets + in all namespaces or only in the same namespace as the + AuthConfig. Enabling this option in namespaced Authorino + instances has no effect. type: boolean selector: description: Label selector used by Authorino to match secrets @@ -1264,8 +1399,8 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates the key and values. properties: key: @@ -1273,16 +1408,17 @@ spec: applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -1294,21 +1430,21 @@ spec: matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object - x-kubernetes-map-type: atomic required: - selector type: object name: - description: |- - The name of this identity source/authentication mode. - It usually identifies a source of identities or group of users/clients of the protected service. - It can be used to refer to the resolved identity object in other configs. + description: The name of this identity source/authentication + mode. It usually identifies a source of identities or group + of users/clients of the protected service. It can be used + to refer to the resolved identity object in other configs. type: string oauth2: properties: 
@@ -1318,19 +1454,15 @@ spec: server. properties: name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object - x-kubernetes-map-type: atomic tokenIntrospectionUrl: description: The full URL of the token introspection endpoint. type: string tokenTypeHint: - description: |- - The token type hint for the token introspection. + description: The token type hint for the token introspection. If omitted, it defaults to "access_token". type: string required: @@ -1340,10 +1472,14 @@ spec: oidc: properties: endpoint: - description: |- - Endpoint of the OIDC issuer. - Authorino will append to this value the well-known path to the OpenID Connect discovery endpoint (i.e. "/.well-known/openid-configuration"), used to automatically discover the OpenID Connect configuration, whose set of claims is expected to include (among others) the "jkws_uri" claim. - The value must coincide with the value of the "iss" (issuer) claim of the discovered OpenID Connect configuration. + description: Endpoint of the OIDC issuer. Authorino will + append to this value the well-known path to the OpenID + Connect discovery endpoint (i.e. "/.well-known/openid-configuration"), + used to automatically discover the OpenID Connect configuration, + whose set of claims is expected to include (among others) + the "jkws_uri" claim. The value must coincide with the + value of the "iss" (issuer) claim of the discovered OpenID + Connect configuration. type: string ttl: description: Decides how long to wait before refreshing 
@@ -1355,25 +1491,28 @@ spec: plain: properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the authorization + JSON (e.g. ''context.request.http.host'') or a string + template with variable placeholders that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). Any patterns supported + by https://pkg.go.dev/github.com/tidwall/gjson can be + used. The following string modifiers are available: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string type: object priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. type: integer when: - description: |- - Conditions for Authorino to enforce this identity config. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this identity + config. If omitted, the config will be enforced for all requests. 
+ If present, all conditions must match for the config to be + enforced; otherwise, the config will be skipped. items: properties: all: @@ -1391,9 +1530,11 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq @@ -1405,14 +1546,16 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. type: string type: object type: array 
@@ -1421,23 +1564,22 @@ spec: type: object type: array metadata: - description: |- - List of metadata source configs. - Authorino fetches JSON content from sources on this list on every request. + description: List of metadata source configs. Authorino fetches JSON + content from sources on this list on every request. items: - description: |- - The metadata config. - Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "http", userInfo" or "uma". + description: 'The metadata config. Apart from "name", one of the + following parameters is required and only one of the following + parameters is allowed: "http", userInfo" or "uma".' properties: cache: - description: |- - Caching options for the external metadata fetched when applying this config. - Omit it to avoid caching metadata from this source. + description: Caching options for the external metadata fetched + when applying this config. Omit it to avoid caching metadata + from this source. properties: key: - description: |- - Key used to store the entry in the cache. - Cache entries from different metadata configs are stored and managed separately regardless of the key. + description: Key used to store the entry in the cache. Cache + entries from different metadata configs are stored and + managed separately regardless of the key. properties: value: description: Static value 
@@ -1446,12 +1588,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object @@ -1468,10 +1613,10 @@ spec: metadata from a HTTP service. properties: body: - description: |- - Raw body of the HTTP request. - Supersedes 'bodyParameters'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Raw body of the HTTP request. Supersedes 'bodyParameters'; + use either one or the other. Use it with method=POST; + for GET requests, set parameters as query string in the + 'endpoint' (placeholders can be used). properties: value: description: Static value 
@@ -1480,20 +1625,24 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object bodyParameters: - description: |- - Custom parameters to encode in the body of the HTTP request. - Superseded by 'body'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Custom parameters to encode in the body of + the HTTP request. Superseded by 'body'; use either one + or the other. Use it with method=POST; for GET requests, + set parameters as query string in the 'endpoint' (placeholders + can be used). items: properties: name: 
@@ -1506,12 +1655,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: 
@@ -1520,17 +1673,20 @@ spec: type: array contentType: default: application/x-www-form-urlencoded - description: |- - Content-Type of the request body. Shapes how 'bodyParameters' are encoded. - Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + description: Content-Type of the request body. Shapes how + 'bodyParameters' are encoded. Use it with method=POST; + for GET requests, Content-Type is automatically set to + 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: - description: |- - Defines where client credentials will be passed in the request to the service. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + description: Defines where client credentials will be passed + in the request to the service. If omitted, it defaults + to client credentials passed in the HTTP Authorization + header and the "Bearer" prefix expected prepended to the + secret value. properties: in: default: authorization_header 
@@ -1544,20 +1700,23 @@ spec: - cookie type: string keySelector: - description: |- - Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). - When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. + description: Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is + the prefix of the client credentials string, separated + by a white-space, in the HTTP Authorization header + (e.g. "Bearer", "Basic"). When used with `custom_header`, + `query` or `cookie`, the value is the name of the + HTTP header, query string parameter or cookie key, + respectively. type: string required: - keySelector type: object endpoint: - description: |- - Endpoint of the HTTP service. - The endpoint accepts variable placeholders in the format "{selector}", where "selector" is any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. - E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} + description: Endpoint of the HTTP service. The endpoint + accepts variable placeholders in the format "{selector}", + where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} type: string headers: description: Custom headers in the HTTP request. 
@@ -1573,12 +1732,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: @@ -1587,9 +1750,10 @@ spec: type: array method: default: GET - description: |- - HTTP verb used in the request to the service. Accepted values: GET (default), POST. - When the request method is POST, the authorization JSON is passed in the body of the request. + description: 'HTTP verb used in the request to the service. + Accepted values: GET (default), POST. When the request + method is POST, the authorization JSON is passed in the + body of the request.' enum: - GET - POST 
@@ -1600,9 +1764,9 @@ spec: properties: cache: default: true - description: |- - Caches and reuses the token until expired. - Set it to false to force fetch the token at every authorization request regardless of expiration. + description: Caches and reuses the token until expired. + Set it to false to force fetch the token at every + authorization request regardless of expiration. type: boolean clientId: description: OAuth2 Client ID. @@ -1645,10 +1809,10 @@ spec: - tokenUrl type: object sharedSecretRef: - description: |- - Reference to a Secret key whose value will be passed by Authorino in the request. - The HTTP service can use the shared secret to authenticate the origin of the request. - Ignored if used together with oauth2. + description: Reference to a Secret key whose value will + be passed by Authorino in the request. The HTTP service + can use the shared secret to authenticate the origin of + the request. Ignored if used together with oauth2. properties: key: description: The key of the secret to select from. Must @@ -1671,15 +1835,14 @@ spec: observability metrics type: boolean name: - description: |- - The name of the metadata source. - It can be used to refer to the resolved metadata object in other configs. + description: The name of the metadata source. It can be used + to refer to the resolved metadata object in other configs. type: string priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. type: integer uma: description: User-Managed Access (UMA) source of resource data. 
@@ -1690,17 +1853,14 @@ spec: registration API of the UMA server. properties: name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object - x-kubernetes-map-type: atomic endpoint: - description: |- - The endpoint of the UMA server. - The value must coincide with the "issuer" claim of the UMA config discovered from the well-known uma configuration endpoint. + description: The endpoint of the UMA server. The value must + coincide with the "issuer" claim of the UMA config discovered + from the well-known uma configuration endpoint. type: string required: - credentialsRef @@ -1719,10 +1879,10 @@ spec: - identitySource type: object when: - description: |- - Conditions for Authorino to apply this metadata config. - If omitted, the config will be applied for all requests. - If present, all conditions must match for the config to be applied; otherwise, the config will be skipped. + description: Conditions for Authorino to apply this metadata + config. If omitted, the config will be applied for all requests. + If present, all conditions must match for the config to be + applied; otherwise, the config will be skipped. items: properties: all: 
@@ -1740,9 +1900,11 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq @@ -1754,14 +1916,16 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. type: string type: object type: array 
@@ -1774,9 +1938,11 @@ spec: items: properties: operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the content + fetched from the authorization JSON, for comparison with + "value". Possible values are: "eq" (equal to), "neq" (not + equal to), "incl" (includes; for arrays), "excl" (excludes; + for arrays), "matches" (regex)' enum: - eq - neq @@ -1785,14 +1951,16 @@ spec: - matches type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison with + the content fetched from the authorization JSON. If used + with the "matches" operator, the value must compile to a + valid Golang regex. type: string type: object type: array 
@@ -1800,23 +1968,22 @@ spec: conditionals and in JSON-pattern matching policy rules. type: object response: - description: |- - List of response configs. - Authorino gathers data from the auth pipeline to build custom responses for the client. + description: List of response configs. Authorino gathers data from + the auth pipeline to build custom responses for the client. items: - description: |- - Dynamic response to return to the client. - Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "wristband" or "json". + description: 'Dynamic response to return to the client. Apart from + "name", one of the following parameters is required and only one + of the following parameters is allowed: "wristband" or "json".' properties: cache: - description: |- - Caching options for dynamic responses built when applying this config. - Omit it to avoid caching dynamic responses for this config. + description: Caching options for dynamic responses built when + applying this config. Omit it to avoid caching dynamic responses + for this config. properties: key: - description: |- - Key used to store the entry in the cache. - Cache entries from different metadata configs are stored and managed separately regardless of the key. + description: Key used to store the entry in the cache. Cache + entries from different metadata configs are stored and + managed separately regardless of the key. properties: value: description: Static value 
@@ -1825,12 +1992,15 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are + available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object 
@@ -1859,12 +2029,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: @@ -1880,9 +2054,8 @@ spec: observability metrics type: boolean name: - description: |- - Name of the custom response. - It can be used to refer to the resolved response object in other configs. + description: Name of the custom response. It can be used to + refer to the resolved response object in other configs. type: string plain: description: StaticOrDynamicValue is either a constant static 
@@ -1896,26 +2069,29 @@ spec: description: Dynamic value properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the authorization + JSON. It can be any path pattern to fetch from the + authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders that + resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers are available: + @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs in the + same priority group are evaluated concurrently; consecutive + priority groups are evaluated sequentially. type: integer when: - description: |- - Conditions for Authorino to enforce this custom response config. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this custom + response config. If omitted, the config will be enforced for + all requests. 
If present, all conditions must match for the + config to be enforced; otherwise, the config will be skipped. items: properties: all: @@ -1933,9 +2109,11 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq 
@@ -1947,30 +2125,32 @@ spec: description: Name of a named pattern type: string selector: - description: |- - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. + description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization + JSON built by Authorino along the identity and metadata + phases. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. type: string type: object type: array wrapper: default: httpHeader - description: |- - How Authorino wraps the response. - Use "httpHeader" (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" to wrap the response as Envoy Dynamic Metadata + description: How Authorino wraps the response. Use "httpHeader" + (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" + to wrap the response as Envoy Dynamic Metadata enum: - httpHeader - envoyDynamicMetadata type: string wrapperKey: - description: |- - The name of key used in the wrapped response (name of the HTTP header or property of the Envoy Dynamic Metadata JSON). - If omitted, it will be set to the name of the configuration. + description: The name of key used in the wrapped response (name + of the HTTP header or property of the Envoy Dynamic Metadata + JSON). If omitted, it will be set to the name of the configuration. type: string wristband: properties: 
@@ -1990,12 +2170,16 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: |- - Selector to fetch a value from the authorization JSON. - It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') - or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Selector to fetch a value from the + authorization JSON. It can be any path pattern + to fetch from the authorization JSON (e.g. ''context.request.http.host'') + or a string template with variable placeholders + that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following string modifiers + are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and + @strip.' type: string type: object required: @@ -2008,9 +2192,10 @@ spec: where = / = / = / = / = / = / Date: Mon, 26 Aug 2024 15:24:43 -0400 Subject: [PATCH 12/31] Newer manifests Signed-off-by: Alex Snaps --- .../authorino.kuadrant.io_authconfigs.yaml | 2780 +++++++---------- install/manifests.yaml | 2780 +++++++---------- install/rbac/role.yaml | 1 - 3 files changed, 2350 insertions(+), 3211 deletions(-) diff --git a/install/crd/authorino.kuadrant.io_authconfigs.yaml b/install/crd/authorino.kuadrant.io_authconfigs.yaml index 800f877a..288a9a2b 100644 --- a/install/crd/authorino.kuadrant.io_authconfigs.yaml +++ b/install/crd/authorino.kuadrant.io_authconfigs.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.9.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.15.0 name: authconfigs.authorino.kuadrant.io spec: group: authorino.kuadrant.io @@ -55,14 +54,19 @@ spec: description: AuthConfig is the schema for Authorino's AuthConfig API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -72,13 +76,13 @@ spec: service hosts. properties: authorization: - description: Authorization is the list of authorization policies. - All policies in this list MUST evaluate to "true" for a request - be successful in the authorization phase. + description: |- + Authorization is the list of authorization policies. + All policies in this list MUST evaluate to "true" for a request be successful in the authorization phase. items: - description: 'Authorization policy to be enforced. Apart from "name", - one of the following parameters is required and only one of the - following parameters is allowed: "opa", "json" or "kubernetes".' + description: |- + Authorization policy to be enforced. + Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "opa", "json" or "kubernetes". properties: authzed: description: Authzed authorization 
@@ -101,15 +105,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -130,17 +131,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -157,17 +153,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -206,17 +197,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -233,17 +219,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object @@ -252,14 +233,14 @@ spec: - endpoint type: object cache: - description: Caching options for the policy evaluation results - when enforcing this config. Omit it to avoid caching policy - evaluation results for this config. + description: |- + Caching options for the policy evaluation results when enforcing this config. + Omit it to avoid caching policy evaluation results for this config. properties: key: - description: Key used to store the entry in the cache. Cache - entries from different metadata configs are stored and - managed separately regardless of the key. + description: |- + Key used to store the entry in the cache. + Cache entries from different metadata configs are stored and managed separately regardless of the key. properties: value: description: Static value 
@@ -268,15 +249,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object @@ -311,12 +289,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied to - the content fetched from the authorization JSON, - for comparison with "value". Possible values are: - "eq" (equal to), "neq" (not equal to), "incl" (includes; - for arrays), "excl" (excludes; for arrays), "matches" - (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq 
@@ -328,16 +303,14 @@ spec: description: Name of a named pattern type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input - authorization JSON built by Authorino along the - identity and metadata phases. + description: |- + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization - JSON. If used with the "matches" operator, the value - must compile to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array @@ -345,7 +318,8 @@ spec: - rules type: object kubernetes: - description: Kubernetes authorization policy based on `SubjectAccessReview` + description: |- + Kubernetes authorization policy based on `SubjectAccessReview` Path and Verb are inferred from the request. properties: groups: @@ -354,10 +328,9 @@ spec: type: string type: array resourceAttributes: - description: Use ResourceAttributes for checking permissions - on Kubernetes resources If omitted, it performs a non-resource - `SubjectAccessReview`, with verb and path inferred from - the request. + description: |- + Use ResourceAttributes for checking permissions on Kubernetes resources + If omitted, it performs a non-resource `SubjectAccessReview`, with verb and path inferred from the request. properties: group: description: StaticOrDynamicValue is either a constant 
@@ -372,17 +345,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -399,17 +367,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -426,17 +389,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -453,17 +411,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -480,17 +433,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -507,25 +455,20 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from - the authorization JSON. It can be any path - pattern to fetch from the authorization JSON - (e.g. ''context.request.http.host'') or a - string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object type: object user: - description: User to test for. If without "Groups", then - is it interpreted as "What if User were not a member of - any groups" + description: |- + User to test for. + If without "Groups", then is it interpreted as "What if User were not a member of any groups" properties: value: description: Static value 
@@ -534,15 +477,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -555,30 +495,27 @@ spec: individual observability metrics type: boolean name: - description: Name of the authorization policy. It can be used - to refer to the resolved authorization object in other configs. + description: |- + Name of the authorization policy. + It can be used to refer to the resolved authorization object in other configs. type: string opa: description: Open Policy Agent (OPA) authorization policy. properties: allValues: default: false - description: Returns the value of all Rego rules in the - virtual document. Values can be read in subsequent evaluators/phases - of the Auth Pipeline. Otherwise, only the default `allow` - rule will be exposed. Returning all Rego rules can affect - performance of OPA policies during reconciliation (policy - precompile) and at runtime. + description: |- + Returns the value of all Rego rules in the virtual document. Values can be read in subsequent evaluators/phases of the Auth Pipeline. + Otherwise, only the default `allow` rule will be exposed. + Returning all Rego rules can affect performance of OPA policies during reconciliation (policy precompile) and at runtime. type: boolean externalRegistry: description: External registry of OPA policies. properties: credentials: - description: Defines where client credentials will be - passed in the request to the service. If omitted, - it defaults to client credentials passed in the HTTP - Authorization header and the "Bearer" prefix expected - prepended to the secret value. + description: |- + Defines where client credentials will be passed in the request to the service. + If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. properties: in: default: authorization_header 
@@ -592,32 +529,24 @@ spec: - cookie type: string keySelector: - description: Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value - is the prefix of the client credentials string, - separated by a white-space, in the HTTP Authorization - header (e.g. "Bearer", "Basic"). When used with - `custom_header`, `query` or `cookie`, the value - is the name of the HTTP header, query string parameter - or cookie key, respectively. + description: |- + Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). + When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. type: string required: - keySelector type: object endpoint: - description: Endpoint of the HTTP external registry. - The endpoint must respond with either plain/text or - application/json content-type. In the latter case, - the JSON returned in the body must include a path - `result.raw`, where the raw Rego policy will be extracted - from. This complies with the specification of the - OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy). + description: |- + Endpoint of the HTTP external registry. + The endpoint must respond with either plain/text or application/json content-type. + In the latter case, the JSON returned in the body must include a path `result.raw`, where the raw Rego policy will be extracted from. This complies with the specification of the OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy). type: string sharedSecretRef: - description: Reference to a Secret key whose value will - be passed by Authorino in the request. The HTTP service - can use the shared secret to authenticate the origin - of the request. 
+ description: |- + Reference to a Secret key whose value will be passed by Authorino in the request. + The HTTP service can use the shared secret to authenticate the origin of the request. properties: key: description: The key of the secret to select from. Must @@ -637,24 +566,23 @@ spec: type: integer type: object inlineRego: - description: Authorization policy as a Rego language document. - The Rego document must include the "allow" condition, - set by Authorino to "false" by default (i.e. requests - are unauthorized unless changed). The Rego document must - NOT include the "package" declaration in line 1. + description: |- + Authorization policy as a Rego language document. + The Rego document must include the "allow" condition, set by Authorino to "false" by default (i.e. requests are unauthorized unless changed). + The Rego document must NOT include the "package" declaration in line 1. type: string type: object priority: default: 0 - description: Priority group of the config. All configs in the - same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer when: - description: Conditions for Authorino to enforce this authorization - policy. If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be - enforced; otherwise, the config will be skipped. + description: |- + Conditions for Authorino to enforce this authorization policy. + If omitted, the config will be enforced for all requests. + If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. items: properties: all: 
@@ -672,11 +600,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied to the - content fetched from the authorization JSON, for comparison - with "value". Possible values are: "eq" (equal to), - "neq" (not equal to), "incl" (includes; for arrays), - "excl" (excludes; for arrays), "matches" (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq @@ -688,16 +614,14 @@ spec: description: Name of a named pattern type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. + description: |- + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must - compile to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array 
@@ -706,8 +630,9 @@ spec: type: object type: array callbacks: - description: List of callback configs. Authorino sends callbacks to - specified endpoints at the end of the auth pipeline. + description: |- + List of callback configs. + Authorino sends callbacks to specified endpoints at the end of the auth pipeline. items: description: Endpoints to callback at the end of each auth pipeline. properties: @@ -716,10 +641,10 @@ spec: metadata from a HTTP service. properties: body: - description: Raw body of the HTTP request. Supersedes 'bodyParameters'; - use either one or the other. Use it with method=POST; - for GET requests, set parameters as query string in the - 'endpoint' (placeholders can be used). + description: |- + Raw body of the HTTP request. + Supersedes 'bodyParameters'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: value: description: Static value 
@@ -728,24 +653,20 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object bodyParameters: - description: Custom parameters to encode in the body of - the HTTP request. Superseded by 'body'; use either one - or the other. Use it with method=POST; for GET requests, - set parameters as query string in the 'endpoint' (placeholders - can be used). + description: |- + Custom parameters to encode in the body of the HTTP request. + Superseded by 'body'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). items: properties: name: 
@@ -758,16 +679,12 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object required: 
@@ -776,20 +693,17 @@ spec: type: array contentType: default: application/x-www-form-urlencoded - description: Content-Type of the request body. Shapes how - 'bodyParameters' are encoded. Use it with method=POST; - for GET requests, Content-Type is automatically set to - 'text/plain'. + description: |- + Content-Type of the request body. Shapes how 'bodyParameters' are encoded. + Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: - description: Defines where client credentials will be passed - in the request to the service. If omitted, it defaults - to client credentials passed in the HTTP Authorization - header and the "Bearer" prefix expected prepended to the - secret value. + description: |- + Defines where client credentials will be passed in the request to the service. + If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. properties: in: default: authorization_header 
@@ -803,23 +717,20 @@ spec: - cookie type: string keySelector: - description: Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is - the prefix of the client credentials string, separated - by a white-space, in the HTTP Authorization header - (e.g. "Bearer", "Basic"). When used with `custom_header`, - `query` or `cookie`, the value is the name of the - HTTP header, query string parameter or cookie key, - respectively. + description: |- + Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). + When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. type: string required: - keySelector type: object endpoint: - description: Endpoint of the HTTP service. The endpoint - accepts variable placeholders in the format "{selector}", - where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} + description: |- + Endpoint of the HTTP service. + The endpoint accepts variable placeholders in the format "{selector}", where "selector" is any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} type: string headers: description: Custom headers in the HTTP request. 
@@ -835,16 +746,12 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object required: @@ -853,10 +760,9 @@ spec: type: array method: default: GET - description: 'HTTP verb used in the request to the service. - Accepted values: GET (default), POST. When the request - method is POST, the authorization JSON is passed in the - body of the request.' + description: |- + HTTP verb used in the request to the service. Accepted values: GET (default), POST. + When the request method is POST, the authorization JSON is passed in the body of the request. enum: - GET - POST 
@@ -867,9 +773,9 @@ spec: properties: cache: default: true - description: Caches and reuses the token until expired. - Set it to false to force fetch the token at every - authorization request regardless of expiration. + description: |- + Caches and reuses the token until expired. + Set it to false to force fetch the token at every authorization request regardless of expiration. type: boolean clientId: description: OAuth2 Client ID. @@ -912,10 +818,10 @@ spec: - tokenUrl type: object sharedSecretRef: - description: Reference to a Secret key whose value will - be passed by Authorino in the request. The HTTP service - can use the shared secret to authenticate the origin of - the request. Ignored if used together with oauth2. + description: |- + Reference to a Secret key whose value will be passed by Authorino in the request. + The HTTP service can use the shared secret to authenticate the origin of the request. + Ignored if used together with oauth2. properties: key: description: The key of the secret to select from. Must 
@@ -938,20 +844,21 @@ spec: observability metrics type: boolean name: - description: Name of the callback. It can be used to refer to - the resolved callback response in other configs. + description: |- + Name of the callback. + It can be used to refer to the resolved callback response in other configs. type: string priority: default: 0 - description: Priority group of the config. All configs in the - same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer when: - description: Conditions for Authorino to perform this callback. + description: |- + Conditions for Authorino to perform this callback. If omitted, the callback will be attempted for all requests. - If present, all conditions must match for the callback to - be attempted; otherwise, the callback will be skipped. + If present, all conditions must match for the callback to be attempted; otherwise, the callback will be skipped. items: properties: all: @@ -969,11 +876,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied to the - content fetched from the authorization JSON, for comparison - with "value". Possible values are: "eq" (equal to), - "neq" (not equal to), "incl" (includes; for arrays), - "excl" (excludes; for arrays), "matches" (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq 
@@ -985,16 +890,14 @@ spec: description: Name of a named pattern type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. + description: |- + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must - compile to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array 
@@ -1021,15 +924,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the - authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -1055,15 +955,12 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object required: 
@@ -1080,15 +977,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the - authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -1107,15 +1001,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the - authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -1141,15 +1032,12 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object required: 
@@ -1166,37 +1054,32 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the - authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object type: object type: object hosts: - description: The list of public host names of the services protected - by this authentication/authorization scheme. Authorino uses the - requested host to lookup for the corresponding authentication/authorization - configs to enforce. + description: |- + The list of public host names of the services protected by this authentication/authorization scheme. + Authorino uses the requested host to lookup for the corresponding authentication/authorization configs to enforce. items: type: string type: array identity: - description: List of identity sources/authentication modes. At least - one config of this list MUST evaluate to a valid identity for a - request to be successful in the identity verification phase. + description: |- + List of identity sources/authentication modes. 
+ At least one config of this list MUST evaluate to a valid identity for a request to be successful in the identity verification phase. items: - description: 'The identity source/authentication mode config. Apart - from "name", one of the following parameters is required and only - one of the following parameters is allowed: "oicd", "apiKey" or - "kubernetes".' + description: |- + The identity source/authentication mode config. + Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "oicd", "apiKey" or "kubernetes". properties: anonymous: type: object @@ -1204,10 +1087,9 @@ spec: properties: allNamespaces: default: false - description: Whether Authorino should look for API key secrets - in all namespaces or only in the same namespace as the - AuthConfig. Enabling this option in namespaced Authorino - instances has no effect. + description: |- + Whether Authorino should look for API key secrets in all namespaces or only in the same namespace as the AuthConfig. + Enabling this option in namespaced Authorino instances has no effect. type: boolean selector: description: Label selector used by Authorino to match secrets @@ -1218,8 +1100,8 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: 
@@ -1227,17 +1109,16 @@ spec: applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, - NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists - or DoesNotExist, the values array must be empty. - This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1249,25 +1130,25 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field - is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic required: - selector type: object cache: - description: Caching options for the identity resolved when - applying this config. Omit it to avoid caching identity objects - for this config. + description: |- + Caching options for the identity resolved when applying this config. + Omit it to avoid caching identity objects for this config. properties: key: - description: Key used to store the entry in the cache. Cache - entries from different metadata configs are stored and - managed separately regardless of the key. + description: |- + Key used to store the entry in the cache. + Cache entries from different metadata configs are stored and managed separately regardless of the key. properties: value: description: Static value 
@@ -1276,15 +1157,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object @@ -1297,11 +1175,9 @@ spec: - key type: object credentials: - description: Defines where client credentials are required to - be passed in the request for this identity source/authentication - mode. If omitted, it defaults to client credentials passed - in the HTTP Authorization header and the "Bearer" prefix expected - prepended to the credentials value (token, API key, etc). + description: |- + Defines where client credentials are required to be passed in the request for this identity source/authentication mode. + If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the credentials value (token, API key, etc). properties: in: default: authorization_header 
@@ -1315,23 +1191,18 @@ spec: - cookie type: string keySelector: - description: Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is the - prefix of the client credentials string, separated by - a white-space, in the HTTP Authorization header (e.g. - "Bearer", "Basic"). When used with `custom_header`, `query` - or `cookie`, the value is the name of the HTTP header, - query string parameter or cookie key, respectively. + description: |- + Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). + When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. type: string required: - keySelector type: object extendedProperties: - description: Extends the resolved identity object with additional - custom properties before appending to the authorization JSON. - It requires the resolved identity object to always be of the - JSON type 'object'. Other JSON types (array, string, etc) - will break. + description: |- + Extends the resolved identity object with additional custom properties before appending to the authorization JSON. + It requires the resolved identity object to always be of the JSON type 'object'. Other JSON types (array, string, etc) will break. items: properties: name: 
@@ -1349,15 +1220,12 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the - authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object required: @@ -1367,11 +1235,9 @@ spec: kubernetes: properties: audiences: - description: The list of audiences (scopes) that must be - claimed in a Kubernetes authentication token supplied - in the request, and reviewed by Authorino. If omitted, - Authorino will review tokens expecting the host name of - the requested protected service amongst the audiences. + description: |- + The list of audiences (scopes) that must be claimed in a Kubernetes authentication token supplied in the request, and reviewed by Authorino. + If omitted, Authorino will review tokens expecting the host name of the requested protected service amongst the audiences. items: type: string type: array 
@@ -1385,10 +1251,9 @@ spec: properties: allNamespaces: default: false - description: Whether Authorino should look for TLS secrets - in all namespaces or only in the same namespace as the - AuthConfig. Enabling this option in namespaced Authorino - instances has no effect. + description: |- + Whether Authorino should look for TLS secrets in all namespaces or only in the same namespace as the AuthConfig. + Enabling this option in namespaced Authorino instances has no effect. type: boolean selector: description: Label selector used by Authorino to match secrets @@ -1399,8 +1264,8 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: @@ -1408,17 +1273,16 @@ spec: applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, - NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists - or DoesNotExist, the values array must be empty. - This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1430,21 +1294,21 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field - is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic required: - selector type: object name: - description: The name of this identity source/authentication - mode. It usually identifies a source of identities or group - of users/clients of the protected service. It can be used - to refer to the resolved identity object in other configs. + description: |- + The name of this identity source/authentication mode. + It usually identifies a source of identities or group of users/clients of the protected service. + It can be used to refer to the resolved identity object in other configs. type: string oauth2: properties: 
@@ -1454,15 +1318,19 @@ spec: server. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object + x-kubernetes-map-type: atomic tokenIntrospectionUrl: description: The full URL of the token introspection endpoint. type: string tokenTypeHint: - description: The token type hint for the token introspection. + description: |- + The token type hint for the token introspection. If omitted, it defaults to "access_token". type: string required: @@ -1472,14 +1340,10 @@ spec: oidc: properties: endpoint: - description: Endpoint of the OIDC issuer. Authorino will - append to this value the well-known path to the OpenID - Connect discovery endpoint (i.e. "/.well-known/openid-configuration"), - used to automatically discover the OpenID Connect configuration, - whose set of claims is expected to include (among others) - the "jkws_uri" claim. The value must coincide with the - value of the "iss" (issuer) claim of the discovered OpenID - Connect configuration. + description: |- + Endpoint of the OIDC issuer. + Authorino will append to this value the well-known path to the OpenID Connect discovery endpoint (i.e. "/.well-known/openid-configuration"), used to automatically discover the OpenID Connect configuration, whose set of claims is expected to include (among others) the "jkws_uri" claim. + The value must coincide with the value of the "iss" (issuer) claim of the discovered OpenID Connect configuration. type: string ttl: description: Decides how long to wait before refreshing 
@@ -1491,28 +1355,25 @@ spec: plain: properties: authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the authorization - JSON (e.g. ''context.request.http.host'') or a string - template with variable placeholders that resolve to patterns - (e.g. "Hello, {auth.identity.name}!"). Any patterns supported - by https://pkg.go.dev/github.com/tidwall/gjson can be - used. The following string modifiers are available: @extract:{sep:" - ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, - @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object priority: default: 0 - description: Priority group of the config. All configs in the - same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer when: - description: Conditions for Authorino to enforce this identity - config. If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be - enforced; otherwise, the config will be skipped. + description: |- + Conditions for Authorino to enforce this identity config. + If omitted, the config will be enforced for all requests. 
+ If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. items: properties: all: @@ -1530,11 +1391,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied to the - content fetched from the authorization JSON, for comparison - with "value". Possible values are: "eq" (equal to), - "neq" (not equal to), "incl" (includes; for arrays), - "excl" (excludes; for arrays), "matches" (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq @@ -1546,16 +1405,14 @@ spec: description: Name of a named pattern type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. + description: |- + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must - compile to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array 
@@ -1564,22 +1421,23 @@ spec: type: object type: array metadata: - description: List of metadata source configs. Authorino fetches JSON - content from sources on this list on every request. + description: |- + List of metadata source configs. + Authorino fetches JSON content from sources on this list on every request. items: - description: 'The metadata config. Apart from "name", one of the - following parameters is required and only one of the following - parameters is allowed: "http", userInfo" or "uma".' + description: |- + The metadata config. + Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "http", userInfo" or "uma". properties: cache: - description: Caching options for the external metadata fetched - when applying this config. Omit it to avoid caching metadata - from this source. + description: |- + Caching options for the external metadata fetched when applying this config. + Omit it to avoid caching metadata from this source. properties: key: - description: Key used to store the entry in the cache. Cache - entries from different metadata configs are stored and - managed separately regardless of the key. + description: |- + Key used to store the entry in the cache. + Cache entries from different metadata configs are stored and managed separately regardless of the key. properties: value: description: Static value 
@@ -1588,15 +1446,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object @@ -1613,10 +1468,10 @@ spec: metadata from a HTTP service. properties: body: - description: Raw body of the HTTP request. Supersedes 'bodyParameters'; - use either one or the other. Use it with method=POST; - for GET requests, set parameters as query string in the - 'endpoint' (placeholders can be used). + description: |- + Raw body of the HTTP request. + Supersedes 'bodyParameters'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: value: description: Static value 
@@ -1625,24 +1480,20 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object bodyParameters: - description: Custom parameters to encode in the body of - the HTTP request. Superseded by 'body'; use either one - or the other. Use it with method=POST; for GET requests, - set parameters as query string in the 'endpoint' (placeholders - can be used). + description: |- + Custom parameters to encode in the body of the HTTP request. + Superseded by 'body'; use either one or the other. + Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). items: properties: name: 
@@ -1655,16 +1506,12 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object required: 
@@ -1673,20 +1520,17 @@ spec: type: array contentType: default: application/x-www-form-urlencoded - description: Content-Type of the request body. Shapes how - 'bodyParameters' are encoded. Use it with method=POST; - for GET requests, Content-Type is automatically set to - 'text/plain'. + description: |- + Content-Type of the request body. Shapes how 'bodyParameters' are encoded. + Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: - description: Defines where client credentials will be passed - in the request to the service. If omitted, it defaults - to client credentials passed in the HTTP Authorization - header and the "Bearer" prefix expected prepended to the - secret value. + description: |- + Defines where client credentials will be passed in the request to the service. + If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. properties: in: default: authorization_header 
@@ -1700,23 +1544,20 @@ spec: - cookie type: string keySelector: - description: Used in conjunction with the `in` parameter. - When used with `authorization_header`, the value is - the prefix of the client credentials string, separated - by a white-space, in the HTTP Authorization header - (e.g. "Bearer", "Basic"). When used with `custom_header`, - `query` or `cookie`, the value is the name of the - HTTP header, query string parameter or cookie key, - respectively. + description: |- + Used in conjunction with the `in` parameter. + When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). + When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. type: string required: - keySelector type: object endpoint: - description: Endpoint of the HTTP service. The endpoint - accepts variable placeholders in the format "{selector}", - where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson - and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} + description: |- + Endpoint of the HTTP service. + The endpoint accepts variable placeholders in the format "{selector}", where "selector" is any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} type: string headers: description: Custom headers in the HTTP request. 
@@ -1732,16 +1573,12 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object required: @@ -1750,10 +1587,9 @@ spec: type: array method: default: GET - description: 'HTTP verb used in the request to the service. - Accepted values: GET (default), POST. When the request - method is POST, the authorization JSON is passed in the - body of the request.' + description: |- + HTTP verb used in the request to the service. Accepted values: GET (default), POST. + When the request method is POST, the authorization JSON is passed in the body of the request. enum: - GET - POST 
@@ -1764,9 +1600,9 @@ spec: properties: cache: default: true - description: Caches and reuses the token until expired. - Set it to false to force fetch the token at every - authorization request regardless of expiration. + description: |- + Caches and reuses the token until expired. + Set it to false to force fetch the token at every authorization request regardless of expiration. type: boolean clientId: description: OAuth2 Client ID. @@ -1809,10 +1645,10 @@ spec: - tokenUrl type: object sharedSecretRef: - description: Reference to a Secret key whose value will - be passed by Authorino in the request. The HTTP service - can use the shared secret to authenticate the origin of - the request. Ignored if used together with oauth2. + description: |- + Reference to a Secret key whose value will be passed by Authorino in the request. + The HTTP service can use the shared secret to authenticate the origin of the request. + Ignored if used together with oauth2. properties: key: description: The key of the secret to select from. Must @@ -1835,14 +1671,15 @@ spec: observability metrics type: boolean name: - description: The name of the metadata source. It can be used - to refer to the resolved metadata object in other configs. + description: |- + The name of the metadata source. + It can be used to refer to the resolved metadata object in other configs. type: string priority: default: 0 - description: Priority group of the config. All configs in the - same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer uma: description: User-Managed Access (UMA) source of resource data. 
@@ -1853,14 +1690,17 @@ spec: registration API of the UMA server. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object + x-kubernetes-map-type: atomic endpoint: - description: The endpoint of the UMA server. The value must - coincide with the "issuer" claim of the UMA config discovered - from the well-known uma configuration endpoint. + description: |- + The endpoint of the UMA server. + The value must coincide with the "issuer" claim of the UMA config discovered from the well-known uma configuration endpoint. type: string required: - credentialsRef @@ -1879,10 +1719,10 @@ spec: - identitySource type: object when: - description: Conditions for Authorino to apply this metadata - config. If omitted, the config will be applied for all requests. - If present, all conditions must match for the config to be - applied; otherwise, the config will be skipped. + description: |- + Conditions for Authorino to apply this metadata config. + If omitted, the config will be applied for all requests. + If present, all conditions must match for the config to be applied; otherwise, the config will be skipped. items: properties: all: 
@@ -1900,11 +1740,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied to the - content fetched from the authorization JSON, for comparison - with "value". Possible values are: "eq" (equal to), - "neq" (not equal to), "incl" (includes; for arrays), - "excl" (excludes; for arrays), "matches" (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq @@ -1916,16 +1754,14 @@ spec: description: Name of a named pattern type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. + description: |- + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must - compile to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array 
@@ -1938,11 +1774,9 @@ spec: items: properties: operator: - description: 'The binary operator to be applied to the content - fetched from the authorization JSON, for comparison with - "value". Possible values are: "eq" (equal to), "neq" (not - equal to), "incl" (includes; for arrays), "excl" (excludes; - for arrays), "matches" (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq @@ -1951,16 +1785,14 @@ spec: - matches type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. + description: |- + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: - description: The value of reference for the comparison with - the content fetched from the authorization JSON. If used - with the "matches" operator, the value must compile to a - valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array 
@@ -1968,22 +1800,23 @@ spec: conditionals and in JSON-pattern matching policy rules. type: object response: - description: List of response configs. Authorino gathers data from - the auth pipeline to build custom responses for the client. + description: |- + List of response configs. + Authorino gathers data from the auth pipeline to build custom responses for the client. items: - description: 'Dynamic response to return to the client. Apart from - "name", one of the following parameters is required and only one - of the following parameters is allowed: "wristband" or "json".' + description: |- + Dynamic response to return to the client. + Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "wristband" or "json". properties: cache: - description: Caching options for dynamic responses built when - applying this config. Omit it to avoid caching dynamic responses - for this config. + description: |- + Caching options for dynamic responses built when applying this config. + Omit it to avoid caching dynamic responses for this config. properties: key: - description: Key used to store the entry in the cache. Cache - entries from different metadata configs are stored and - managed separately regardless of the key. + description: |- + Key used to store the entry in the cache. + Cache entries from different metadata configs are stored and managed separately regardless of the key. properties: value: description: Static value 
@@ -1992,15 +1825,12 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are - available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object 
@@ -2029,16 +1859,12 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object required: @@ -2054,8 +1880,9 @@ spec: observability metrics type: boolean name: - description: Name of the custom response. It can be used to - refer to the resolved response object in other configs. + description: |- + Name of the custom response. + It can be used to refer to the resolved response object in other configs. type: string plain: description: StaticOrDynamicValue is either a constant static 
@@ -2069,29 +1896,26 @@ spec: description: Dynamic value properties: authJSON: - description: 'Selector to fetch a value from the authorization - JSON. It can be any path pattern to fetch from the - authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders that - resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers are available: - @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object type: object priority: default: 0 - description: Priority group of the config. All configs in the - same priority group are evaluated concurrently; consecutive - priority groups are evaluated sequentially. + description: |- + Priority group of the config. + All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer when: - description: Conditions for Authorino to enforce this custom - response config. If omitted, the config will be enforced for - all requests. If present, all conditions must match for the - config to be enforced; otherwise, the config will be skipped. + description: |- + Conditions for Authorino to enforce this custom response config. + If omitted, the config will be enforced for all requests. 
+ If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. items: properties: all: @@ -2109,11 +1933,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: 'The binary operator to be applied to the - content fetched from the authorization JSON, for comparison - with "value". Possible values are: "eq" (equal to), - "neq" (not equal to), "incl" (includes; for arrays), - "excl" (excludes; for arrays), "matches" (regex)' + description: |- + The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". + Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) enum: - eq - neq 
@@ -2125,32 +1947,30 @@ spec: description: Name of a named pattern type: string selector: - description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. - The value is used to fetch content from the input authorization - JSON built by Authorino along the identity and metadata - phases. + description: |- + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. + The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: - description: The value of reference for the comparison - with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must - compile to a valid Golang regex. + description: |- + The value of reference for the comparison with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array wrapper: default: httpHeader - description: How Authorino wraps the response. Use "httpHeader" - (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" - to wrap the response as Envoy Dynamic Metadata + description: |- + How Authorino wraps the response. + Use "httpHeader" (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" to wrap the response as Envoy Dynamic Metadata enum: - httpHeader - envoyDynamicMetadata type: string wrapperKey: - description: The name of key used in the wrapped response (name - of the HTTP header or property of the Envoy Dynamic Metadata - JSON). If omitted, it will be set to the name of the configuration. + description: |- + The name of key used in the wrapped response (name of the HTTP header or property of the Envoy Dynamic Metadata JSON). + If omitted, it will be set to the name of the configuration. type: string wristband: properties: 
@@ -2170,16 +1990,12 @@ spec: description: Dynamic value of the JSON property properties: authJSON: - description: 'Selector to fetch a value from the - authorization JSON. It can be any path pattern - to fetch from the authorization JSON (e.g. ''context.request.http.host'') - or a string template with variable placeholders - that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson - can be used. The following string modifiers - are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, - @case:upper|lower, @base64:encode|decode and - @strip.' + description: |- + Selector to fetch a value from the authorization JSON. + It can be any path pattern to fetch from the authorization JSON (e.g. 'context.request.http.host') + or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. type: string type: object required: @@ -2192,10 +2008,9 @@ spec: where = / = / = / = / = / = / Date: Mon, 26 Aug 2024 17:05:27 -0400 Subject: [PATCH 13/31] Unsure now Signed-off-by: Alex Snaps --- api/v1beta1/zz_generated.deepcopy.go | 4 ++-- api/v1beta2/zz_generated.deepcopy.go | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go index c70bb9df..3fe74ccf 100644 --- a/api/v1beta1/zz_generated.deepcopy.go +++ b/api/v1beta1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2020 Red Hat, Inc. 
@@ -123,7 +122,8 @@ func (in *AuthConfigSpec) DeepCopyInto(out *AuthConfigSpec) {
 if val == nil {
 (*out)[key] = nil
 } else {
- in, out := &val, &outVal
+ inVal := (*in)[key]
+ in, out := &inVal, &outVal
 *out = make(JSONPatternExpressions, len(*in))
 copy(*out, *in)
 }
diff --git a/api/v1beta2/zz_generated.deepcopy.go b/api/v1beta2/zz_generated.deepcopy.go
index 3647917e..29171143 100644
--- a/api/v1beta2/zz_generated.deepcopy.go
+++ b/api/v1beta2/zz_generated.deepcopy.go
@@ -1,5 +1,4 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated
 
 /*
 Copyright 2020 Red Hat, Inc.
@@ -137,7 +136,8 @@ func (in *AuthConfigSpec) DeepCopyInto(out *AuthConfigSpec) {
 if val == nil {
 (*out)[key] = nil
 } else {
- in, out := &val, &outVal
+ inVal := (*in)[key]
+ in, out := &inVal, &outVal
 *out = make(PatternExpressions, len(*in))
 copy(*out, *in)
 }
From 64d1acbaabdfa4137f0e630ca26e7777da360ee4 Mon Sep 17 00:00:00 2001
From: Guilherme Cassolato
Date: Tue, 27 Aug 2024 09:36:54 +0200
Subject: [PATCH 14/31] Update manifests

Signed-off-by: Guilherme Cassolato
---
 install/manifests.yaml | 146 -----------------------------------------
 install/rbac/role.yaml | 146 -----------------------------------------
 2 files changed, 292 deletions(-)

diff --git a/install/manifests.yaml b/install/manifests.yaml
index 84228eed..d9dd13cc 100644
--- a/install/manifests.yaml
+++ b/install/manifests.yaml
@@ -5029,80 +5029,6 @@ kind: ClusterRole metadata: name: authorino-manager-role rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - configmaps/status - verbs: - - delete - - get - - patch - - update -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - create - - get - - list - - update - - watch -- apiGroups: - - "" - resources: - - services - verbs: - - create - - get - - list - - update - - watch -- apiGroups: - - apps - resources: - - deployments - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - apiGroups: - authorino.kuadrant.io resources: @@ -5123,12 +5049,6 @@ rules: - get - patch - update -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create - apiGroups: - coordination.k8s.io resources: 
@@ -5146,69 +5066,3 @@ rules: - get - list - watch -- apiGroups: - - operator.authorino.kuadrant.io - resources: - - authorinos - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - operator.authorino.kuadrant.io - resources: - - authorinos/finalizers - verbs: - - update -- apiGroups: - - operator.authorino.kuadrant.io - resources: - - authorinos/status - verbs: - - get - - patch - - update -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - verbs: - - create - - get - - list - - update - - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterroles - verbs: - - create - - get - - list - - update - - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - rolebindings - verbs: - - create - - get - - list - - update - - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - verbs: - - create - - get - - list - - update - - watch diff --git a/install/rbac/role.yaml b/install/rbac/role.yaml index 2328df39..69520e9e 100644 --- a/install/rbac/role.yaml +++ b/install/rbac/role.yaml 
@@ -4,80 +4,6 @@ kind: ClusterRole metadata: name: manager-role rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - configmaps/status - verbs: - - delete - - get - - patch - - update -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - create - - get - - list - - update - - watch -- apiGroups: - - "" - resources: - - services - verbs: - - create - - get - - list - - update - - watch -- apiGroups: - - apps - resources: - - deployments - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - apiGroups: - authorino.kuadrant.io resources: @@ -98,12 +24,6 @@ rules: - get - patch - update -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create - apiGroups: - coordination.k8s.io resources: 
@@ -121,69 +41,3 @@ rules: - get - list - watch -- apiGroups: - - operator.authorino.kuadrant.io - resources: - - authorinos - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - operator.authorino.kuadrant.io - resources: - - authorinos/finalizers - verbs: - - update -- apiGroups: - - operator.authorino.kuadrant.io - resources: - - authorinos/status - verbs: - - get - - patch - - update -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - verbs: - - create - - get - - list - - update - - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterroles - verbs: - - create - - get - - list - - update - - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - rolebindings - verbs: - - create - - get - - list - - update - - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - verbs: - - create - - get - - list - - update - - watch From 5b676f88323179593c9c53b485055a9a1788beb0 Mon Sep 17 00:00:00 2001 From: Alex Snaps Date: Wed, 28 Aug 2024 07:20:13 -0400 Subject: [PATCH 15/31] Make v1beta2 the stored version Signed-off-by: Alex Snaps --- api/v1beta1/auth_config_types.go | 1 - api/v1beta2/auth_config_types.go | 1 + install/crd/authorino.kuadrant.io_authconfigs.yaml | 4 ++-- install/manifests.yaml | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/api/v1beta1/auth_config_types.go b/api/v1beta1/auth_config_types.go index d49a059a..546272ee 100644 --- a/api/v1beta1/auth_config_types.go +++ b/api/v1beta1/auth_config_types.go 
@@ -784,7 +784,6 @@ func (s *AuthConfigStatus) Ready() bool { // AuthConfig is the schema for Authorino's AuthConfig API // +kubebuilder:object:root=true // +kubebuilder:subresource:status -// +kubebuilder:storageversion // +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.summary.ready`,description="Ready for all hosts" // +kubebuilder:printcolumn:name="Hosts",type=string,JSONPath=`.status.summary.numHostsReady`,description="Number of hosts ready" // +kubebuilder:printcolumn:name="Authentication",type=integer,JSONPath=`.status.summary.numIdentitySources`,description="Number of trusted identity sources",priority=2 diff --git a/api/v1beta2/auth_config_types.go b/api/v1beta2/auth_config_types.go index c689e51b..098ceb05 100644 --- a/api/v1beta2/auth_config_types.go +++ b/api/v1beta2/auth_config_types.go @@ -91,6 +91,7 @@ type StatusConditionType string // AuthConfig is the schema for Authorino's AuthConfig API // +kubebuilder:object:root=true // +kubebuilder:subresource:status +// +kubebuilder:storageversion // +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.summary.ready`,description="Ready for all hosts" // +kubebuilder:printcolumn:name="Hosts",type=string,JSONPath=`.status.summary.numHostsReady`,description="Number of hosts ready" // +kubebuilder:printcolumn:name="Authentication",type=integer,JSONPath=`.status.summary.numIdentitySources`,description="Number of trusted identity sources",priority=2 diff --git a/install/crd/authorino.kuadrant.io_authconfigs.yaml b/install/crd/authorino.kuadrant.io_authconfigs.yaml index 288a9a2b..84a61661 100644 --- a/install/crd/authorino.kuadrant.io_authconfigs.yaml +++ b/install/crd/authorino.kuadrant.io_authconfigs.yaml @@ -2181,7 +2181,7 @@ spec: type: object type: object served: true - storage: true + storage: false subresources: status: {} - additionalPrinterColumns: @@ -4483,6 +4483,6 @@ spec: type: object type: object served: true - storage: false + storage: true subresources: status: {} 
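Review bot: Moving `+kubebuilder:storageversion` from v1beta1 to v1beta2 only changes the version new writes are persisted in; objects already stored as v1beta1 stay that way until rewritten, and the CRD's `status.storedVersions` keeps listing v1beta1 until a storage migration has run, so v1beta1 cannot later be dropped from `versions` without that step. The two schemas differ (the hunk at 302 turns `Spec.Identity` into a keyed `Spec.Authentication`), so serving stored v1beta1 objects through the v1beta2 endpoint depends on the CRD's conversion strategy, which this diff does not show; confirm the conversion path is in place before the storage flip lands. The same `storage: true`/`storage: false` swap appears in the CRD manifest hunks here and at 301. A comment above the marker, e.g. `// storageversion: new objects persist as v1beta2; existing v1beta1 objects need a storage migration before v1beta1 can be removed`, would keep this visible to the next maintainer.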
diff --git a/install/manifests.yaml b/install/manifests.yaml index d9dd13cc..6c13cf5e 100644 --- a/install/manifests.yaml +++ b/install/manifests.yaml @@ -2425,7 +2425,7 @@ spec: type: object type: object served: true - storage: true + storage: false subresources: status: {} - additionalPrinterColumns: @@ -4959,7 +4959,7 @@ spec: type: object type: object served: true - storage: false + storage: true subresources: status: {} --- From fe120779514c89e187de2ea73ea2935a6adeccf1 Mon Sep 17 00:00:00 2001 From: Alex Snaps Date: Mon, 26 Aug 2024 15:23:29 -0400 Subject: [PATCH 16/31] wip Signed-off-by: Alex Snaps --- controllers/auth_config_controller.go | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/controllers/auth_config_controller.go b/controllers/auth_config_controller.go index fd0f89e9..8bc19af8 100644 --- a/controllers/auth_config_controller.go +++ b/controllers/auth_config_controller.go @@ -22,7 +22,7 @@ import ( "sort" "sync" - api "github.com/kuadrant/authorino/api/v1beta1" + api "github.com/kuadrant/authorino/api/v1beta2" "github.com/kuadrant/authorino/pkg/auth" "github.com/kuadrant/authorino/pkg/evaluators" authorization_evaluators "github.com/kuadrant/authorino/pkg/evaluators/authorization" 
@@ -163,13 +163,16 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf interfacedIdentityConfigs := make([]auth.AuthConfigEvaluator, 0) ctxWithLogger = log.IntoContext(ctx, log.FromContext(ctx).WithName("identity")) - authConfigIdentityConfigs := authConfig.Spec.Identity + authConfigIdentityConfigs := authConfig.Spec.Authentication if len(authConfigIdentityConfigs) == 0 { - authConfigIdentityConfigs = append(authConfigIdentityConfigs, &api.Identity{ - Name: "anonymous", - Anonymous: &api.Identity_Anonymous{}, - }) + authConfigIdentityConfigs["anonymous"] = api.AuthenticationSpec{ + CommonEvaluatorSpec: api.CommonEvaluatorSpec{}, + Credentials: api.Credentials{}, + AuthenticationMethodSpec: api.AuthenticationMethodSpec{ + AnonymousAccess: &api.AnonymousAccessSpec{}, + }, + } } for _, identity := range authConfigIdentityConfigs { From f02f01d615594129077faafff21fbd95b3153972 Mon Sep 17 00:00:00 2001 From: Alex Snaps Date: Wed, 4 Sep 2024 09:10:14 -0400 Subject: [PATCH 17/31] wip: done with ExtendedProperties Signed-off-by: Alex Snaps --- controllers/auth_config_controller.go | 114 +++++++-------- controllers/auth_config_controller_test.go | 131 ++++++++++-------- .../auth_config_status_updater_test.go | 4 +- 3 files changed, 133 insertions(+), 116 deletions(-) diff --git a/controllers/auth_config_controller.go b/controllers/auth_config_controller.go index 8bc19af8..10b04ae0 100644 --- a/controllers/auth_config_controller.go +++ b/controllers/auth_config_controller.go @@ -22,6 +22,7 @@ import ( "sort" "sync" + old "github.com/kuadrant/authorino/api/v1beta1" api "github.com/kuadrant/authorino/api/v1beta2" "github.com/kuadrant/authorino/pkg/auth" "github.com/kuadrant/authorino/pkg/evaluators" 
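Review bot: The added `authConfigIdentityConfigs["anonymous"] = api.AuthenticationSpec{...}` writes into `authConfig.Spec.Authentication` itself, because assigning a map only copies the reference: when `Spec.Authentication` is nil rather than an empty map the assignment panics, and when it is an empty map the reconciler silently mutates the AuthConfig it was handed, so later readers of the spec see an `anonymous` identity the user never declared (the replaced `append` on a nil slice did neither). Build a local map instead, `authConfigIdentityConfigs = map[string]api.AuthenticationSpec{"anonymous": {...}}`, with the same literal body. The import hunk that follows on this line only switches the `api` alias and needs nothing. `translateAuthConfig` starts and ends outside the hunk.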
@@ -175,17 +176,23 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf } } - for _, identity := range authConfigIdentityConfigs { - extendedProperties := make([]evaluators.IdentityExtension, len(identity.ExtendedProperties)) - for i, property := range identity.ExtendedProperties { - extendedProperties[i] = evaluators.NewIdentityExtension(property.Name, json.JSONValue{ + for identityCfgName, identity := range authConfigIdentityConfigs { + extendedProperties := make([]evaluators.IdentityExtension, len(identity.Defaults)+len(identity.Overrides)) + for propertyName, property := range identity.Defaults { + extendedProperties = append(extendedProperties, evaluators.NewIdentityExtension(propertyName, json.JSONValue{ Static: property.Value, - Pattern: property.ValueFrom.AuthJSON, - }, property.Overwrite) + Pattern: property.Selector, + }, false)) + } + for propertyName, property := range identity.Overrides { + extendedProperties = append(extendedProperties, evaluators.NewIdentityExtension(propertyName, json.JSONValue{ + Static: property.Value, + Pattern: property.Selector, + }, true)) } translatedIdentity := &evaluators.IdentityConfig{ - Name: identity.Name, + Name: identityCfgName, Priority: identity.Priority, Conditions: buildJSONExpression(authConfig, identity.Conditions, jsonexp.All), ExtendedProperties: extendedProperties, @@ -195,7 +202,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf if identity.Cache != nil { ttl := identity.Cache.TTL if ttl == 0 { - ttl = api.EvaluatorDefaultCacheTTL + ttl = old.EvaluatorDefaultCacheTTL } translatedIdentity.Cache = evaluators.NewEvaluatorCache( *getJsonFromStaticDynamic(&identity.Cache.Key), @@ -207,7 +214,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf switch identity.GetType() { // oauth2 - case api.IdentityOAuth2: + case old.IdentityOAuth2: oauth2Identity := identity.OAuth2 secret := &v1.Secret{} 
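Review bot: `extendedProperties := make([]evaluators.IdentityExtension, len(identity.Defaults)+len(identity.Overrides))` allocates that many zero-valued elements and the two loops then `append` after them, so the slice ends up twice as long with empty `IdentityExtension` entries at the front; the removed code indexed `[i]` into the pre-sized slice, which is why a length argument was correct there. Use a capacity instead: `extendedProperties := make([]evaluators.IdentityExtension, 0, len(identity.Defaults)+len(identity.Overrides))`. Separately, `Defaults`, `Overrides` and the enclosing `authConfigIdentityConfigs` are now maps, so the order of extensions and of identity evaluators varies per reconcile; if anything downstream or in tests depends on ordering (not visible here), collect and sort the keys before ranging, and the same applies to the map ranges in the hunks at 316 and 318. `ttl = old.EvaluatorDefaultCacheTTL` reads a v1beta1 constant on the v1beta2 path, which deserves a `// TODO` if v1beta2 is meant to own its defaults. The enclosing `translateAuthConfig` starts and ends outside the hunk.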
@@ -227,11 +234,11 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf ) // oidc - case api.IdentityOidc: + case old.IdentityOidc: translatedIdentity.OIDC = identity_evaluators.NewOIDC(identity.Oidc.Endpoint, authCred, identity.Oidc.TTL, ctxWithLogger) // apiKey - case api.IdentityApiKey: + case old.IdentityApiKey: namespace := authConfig.Namespace if identity.APIKey.AllNamespaces && r.ClusterWide() { namespace = "" @@ -243,7 +250,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf translatedIdentity.APIKey = identity_evaluators.NewApiKeyIdentity(identity.Name, selector, namespace, authCred, r.Client, ctxWithLogger) // MTLS - case api.IdentityMTLS: + case old.IdentityMTLS: namespace := authConfig.Namespace if identity.MTLS.AllNamespaces && r.ClusterWide() { namespace = "" @@ -255,20 +262,20 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf translatedIdentity.MTLS = identity_evaluators.NewMTLSIdentity(identity.Name, selector, namespace, r.Client, ctxWithLogger) // kubernetes auth - case api.IdentityKubernetesAuth: + case old.IdentityKubernetesAuth: if k8sAuthConfig, err := identity_evaluators.NewKubernetesAuthIdentity(authCred, identity.KubernetesAuth.Audiences); err != nil { return nil, err } else { translatedIdentity.KubernetesAuth = k8sAuthConfig } - case api.IdentityPlain: + case old.IdentityPlain: translatedIdentity.Plain = &identity_evaluators.Plain{Pattern: identity.Plain.AuthJSON} - case api.IdentityAnonymous: + case old.IdentityAnonymous: translatedIdentity.Noop = &identity_evaluators.Noop{AuthCredentials: authCred} - case api.TypeUnknown: + case old.TypeUnknown: return nil, fmt.Errorf("unknown identity type %v", identity) } 
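Review bot: The context lines `translatedIdentity.APIKey = identity_evaluators.NewApiKeyIdentity(identity.Name, ...)` and `translatedIdentity.MTLS = identity_evaluators.NewMTLSIdentity(identity.Name, ...)` still read `identity.Name`, while the hunk at 303 switched the identity's name to the map key `identityCfgName` — if `api.AuthenticationSpec` has no `Name` field, as that change suggests, these calls should pass `identityCfgName` too. The new `case old.IdentityOAuth2:` (and siblings) compare `identity.GetType()` on the v1beta2 value against v1beta1 constants, which only holds together while the two packages share the type; a `// TODO: switch to v1beta2 method constants` on the `switch` would mark it as the stopgap it appears to be. The enclosing function starts and ends outside these hunks.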
@@ -289,7 +296,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf if metadata.Cache != nil { ttl := metadata.Cache.TTL if ttl == 0 { - ttl = api.EvaluatorDefaultCacheTTL + ttl = old.EvaluatorDefaultCacheTTL } translatedMetadata.Cache = evaluators.NewEvaluatorCache( *getJsonFromStaticDynamic(&metadata.Cache.Key), @@ -299,7 +306,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf switch metadata.GetType() { // uma - case api.MetadataUma: + case old.MetadataUma: secret := &v1.Secret{} if err := r.Client.Get(ctx, types.NamespacedName{ Namespace: authConfig.Namespace, @@ -319,7 +326,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf } // user_info - case api.MetadataUserinfo: + case old.MetadataUserinfo: translatedMetadata.UserInfo = &metadata_evaluators.UserInfo{} if idConfig, err := findIdentityConfigByName(identityConfigs, metadata.UserInfo.IdentitySource); err != nil { @@ -329,14 +336,14 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf } // generic http - case api.MetadataGenericHTTP: + case old.MetadataGenericHTTP: ev, err := r.buildGenericHttpEvaluator(ctx, metadata.GenericHTTP, authConfig.Namespace) if err != nil { return nil, err } translatedMetadata.GenericHTTP = ev - case api.TypeUnknown: + case old.TypeUnknown: return nil, fmt.Errorf("unknown metadata type %v", metadata) } @@ -357,7 +364,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf if authorization.Cache != nil { ttl := authorization.Cache.TTL if ttl == 0 { - ttl = api.EvaluatorDefaultCacheTTL + ttl = old.EvaluatorDefaultCacheTTL } translatedAuthorization.Cache = evaluators.NewEvaluatorCache( *getJsonFromStaticDynamic(&authorization.Cache.Key), 
@@ -367,7 +374,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf switch authorization.GetType() { // opa - case api.AuthorizationOPA: + case old.AuthorizationOPA: policyName := authConfig.GetNamespace() + "/" + authConfig.GetName() + "/" + authorization.Name opa := authorization.OPA externalRegistry := opa.ExternalRegistry @@ -398,12 +405,12 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf } // json - case api.AuthorizationJSONPatternMatching: + case old.AuthorizationJSONPatternMatching: translatedAuthorization.JSON = &authorization_evaluators.JSONPatternMatching{ Rules: buildJSONExpression(authConfig, authorization.JSON.Rules, jsonexp.All), } - case api.AuthorizationKubernetesAuthz: + case old.AuthorizationKubernetesAuthz: user := authorization.KubernetesAuthz.User authorinoUser := json.JSONValue{Static: user.Value, Pattern: user.ValueFrom.AuthJSON} @@ -426,7 +433,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf return nil, err } - case api.AuthorizationAuthzed: + case old.AuthorizationAuthzed: authzed := authorization.Authzed secret := &v1.Secret{} @@ -449,7 +456,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf translatedAuthorization.Authzed = translatedAuthzed - case api.TypeUnknown: + case old.TypeUnknown: return nil, fmt.Errorf("unknown authorization type %v", authorization) } @@ -471,7 +478,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf if response.Cache != nil { ttl := response.Cache.TTL if ttl == 0 { - ttl = api.EvaluatorDefaultCacheTTL + ttl = old.EvaluatorDefaultCacheTTL } translatedResponse.Cache = evaluators.NewEvaluatorCache( *getJsonFromStaticDynamic(&response.Cache.Key), 
@@ -481,7 +488,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf switch response.GetType() { // wristband - case api.ResponseWristband: + case old.ResponseWristband: wristband := response.Wristband signingKeys := make([]jose.JSONWebKey, 0) @@ -529,7 +536,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf } // dynamic json - case api.ResponseDynamicJSON: + case old.ResponseDynamicJSON: jsonProperties := make([]json.JSONProperty, 0) for _, property := range response.JSON.Properties { @@ -545,7 +552,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf translatedResponse.DynamicJSON = response_evaluators.NewDynamicJSONResponse(jsonProperties) // plain - case api.ResponsePlain: + case old.ResponsePlain: translatedResponse.Plain = &response_evaluators.Plain{ JSONValue: json.JSONValue{ Static: response.Plain.Value, @@ -553,7 +560,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf }, } - case api.TypeUnknown: + case old.TypeUnknown: return nil, fmt.Errorf("unknown response type %v", response) } @@ -572,14 +579,14 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf switch callback.GetType() { // http - case api.CallbackHTTP: + case old.CallbackHTTP: ev, err := r.buildGenericHttpEvaluator(ctx, callback.HTTP, authConfig.Namespace) if err != nil { return nil, err } translatedCallback.HTTP = ev - case api.TypeUnknown: + case old.TypeUnknown: return nil, fmt.Errorf("unknown callback type %v", callback) } @@ -646,7 +653,7 @@ func (r *AuthConfigReconciler) bootstrapIndex(ctx context.Context) error { return nil } - authConfigList := api.AuthConfigList{} + authConfigList := old.AuthConfigList{} listOptions := []client.ListOption{} if r.LabelSelector != nil { listOptions = append(listOptions, client.MatchingLabelsSelector{Selector: r.LabelSelector}) 
@@ -701,7 +708,7 @@ func (r *AuthConfigReconciler) ClusterWide() bool { func (r *AuthConfigReconciler) SetupWithManager(mgr ctrl.Manager) error { return ctrl.NewControllerManagedBy(mgr). - For(&api.AuthConfig{}, builder.WithPredicates(LabelSelectorPredicate(r.LabelSelector))). + For(&old.AuthConfig{}, builder.WithPredicates(LabelSelectorPredicate(r.LabelSelector))). Complete(r) } @@ -712,7 +719,7 @@ func (r *AuthConfigReconciler) Ready(includes, _ []string, _ bool) error { for id, status := range r.StatusReport.ReadAll() { switch status.Reason { - case api.StatusReasonReconciled: + case old.StatusReasonReconciled: continue default: return fmt.Errorf("authconfig is not ready: %s (reason: %s)", id, status.Reason) @@ -721,7 +728,7 @@ func (r *AuthConfigReconciler) Ready(includes, _ []string, _ bool) error { return nil } -func (r *AuthConfigReconciler) buildGenericHttpEvaluator(ctx context.Context, http *api.Metadata_GenericHTTP, namespace string) (*metadata_evaluators.GenericHttp, error) { +func (r *AuthConfigReconciler) buildGenericHttpEvaluator(ctx context.Context, http *old.Metadata_GenericHTTP, namespace string) (*metadata_evaluators.GenericHttp, error) { var sharedSecret string if sharedSecretRef := http.SharedSecret; sharedSecretRef != nil { secret := &v1.Secret{} 
@@ -805,24 +812,24 @@ func findIdentityConfigByName(identityConfigs []evaluators.IdentityConfig, name return nil, fmt.Errorf("missing identity config %v", name) } -func buildJSONExpression(authConfig *api.AuthConfig, patterns []api.JSONPattern, op func(...jsonexp.Expression) jsonexp.Expression) jsonexp.Expression { +func buildJSONExpression(authConfig *api.AuthConfig, patterns []api.PatternExpressionOrRef, op func(...jsonexp.Expression) jsonexp.Expression) jsonexp.Expression { var expression []jsonexp.Expression for _, pattern := range patterns { // patterns or refs expression = append(expression, buildJSONExpressionPatterns(authConfig, pattern)...) // all if len(pattern.All) > 0 { - p := make([]api.JSONPattern, len(pattern.All)) + p := make([]api.PatternExpressionOrRef, len(pattern.All)) for i, ptn := range pattern.All { - p[i] = ptn.JSONPattern + p[i] = ptn.PatternExpressionOrRef } expression = append(expression, buildJSONExpression(authConfig, p, jsonexp.All)) } // any if len(pattern.Any) > 0 { - p := make([]api.JSONPattern, len(pattern.Any)) + p := make([]api.PatternExpressionOrRef, len(pattern.Any)) for i, ptn := range pattern.Any { - p[i] = ptn.JSONPattern + p[i] = ptn.PatternExpressionOrRef } expression = append(expression, buildJSONExpression(authConfig, p, jsonexp.Any)) } 
@@ -830,13 +837,12 @@ func buildJSONExpression(authConfig *api.AuthConfig, patterns []api.JSONPattern, return op(expression...) } -func buildJSONExpressionPatterns(authConfig *api.AuthConfig, pattern api.JSONPattern) []jsonexp.Expression { - expressionsToAdd := api.JSONPatternExpressions{} - - if expressionsByRef, found := authConfig.Spec.Patterns[pattern.JSONPatternName]; found { +func buildJSONExpressionPatterns(authConfig *api.AuthConfig, pattern api.PatternExpressionOrRef) []jsonexp.Expression { + expressionsToAdd := api.PatternExpressions{} + if expressionsByRef, found := authConfig.Spec.NamedPatterns[pattern.PatternRef.Name]; found { expressionsToAdd = append(expressionsToAdd, expressionsByRef...) - } else if pattern.JSONPatternExpression.Operator != "" { - expressionsToAdd = append(expressionsToAdd, pattern.JSONPatternExpression) + } else if pattern.PatternExpression.Operator != "" { + expressionsToAdd = append(expressionsToAdd, pattern.PatternExpression) } expressions := make([]jsonexp.Expression, len(expressionsToAdd)) @@ -846,7 +852,7 @@ func buildJSONExpressionPatterns(authConfig *api.AuthConfig, pattern api.JSONPat return expressions } -func buildJSONExpressionPattern(expression api.JSONPatternExpression) jsonexp.Expression { +func buildJSONExpressionPattern(expression api.PatternExpression) jsonexp.Expression { return jsonexp.Pattern{ Selector: expression.Selector, Operator: jsonexp.OperatorFromString(string(expression.Operator)), @@ -854,7 +860,7 @@ func buildJSONExpressionPattern(expression api.JSONPatternExpression) jsonexp.Ex } } -func buildAuthorinoDenyWithValues(denyWithSpec *api.DenyWithSpec) *evaluators.DenyWithValues { +func buildAuthorinoDenyWithValues(denyWithSpec *old.DenyWithSpec) *evaluators.DenyWithValues { if denyWithSpec == nil { return nil } 
@@ -872,18 +878,18 @@ func buildAuthorinoDenyWithValues(denyWithSpec *api.DenyWithSpec) *evaluators.De } } -func getJsonFromStaticDynamic(value *api.StaticOrDynamicValue) *json.JSONValue { +func getJsonFromStaticDynamic(value *api.ValueOrSelector) *json.JSONValue { if value == nil { return nil } return &json.JSONValue{ Static: value.Value, - Pattern: value.ValueFrom.AuthJSON, + Pattern: value.Selector, } } -func authzedObjectToJsonValues(obj *api.AuthzedObject) (name json.JSONValue, kind json.JSONValue) { +func authzedObjectToJsonValues(obj *old.AuthzedObject) (name json.JSONValue, kind json.JSONValue) { if obj == nil { return } diff --git a/controllers/auth_config_controller_test.go b/controllers/auth_config_controller_test.go index e1ac0b46..392ab37a 100644 --- a/controllers/auth_config_controller_test.go +++ b/controllers/auth_config_controller_test.go @@ -6,7 +6,8 @@ import ( "os" "testing" - api "github.com/kuadrant/authorino/api/v1beta1" + old "github.com/kuadrant/authorino/api/v1beta1" + api "github.com/kuadrant/authorino/api/v1beta2" "github.com/kuadrant/authorino/pkg/evaluators" "github.com/kuadrant/authorino/pkg/httptest" "github.com/kuadrant/authorino/pkg/index" 
@@ -40,56 +41,46 @@ func TestMain(m *testing.M) { } func newTestAuthConfig(authConfigLabels map[string]string) api.AuthConfig { - return api.AuthConfig{ - TypeMeta: metav1.TypeMeta{ - Kind: "AuthConfig", - APIVersion: "authorino.kuadrant.io/v1beta1", - }, - ObjectMeta: metav1.ObjectMeta{ - Name: "auth-config-1", - Namespace: "authorino", - Labels: authConfigLabels, - }, - Spec: api.AuthConfigSpec{ - Hosts: []string{"echo-api"}, - Identity: []*api.Identity{ - { - Name: "keycloak", - Oidc: &api.Identity_OidcConfig{ - Endpoint: "http://127.0.0.1:9001/auth/realms/demo", - }, - ExtendedProperties: []api.ExtendedProperty{ - { - JsonProperty: api.JsonProperty{ - Name: "source", - Value: runtime.RawExtension{Raw: []byte(`"test"`)}, - }, + spec := old.AuthConfigSpec{ + Hosts: []string{"echo-api"}, + Identity: []*old.Identity{ + { + Name: "keycloak", + Oidc: &old.Identity_OidcConfig{ + Endpoint: "http://127.0.0.1:9001/auth/realms/demo", + }, + ExtendedProperties: []old.ExtendedProperty{ + { + JsonProperty: old.JsonProperty{ + Name: "source", + Value: runtime.RawExtension{Raw: []byte(`"test"`)}, }, }, }, }, - Metadata: []*api.Metadata{ - { - Name: "userinfo", - UserInfo: &api.Metadata_UserInfo{ - IdentitySource: "keycloak", - }, + }, + Metadata: []*old.Metadata{ + { + Name: "userinfo", + UserInfo: &old.Metadata_UserInfo{ + IdentitySource: "keycloak", }, - { - Name: "resource-data", - UMA: &api.Metadata_UMA{ - Endpoint: "http://127.0.0.1:9001/auth/realms/demo", - Credentials: &v1.LocalObjectReference{ - Name: "secret", - }, + }, + { + Name: "resource-data", + UMA: &old.Metadata_UMA{ + Endpoint: "http://127.0.0.1:9001/auth/realms/demo", + Credentials: &v1.LocalObjectReference{ + Name: "secret", }, }, }, - Authorization: []*api.Authorization{ - { - Name: "main-policy", - OPA: &api.Authorization_OPA{ - InlineRego: ` + }, + Authorization: []*old.Authorization{ + { + Name: "main-policy", + OPA: &old.Authorization_OPA{ + InlineRego: ` method = object.get(input.context.request.http, 
"method", "") path = object.get(input.context.request.http, "path", "") @@ -97,18 +88,17 @@ func newTestAuthConfig(authConfigLabels map[string]string) api.AuthConfig { method == "GET" path = "/allow" }`, - }, }, - { - Name: "some-extra-rules", - JSON: &api.Authorization_JSONPatternMatching{ - Rules: []api.JSONPattern{ - { - JSONPatternExpression: api.JSONPatternExpression{ - Selector: "context.identity.role", - Operator: "eq", - Value: "admin", - }, + }, + { + Name: "some-extra-rules", + JSON: &old.Authorization_JSONPatternMatching{ + Rules: []old.JSONPattern{ + { + JSONPatternExpression: old.JSONPatternExpression{ + Selector: "context.identity.role", + Operator: "eq", + Value: "admin", }, }, }, @@ -116,6 +106,27 @@ func newTestAuthConfig(authConfigLabels map[string]string) api.AuthConfig { }, }, } + return api.AuthConfig{ + TypeMeta: metav1.TypeMeta{ + Kind: "AuthConfig", + APIVersion: "authorino.kuadrant.io/v1beta1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "auth-config-1", + Namespace: "authorino", + Labels: authConfigLabels, + }, + Spec: api.AuthConfigSpec{ + Hosts: []string{"echo-api"}, + NamedPatterns: nil, + Conditions: nil, + Authentication: nil, + Metadata: nil, + Authorization: nil, + Response: nil, + Callbacks: nil, + }, + } } func newTestOAuthClientSecret() v1.Secret { 
@@ -387,26 +398,26 @@ func TestBootstrapIndex(t *testing.T) { indexMock := mock_index.NewMockIndex(mockController) authConfig := newTestAuthConfig(map[string]string{"scope": "in"}) - authConfig.Status.Summary = api.Summary{ + authConfig.Status.Summary = api.AuthConfigStatusSummary{ Ready: true, HostsReady: authConfig.Spec.Hosts, NumHostsReady: fmt.Sprintf("%d/%d", len(authConfig.Spec.Hosts), len(authConfig.Spec.Hosts)), - NumIdentitySources: int64(len(authConfig.Spec.Identity)), + NumIdentitySources: int64(len(authConfig.Spec.Authentication)), NumMetadataSources: int64(len(authConfig.Spec.Metadata)), NumAuthorizationPolicies: int64(len(authConfig.Spec.Authorization)), - NumResponseItems: int64(len(authConfig.Spec.Response)), + NumResponseItems: int64(len(authConfig.Spec.Response.Success.DynamicMetadata) + len(authConfig.Spec.Response.Success.Headers)), FestivalWristbandEnabled: false, } authConfigOutOfScope := newTestAuthConfig(map[string]string{"scope": "out"}) - authConfigOutOfScope.Status.Summary = api.Summary{ + authConfigOutOfScope.Status.Summary = api.AuthConfigStatusSummary{ Ready: true, HostsReady: authConfig.Spec.Hosts, NumHostsReady: fmt.Sprintf("%d/%d", len(authConfig.Spec.Hosts), len(authConfig.Spec.Hosts)), - NumIdentitySources: int64(len(authConfig.Spec.Identity)), + NumIdentitySources: int64(len(authConfig.Spec.Authentication)), NumMetadataSources: int64(len(authConfig.Spec.Metadata)), NumAuthorizationPolicies: int64(len(authConfig.Spec.Authorization)), - NumResponseItems: int64(len(authConfig.Spec.Response)), + NumResponseItems: int64(len(authConfig.Spec.Response.Success.DynamicMetadata) + len(authConfig.Spec.Response.Success.Headers)), FestivalWristbandEnabled: false, } diff --git a/controllers/auth_config_status_updater_test.go b/controllers/auth_config_status_updater_test.go index 01125609..c35eecea 100644 --- a/controllers/auth_config_status_updater_test.go +++ b/controllers/auth_config_status_updater_test.go 
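Review bot: `len(authConfig.Spec.Response.Success.DynamicMetadata)` dereferences `Spec.Response`, which `newTestAuthConfig` (hunk at 313) now sets to `nil`; if `Response` is a pointer field, as that nil literal suggests, this line panics before any assertion runs. Compute the count once behind a nil check, e.g. `if r := authConfig.Spec.Response; r != nil { numResponseItems = int64(len(r.Success.DynamicMetadata) + len(r.Success.Headers)) }`, and reuse it in both `AuthConfigStatusSummary` literals, which also removes the duplicated expression. The second literal still reads `authConfig.Spec.Hosts` rather than `authConfigOutOfScope.Spec.Hosts`; that predates this change but is worth fixing while here.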
@@ -4,7 +4,7 @@ import ( "context" "testing" - api "github.com/kuadrant/authorino/api/v1beta1" + api "github.com/kuadrant/authorino/api/v1beta2" "github.com/kuadrant/authorino/pkg/log" "github.com/golang/mock/gomock" @@ -176,7 +176,7 @@ func mockStatusUpdateAuthConfigWithLabelsAndHosts(labels map[string]string, host return api.AuthConfig{ TypeMeta: metav1.TypeMeta{ Kind: "AuthConfig", - APIVersion: "authorino.kuadrant.io/v1beta1", + APIVersion: "authorino.kuadrant.io/v1beta2", }, ObjectMeta: metav1.ObjectMeta{ Name: "auth-config-1", From a2dc46488166b16674b30aed5e79e412c8f7b03a Mon Sep 17 00:00:00 2001 From: Alex Snaps Date: Wed, 4 Sep 2024 09:15:20 -0400 Subject: [PATCH 18/31] wip: done with eof utility functions Signed-off-by: Alex Snaps --- controllers/auth_config_controller.go | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/controllers/auth_config_controller.go b/controllers/auth_config_controller.go index 10b04ae0..cab17724 100644 --- a/controllers/auth_config_controller.go +++ b/controllers/auth_config_controller.go @@ -451,8 +451,8 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf SharedSecret: sharedSecret, Permission: *getJsonFromStaticDynamic(&authzed.Permission), } - translatedAuthzed.Subject, translatedAuthzed.SubjectKind = authzedObjectToJsonValues(authzed.Subject) - translatedAuthzed.Resource, translatedAuthzed.ResourceKind = authzedObjectToJsonValues(authzed.Resource) + translatedAuthzed.Subject, translatedAuthzed.SubjectKind = spiceDBObjectToJsonValues(authzed.Subject) + translatedAuthzed.Resource, translatedAuthzed.ResourceKind = spiceDBObjectToJsonValues(authzed.Resource) translatedAuthorization.Authzed = translatedAuthzed 
@@ -860,14 +860,14 @@ func buildJSONExpressionPattern(expression api.PatternExpression) jsonexp.Expres } } -func buildAuthorinoDenyWithValues(denyWithSpec *old.DenyWithSpec) *evaluators.DenyWithValues { +func buildAuthorinoDenyWithValues(denyWithSpec *api.DenyWithSpec) *evaluators.DenyWithValues { if denyWithSpec == nil { return nil } headers := make([]json.JSONProperty, 0, len(denyWithSpec.Headers)) - for _, header := range denyWithSpec.Headers { - headers = append(headers, json.JSONProperty{Name: header.Name, Value: json.JSONValue{Static: header.Value, Pattern: header.ValueFrom.AuthJSON}}) + for name, header := range denyWithSpec.Headers { + headers = append(headers, json.JSONProperty{Name: name, Value: json.JSONValue{Static: header.Value, Pattern: header.Selector}}) } return &evaluators.DenyWithValues{ @@ -889,7 +889,7 @@ func getJsonFromStaticDynamic(value *api.ValueOrSelector) *json.JSONValue { } } -func authzedObjectToJsonValues(obj *old.AuthzedObject) (name json.JSONValue, kind json.JSONValue) { +func spiceDBObjectToJsonValues(obj *api.SpiceDBObject) (name json.JSONValue, kind json.JSONValue) { if obj == nil { return } From 4dd6f3d5065cd464810d0f56c0b5d00b553478bc Mon Sep 17 00:00:00 2001 From: Alex Snaps Date: Wed, 4 Sep 2024 09:25:34 -0400 Subject: [PATCH 19/31] wip: done with AuthCredentials Signed-off-by: Alex Snaps --- controllers/auth_config_controller.go | 55 ++++++++++++++++++--------- 1 file changed, 37 insertions(+), 18 deletions(-) diff --git a/controllers/auth_config_controller.go b/controllers/auth_config_controller.go index cab17724..e6e1b87e 100644 --- a/controllers/auth_config_controller.go +++ b/controllers/auth_config_controller.go @@ -210,7 +210,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf ) } - authCred := auth.NewAuthCredential(identity.Credentials.KeySelector, string(identity.Credentials.In)) + authCred := newAuthCredential(identity.Credentials) switch identity.GetType() { // oauth2 
@@ -394,7 +394,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf externalSource := &authorization_evaluators.OPAExternalSource{ Endpoint: externalRegistry.Endpoint, SharedSecret: sharedSecret, - AuthCredentials: auth.NewAuthCredential(externalRegistry.Credentials.KeySelector, string(externalRegistry.Credentials.In)), + AuthCredentials: newAuthCredential(externalRegistry.Credentials), TTL: externalRegistry.TTL, } @@ -569,24 +569,24 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf interfacedCallbackConfigs := make([]auth.AuthConfigEvaluator, 0) - for _, callback := range authConfig.Spec.Callbacks { + for name, callback := range authConfig.Spec.Callbacks { translatedCallback := &evaluators.CallbackConfig{ - Name: callback.Name, + Name: name, Priority: callback.Priority, Conditions: buildJSONExpression(authConfig, callback.Conditions, jsonexp.All), Metrics: callback.Metrics, } - switch callback.GetType() { + switch callback.GetMethod() { // http - case old.CallbackHTTP: - ev, err := r.buildGenericHttpEvaluator(ctx, callback.HTTP, authConfig.Namespace) + case api.HttpCallback: + ev, err := r.buildGenericHttpEvaluator(ctx, callback.Http, authConfig.Namespace) if err != nil { return nil, err } translatedCallback.HTTP = ev - case old.TypeUnknown: + case api.UnknownCallbackMethod: return nil, fmt.Errorf("unknown callback type %v", callback) } @@ -728,7 +728,7 @@ func (r *AuthConfigReconciler) Ready(includes, _ []string, _ bool) error { return nil } -func (r *AuthConfigReconciler) buildGenericHttpEvaluator(ctx context.Context, http *old.Metadata_GenericHTTP, namespace string) (*metadata_evaluators.GenericHttp, error) { +func (r *AuthConfigReconciler) buildGenericHttpEvaluator(ctx context.Context, http *api.HttpEndpointSpec, namespace string) (*metadata_evaluators.GenericHttp, error) { var sharedSecret string if sharedSecretRef := http.SharedSecret; sharedSecretRef != nil { secret := &v1.Secret{} 
@@ -754,27 +754,27 @@ func (r *AuthConfigReconciler) buildGenericHttpEvaluator(ctx context.Context, ht var body *json.JSONValue if b := http.Body; b != nil { - body = &json.JSONValue{Static: b.Value, Pattern: b.ValueFrom.AuthJSON} + body = &json.JSONValue{Static: b.Value, Pattern: b.Selector} } params := make([]json.JSONProperty, 0, len(http.Parameters)) - for _, param := range http.Parameters { + for name, param := range http.Parameters { params = append(params, json.JSONProperty{ - Name: param.Name, + Name: name, Value: json.JSONValue{ Static: param.Value, - Pattern: param.ValueFrom.AuthJSON, + Pattern: param.Selector, }, }) } headers := make([]json.JSONProperty, 0, len(http.Headers)) - for _, header := range http.Headers { + for name, header := range http.Headers { headers = append(headers, json.JSONProperty{ - Name: header.Name, + Name: name, Value: json.JSONValue{ Static: header.Value, - Pattern: header.ValueFrom.AuthJSON, + Pattern: header.Selector, }, }) } @@ -785,7 +785,7 @@ func (r *AuthConfigReconciler) buildGenericHttpEvaluator(ctx context.Context, ht } ev := &metadata_evaluators.GenericHttp{ - Endpoint: http.Endpoint, + Endpoint: http.Url, Method: method, Body: body, Parameters: params, 
@@ -797,12 +797,31 @@ func (r *AuthConfigReconciler) buildGenericHttpEvaluator(ctx context.Context, ht } if sharedSecret != "" || oauth2ClientCredentialsConfig != nil { - ev.AuthCredentials = auth.NewAuthCredential(http.Credentials.KeySelector, string(http.Credentials.In)) + ev.AuthCredentials = newAuthCredential(http.Credentials) } return ev, nil } +func newAuthCredential(creds api.Credentials) *auth.AuthCredential { + var in, key string + switch creds.GetType() { + case api.AuthorizationHeaderCredentials: + in = "authorization_header" + key = creds.AuthorizationHeader.Prefix + case api.CustomHeaderCredentials: + in = "custom_header" + key = creds.CustomHeader.Name + case api.QueryStringCredentials: + in = "query" + key = creds.QueryString.Name + case api.CookieCredentials: + in = "cookie" + key = creds.Cookie.Name + } + return auth.NewAuthCredential(key, in) +} + func findIdentityConfigByName(identityConfigs []evaluators.IdentityConfig, name string) (*evaluators.IdentityConfig, error) { for _, id := range identityConfigs { if id.Name == name { From 5d5e7740e465213a74106a7ae06a77d0f9c7b36f Mon Sep 17 00:00:00 2001 From: Alex Snaps Date: Wed, 4 Sep 2024 09:31:55 -0400 Subject: [PATCH 20/31] wip: done with Identities Signed-off-by: Alex Snaps --- controllers/auth_config_controller.go | 44 +++++++++++++-------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/controllers/auth_config_controller.go b/controllers/auth_config_controller.go index e6e1b87e..9a8f411a 100644 --- a/controllers/auth_config_controller.go +++ b/controllers/auth_config_controller.go 
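Review bot: `newAuthCredential` has no `default` arm, so a `Credentials` value whose `GetType()` matches none of the four cases silently becomes `auth.NewAuthCredential("", "")`, an evaluator that looks for the credential in an empty location instead of a configuration error; the zero-value `api.Credentials{}` given to the implicit anonymous identity reaches this function, and whether `GetType()` maps it to one of the enumerated methods is not visible here. If the accessor is meant to fall back to the authorization header, a `default:` that sets `in = "authorization_header"` makes that explicit; if not, the unmatched case should at least be logged, because an empty location means the credential is never read. Each arm also dereferences its sub-spec (`creds.AuthorizationHeader.Prefix`, `creds.CustomHeader.Name`, ...), which is only safe if `GetType()` is derived from which of those fields is set. The four location strings are literals that the evaluator presumably switches on; a comment such as `// in must match the location names accepted by auth.NewAuthCredential` or shared constants would keep them from drifting.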
@@ -212,10 +212,10 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf authCred := newAuthCredential(identity.Credentials) - switch identity.GetType() { + switch identity.GetMethod() { // oauth2 - case old.IdentityOAuth2: - oauth2Identity := identity.OAuth2 + case api.OAuth2TokenIntrospectionAuthentication: + oauth2Identity := identity.OAuth2TokenIntrospection secret := &v1.Secret{} if err := r.Client.Get(ctx, types.NamespacedName{ @@ -226,7 +226,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf } translatedIdentity.OAuth2 = identity_evaluators.NewOAuth2Identity( - oauth2Identity.TokenIntrospectionUrl, + oauth2Identity.Url, oauth2Identity.TokenTypeHint, string(secret.Data["clientID"]), string(secret.Data["clientSecret"]), 
@@ -234,48 +234,48 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf ) // oidc - case old.IdentityOidc: - translatedIdentity.OIDC = identity_evaluators.NewOIDC(identity.Oidc.Endpoint, authCred, identity.Oidc.TTL, ctxWithLogger) + case api.JwtAuthentication: + translatedIdentity.OIDC = identity_evaluators.NewOIDC(identity.Jwt.IssuerUrl, authCred, identity.Jwt.TTL, ctxWithLogger) // apiKey - case old.IdentityApiKey: + case api.ApiKeyAuthentication: namespace := authConfig.Namespace - if identity.APIKey.AllNamespaces && r.ClusterWide() { + if identity.ApiKey.AllNamespaces && r.ClusterWide() { namespace = "" } - selector, err := metav1.LabelSelectorAsSelector(identity.APIKey.Selector) + selector, err := metav1.LabelSelectorAsSelector(identity.ApiKey.Selector) if err != nil { return nil, err } - translatedIdentity.APIKey = identity_evaluators.NewApiKeyIdentity(identity.Name, selector, namespace, authCred, r.Client, ctxWithLogger) + translatedIdentity.APIKey = identity_evaluators.NewApiKeyIdentity(identityCfgName, selector, namespace, authCred, r.Client, ctxWithLogger) // MTLS - case old.IdentityMTLS: + case api.X509ClientCertificateAuthentication: namespace := authConfig.Namespace - if identity.MTLS.AllNamespaces && r.ClusterWide() { + if identity.X509ClientCertificate.AllNamespaces && r.ClusterWide() { namespace = "" } - selector, err := metav1.LabelSelectorAsSelector(identity.MTLS.Selector) + selector, err := metav1.LabelSelectorAsSelector(identity.X509ClientCertificate.Selector) if err != nil { return nil, err } - translatedIdentity.MTLS = identity_evaluators.NewMTLSIdentity(identity.Name, selector, namespace, r.Client, ctxWithLogger) + translatedIdentity.MTLS = identity_evaluators.NewMTLSIdentity(identityCfgName, selector, namespace, r.Client, ctxWithLogger) // kubernetes auth - case old.IdentityKubernetesAuth: - if k8sAuthConfig, err := identity_evaluators.NewKubernetesAuthIdentity(authCred, identity.KubernetesAuth.Audiences); err 
!= nil { + case api.KubernetesTokenReviewAuthentication: + if k8sAuthConfig, err := identity_evaluators.NewKubernetesAuthIdentity(authCred, identity.KubernetesTokenReview.Audiences); err != nil { return nil, err } else { translatedIdentity.KubernetesAuth = k8sAuthConfig } - case old.IdentityPlain: - translatedIdentity.Plain = &identity_evaluators.Plain{Pattern: identity.Plain.AuthJSON} + case api.PlainIdentityAuthentication: + translatedIdentity.Plain = &identity_evaluators.Plain{Pattern: identity.Plain.Selector} - case old.IdentityAnonymous: + case api.AnonymousAccessAuthentication: translatedIdentity.Noop = &identity_evaluators.Noop{AuthCredentials: authCred} - case old.TypeUnknown: + case api.UnknownAuthenticationMethod: return nil, fmt.Errorf("unknown identity type %v", identity) } @@ -285,9 +285,9 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf interfacedMetadataConfigs := make([]auth.AuthConfigEvaluator, 0) - for _, metadata := range authConfig.Spec.Metadata { + for name, metadata := range authConfig.Spec.Metadata { translatedMetadata := &evaluators.MetadataConfig{ - Name: metadata.Name, + Name: name, Priority: metadata.Priority, Conditions: buildJSONExpression(authConfig, metadata.Conditions, jsonexp.All), Metrics: metadata.Metrics, From 30285900d102623a7c2508f6f7adf3951266fbcf Mon Sep 17 00:00:00 2001 From: Alex Snaps Date: Wed, 4 Sep 2024 09:33:06 -0400 Subject: [PATCH 21/31] wip: done with Metadata Signed-off-by: Alex Snaps --- controllers/auth_config_controller.go | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/controllers/auth_config_controller.go b/controllers/auth_config_controller.go index 9a8f411a..9e8ddf92 100644 --- a/controllers/auth_config_controller.go +++ b/controllers/auth_config_controller.go 
@@ -304,19 +304,19 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf ) } - switch metadata.GetType() { + switch metadata.GetMethod() { // uma - case old.MetadataUma: + case api.UmaResourceMetadata: secret := &v1.Secret{} if err := r.Client.Get(ctx, types.NamespacedName{ Namespace: authConfig.Namespace, - Name: metadata.UMA.Credentials.Name}, + Name: metadata.Uma.Credentials.Name}, secret); err != nil { return nil, err // TODO: Review this error, perhaps we don't need to return an error, just reenqueue. } if uma, err := metadata_evaluators.NewUMAMetadata( - metadata.UMA.Endpoint, + metadata.Uma.Endpoint, string(secret.Data["clientID"]), string(secret.Data["clientSecret"]), ); err != nil { @@ -326,7 +326,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf } // user_info - case old.MetadataUserinfo: + case api.UserInfoMetadata: translatedMetadata.UserInfo = &metadata_evaluators.UserInfo{} if idConfig, err := findIdentityConfigByName(identityConfigs, metadata.UserInfo.IdentitySource); err != nil { @@ -336,14 +336,14 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf } // generic http - case old.MetadataGenericHTTP: - ev, err := r.buildGenericHttpEvaluator(ctx, metadata.GenericHTTP, authConfig.Namespace) + case api.HttpMetadata: + ev, err := r.buildGenericHttpEvaluator(ctx, metadata.Http, authConfig.Namespace) if err != nil { return nil, err } translatedMetadata.GenericHTTP = ev - case old.TypeUnknown: + case api.UnknownMetadataMethod: return nil, fmt.Errorf("unknown metadata type %v", metadata) } From 4e0b30a206fad406d4a938e64b59951da541348b Mon Sep 17 00:00:00 2001 From: Alex Snaps Date: Wed, 4 Sep 2024 09:46:08 -0400 Subject: [PATCH 22/31] wip: done with Authorization Signed-off-by: Alex Snaps --- controllers/auth_config_controller.go | 52 ++++++++++++++------------- 1 file changed, 27 insertions(+), 25 deletions(-) 
diff --git a/controllers/auth_config_controller.go b/controllers/auth_config_controller.go index 9e8ddf92..0f16465e 100644 --- a/controllers/auth_config_controller.go +++ b/controllers/auth_config_controller.go @@ -353,9 +353,10 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf interfacedAuthorizationConfigs := make([]auth.AuthConfigEvaluator, 0) ctxWithLogger = log.IntoContext(ctx, log.FromContext(ctx).WithName("authorization")) - for index, authorization := range authConfig.Spec.Authorization { + authzIndex := 0 + for authzName, authorization := range authConfig.Spec.Authorization { translatedAuthorization := &evaluators.AuthorizationConfig{ - Name: authorization.Name, + Name: authzName, Priority: authorization.Priority, Conditions: buildJSONExpression(authConfig, authorization.Conditions, jsonexp.All), Metrics: authorization.Metrics, @@ -372,12 +373,12 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf ) } - switch authorization.GetType() { + switch authorization.GetMethod() { // opa - case old.AuthorizationOPA: - policyName := authConfig.GetNamespace() + "/" + authConfig.GetName() + "/" + authorization.Name - opa := authorization.OPA - externalRegistry := opa.ExternalRegistry + case api.OpaAuthorization: + policyName := authConfig.GetNamespace() + "/" + authConfig.GetName() + "/" + authzName + opa := authorization.Opa + externalRegistry := opa.External secret := &v1.Secret{} var sharedSecret string 
@@ -392,49 +393,49 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf } externalSource := &authorization_evaluators.OPAExternalSource{ - Endpoint: externalRegistry.Endpoint, + Endpoint: externalRegistry.Url, SharedSecret: sharedSecret, AuthCredentials: newAuthCredential(externalRegistry.Credentials), TTL: externalRegistry.TTL, } var err error - translatedAuthorization.OPA, err = authorization_evaluators.NewOPAAuthorization(policyName, opa.InlineRego, externalSource, opa.AllValues, index, ctxWithLogger) + translatedAuthorization.OPA, err = authorization_evaluators.NewOPAAuthorization(policyName, opa.Rego, externalSource, opa.AllValues, authzIndex, ctxWithLogger) if err != nil { return nil, err } // json - case old.AuthorizationJSONPatternMatching: + case api.PatternMatchingAuthorization: translatedAuthorization.JSON = &authorization_evaluators.JSONPatternMatching{ - Rules: buildJSONExpression(authConfig, authorization.JSON.Rules, jsonexp.All), + Rules: buildJSONExpression(authConfig, authorization.PatternMatching.Patterns, jsonexp.All), } - case old.AuthorizationKubernetesAuthz: - user := authorization.KubernetesAuthz.User - authorinoUser := json.JSONValue{Static: user.Value, Pattern: user.ValueFrom.AuthJSON} + case api.KubernetesSubjectAccessReviewAuthorization: + user := authorization.KubernetesSubjectAccessReview.User + authorinoUser := json.JSONValue{Static: user.Value, Pattern: user.Selector} var authorinoResourceAttributes *authorization_evaluators.KubernetesAuthzResourceAttributes - resourceAttributes := authorization.KubernetesAuthz.ResourceAttributes + resourceAttributes := authorization.KubernetesSubjectAccessReview.ResourceAttributes if resourceAttributes != nil { authorinoResourceAttributes = &authorization_evaluators.KubernetesAuthzResourceAttributes{ - Namespace: json.JSONValue{Static: resourceAttributes.Namespace.Value, Pattern: resourceAttributes.Namespace.ValueFrom.AuthJSON}, - Group: json.JSONValue{Static: 
resourceAttributes.Group.Value, Pattern: resourceAttributes.Group.ValueFrom.AuthJSON}, - Resource: json.JSONValue{Static: resourceAttributes.Resource.Value, Pattern: resourceAttributes.Resource.ValueFrom.AuthJSON}, - Name: json.JSONValue{Static: resourceAttributes.Name.Value, Pattern: resourceAttributes.Name.ValueFrom.AuthJSON}, - SubResource: json.JSONValue{Static: resourceAttributes.SubResource.Value, Pattern: resourceAttributes.SubResource.ValueFrom.AuthJSON}, - Verb: json.JSONValue{Static: resourceAttributes.Verb.Value, Pattern: resourceAttributes.Verb.ValueFrom.AuthJSON}, + Namespace: json.JSONValue{Static: resourceAttributes.Namespace.Value, Pattern: resourceAttributes.Namespace.Selector}, + Group: json.JSONValue{Static: resourceAttributes.Group.Value, Pattern: resourceAttributes.Group.Selector}, + Resource: json.JSONValue{Static: resourceAttributes.Resource.Value, Pattern: resourceAttributes.Resource.Selector}, + Name: json.JSONValue{Static: resourceAttributes.Name.Value, Pattern: resourceAttributes.Name.Selector}, + SubResource: json.JSONValue{Static: resourceAttributes.SubResource.Value, Pattern: resourceAttributes.SubResource.Selector}, + Verb: json.JSONValue{Static: resourceAttributes.Verb.Value, Pattern: resourceAttributes.Verb.Selector}, } } var err error - translatedAuthorization.KubernetesAuthz, err = authorization_evaluators.NewKubernetesAuthz(authorinoUser, authorization.KubernetesAuthz.Groups, authorinoResourceAttributes) + translatedAuthorization.KubernetesAuthz, err = authorization_evaluators.NewKubernetesAuthz(authorinoUser, authorization.KubernetesSubjectAccessReview.Groups, authorinoResourceAttributes) if err != nil { return nil, err } - case old.AuthorizationAuthzed: - authzed := authorization.Authzed + case api.SpiceDBAuthorization: + authzed := authorization.SpiceDB secret := &v1.Secret{} var sharedSecret string 
@@ -456,11 +457,12 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf translatedAuthorization.Authzed = translatedAuthzed - case old.TypeUnknown: + case api.UnknownAuthorizationMethod: return nil, fmt.Errorf("unknown authorization type %v", authorization) } interfacedAuthorizationConfigs = append(interfacedAuthorizationConfigs, translatedAuthorization) + authzIndex++ } interfacedResponseConfigs := make([]auth.AuthConfigEvaluator, 0) From 4f9efb3eeae66c85b55ce63849d8aa0d5ec5891b Mon Sep 17 00:00:00 2001 From: Alex Snaps Date: Wed, 4 Sep 2024 09:51:21 -0400 Subject: [PATCH 23/31] wip: done with deniesWith Signed-off-by: Alex Snaps --- controllers/auth_config_controller.go | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/controllers/auth_config_controller.go b/controllers/auth_config_controller.go index 0f16465e..36a914c6 100644 --- a/controllers/auth_config_controller.go +++ b/controllers/auth_config_controller.go @@ -571,9 +571,9 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf interfacedCallbackConfigs := make([]auth.AuthConfigEvaluator, 0) - for name, callback := range authConfig.Spec.Callbacks { + for callbackName, callback := range authConfig.Spec.Callbacks { translatedCallback := &evaluators.CallbackConfig{ - Name: name, + Name: callbackName, Priority: callback.Priority, Conditions: buildJSONExpression(authConfig, callback.Conditions, jsonexp.All), Metrics: callback.Metrics, 
@@ -606,9 +606,11 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf } // denyWith - if denyWith := authConfig.Spec.DenyWith; denyWith != nil { - translatedAuthConfig.Unauthenticated = buildAuthorinoDenyWithValues(denyWith.Unauthenticated) - translatedAuthConfig.Unauthorized = buildAuthorinoDenyWithValues(denyWith.Unauthorized) + if denyWith := authConfig.Spec.Response.Unauthenticated; denyWith != nil { + translatedAuthConfig.Unauthenticated = buildAuthorinoDenyWithValues(denyWith) + } + if denyWith := authConfig.Spec.Response.Unauthorized; denyWith != nil { + translatedAuthConfig.Unauthorized = buildAuthorinoDenyWithValues(denyWith) } return translatedAuthConfig, nil From c243383139fe753313dda2d502a511f2e5b908a1 Mon Sep 17 00:00:00 2001 From: Alex Snaps Date: Wed, 4 Sep 2024 10:01:25 -0400 Subject: [PATCH 24/31] wip: done with response Signed-off-by: Alex Snaps --- controllers/auth_config_controller.go | 55 +++++++++++++++++++-------- 1 file changed, 39 insertions(+), 16 deletions(-) diff --git a/controllers/auth_config_controller.go b/controllers/auth_config_controller.go index 36a914c6..1acfe1d5 100644 --- a/controllers/auth_config_controller.go +++ b/controllers/auth_config_controller.go 
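Review bot: `authConfig.Spec.Response.Unauthenticated` and `.Unauthorized` are read without checking `Spec.Response` itself; the test fixture this series replaces sets `Response: nil` in an `api.AuthConfigSpec` (patch 26), which suggests the field is a pointer and that an AuthConfig without a `response` block would panic the reconciler here. The same unguarded dereference appears in the `Response.Success.Headers`/`DynamicMetadata` loops of patch 24 (@@ -467) and in `updateStatusSummary` and `issuingWristbands` of patch 26 (@@ -181, @@ -213). Wrapping these reads in `if resp := authConfig.Spec.Response; resp != nil {`, or normalising a nil `Response` to an empty value once at the top of `translateAuthConfig`, covers all of them; the title of patch 28 suggests it attempts this, but its hunks for these spots are not in view.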
@@ -467,13 +467,36 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf interfacedResponseConfigs := make([]auth.AuthConfigEvaluator, 0) - for _, response := range authConfig.Spec.Response { + for responseName, headerResponse := range authConfig.Spec.Response.Success.Headers { translatedResponse := evaluators.NewResponseConfig( - response.Name, + responseName, + headerResponse.Priority, + buildJSONExpression(authConfig, headerResponse.Conditions, jsonexp.All), + "httpHeader", + headerResponse.Key, + headerResponse.Metrics, + ) + + if headerResponse.Cache != nil { + ttl := headerResponse.Cache.TTL + if ttl == 0 { + ttl = old.EvaluatorDefaultCacheTTL + } + translatedResponse.Cache = evaluators.NewEvaluatorCache( + *getJsonFromStaticDynamic(&headerResponse.Cache.Key), + ttl, + ) + } + interfacedResponseConfigs = append(interfacedResponseConfigs, translatedResponse) + } + + for responseName, response := range authConfig.Spec.Response.Success.DynamicMetadata { + translatedResponse := evaluators.NewResponseConfig( + responseName, response.Priority, buildJSONExpression(authConfig, response.Conditions, jsonexp.All), - string(response.Wrapper), - response.WrapperKey, + "envoyDynamicMetadata", + response.Key, response.Metrics, ) @@ -488,9 +511,9 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf ) } - switch response.GetType() { + switch response.GetMethod() { // wristband - case old.ResponseWristband: + case api.WristbandAuthResponse: wristband := response.Wristband signingKeys := make([]jose.JSONWebKey, 0) 
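Review bot: The new loop over `authConfig.Spec.Response.Success.Headers` appends `translatedResponse` straight after the cache block without ever reaching the `switch ... GetMethod()` that the `DynamicMetadata` loop below falls into, so a header response of wristband, JSON or plain type is registered with the `"httpHeader"` wrapper and key but none of `Wristband`, `DynamicJSON` or `Plain` set, unless a later patch in the series adds that. Rather than duplicating the long switch, collect `(name, wrapper, spec)` entries from both maps into a slice first and run the existing loop body, cache handling plus the switch, once over that slice. The literals `"httpHeader"` and `"envoyDynamicMetadata"` replace `string(response.Wrapper)`; if the evaluators package exposes constants for these wrapper names, use those instead. `translateAuthConfig` continues outside this hunk.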
@@ -516,12 +539,12 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf } customClaims := make([]json.JSONProperty, 0) - for _, claim := range wristband.CustomClaims { + for claimName, claim := range wristband.CustomClaims { customClaims = append(customClaims, json.JSONProperty{ - Name: claim.Name, + Name: claimName, Value: json.JSONValue{ Static: claim.Value, - Pattern: claim.ValueFrom.AuthJSON, + Pattern: claim.Selector, }, }) } @@ -538,15 +561,15 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf } // dynamic json - case old.ResponseDynamicJSON: + case api.JsonAuthResponse: jsonProperties := make([]json.JSONProperty, 0) - for _, property := range response.JSON.Properties { + for propertyName, property := range response.Json.Properties { jsonProperties = append(jsonProperties, json.JSONProperty{ - Name: property.Name, + Name: propertyName, Value: json.JSONValue{ Static: property.Value, - Pattern: property.ValueFrom.AuthJSON, + Pattern: property.Selector, }, }) } @@ -554,15 +577,15 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf translatedResponse.DynamicJSON = response_evaluators.NewDynamicJSONResponse(jsonProperties) // plain - case old.ResponsePlain: + case api.PlainAuthResponse: translatedResponse.Plain = &response_evaluators.Plain{ JSONValue: json.JSONValue{ Static: response.Plain.Value, - Pattern: response.Plain.ValueFrom.AuthJSON, + Pattern: response.Plain.Selector, }, } - case old.TypeUnknown: + case api.UnknownAuthResponseMethod: return nil, fmt.Errorf("unknown response type %v", response) } From 920b7560aa2fefcf78d2ba86036253e01d1025bb Mon Sep 17 00:00:00 2001 From: Alex Snaps Date: Wed, 4 Sep 2024 10:05:33 -0400 Subject: [PATCH 25/31] wip: done with 'old' api Signed-off-by: Alex Snaps --- controllers/auth_config_controller.go | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) 
diff --git a/controllers/auth_config_controller.go b/controllers/auth_config_controller.go index 1acfe1d5..a4bde94b 100644 --- a/controllers/auth_config_controller.go +++ b/controllers/auth_config_controller.go @@ -22,7 +22,6 @@ import ( "sort" "sync" - old "github.com/kuadrant/authorino/api/v1beta1" api "github.com/kuadrant/authorino/api/v1beta2" "github.com/kuadrant/authorino/pkg/auth" "github.com/kuadrant/authorino/pkg/evaluators" @@ -202,7 +201,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf if identity.Cache != nil { ttl := identity.Cache.TTL if ttl == 0 { - ttl = old.EvaluatorDefaultCacheTTL + ttl = api.EvaluatorDefaultCacheTTL } translatedIdentity.Cache = evaluators.NewEvaluatorCache( *getJsonFromStaticDynamic(&identity.Cache.Key), @@ -296,7 +295,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf if metadata.Cache != nil { ttl := metadata.Cache.TTL if ttl == 0 { - ttl = old.EvaluatorDefaultCacheTTL + ttl = api.EvaluatorDefaultCacheTTL } translatedMetadata.Cache = evaluators.NewEvaluatorCache( *getJsonFromStaticDynamic(&metadata.Cache.Key), @@ -365,7 +364,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf if authorization.Cache != nil { ttl := authorization.Cache.TTL if ttl == 0 { - ttl = old.EvaluatorDefaultCacheTTL + ttl = api.EvaluatorDefaultCacheTTL } translatedAuthorization.Cache = evaluators.NewEvaluatorCache( *getJsonFromStaticDynamic(&authorization.Cache.Key), @@ -480,7 +479,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf if headerResponse.Cache != nil { ttl := headerResponse.Cache.TTL if ttl == 0 { - ttl = old.EvaluatorDefaultCacheTTL + ttl = api.EvaluatorDefaultCacheTTL } translatedResponse.Cache = evaluators.NewEvaluatorCache( *getJsonFromStaticDynamic(&headerResponse.Cache.Key), 
@@ -503,7 +502,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf if response.Cache != nil { ttl := response.Cache.TTL if ttl == 0 { - ttl = old.EvaluatorDefaultCacheTTL + ttl = api.EvaluatorDefaultCacheTTL } translatedResponse.Cache = evaluators.NewEvaluatorCache( *getJsonFromStaticDynamic(&response.Cache.Key), @@ -680,7 +679,7 @@ func (r *AuthConfigReconciler) bootstrapIndex(ctx context.Context) error { return nil } - authConfigList := old.AuthConfigList{} + authConfigList := api.AuthConfigList{} listOptions := []client.ListOption{} if r.LabelSelector != nil { listOptions = append(listOptions, client.MatchingLabelsSelector{Selector: r.LabelSelector}) @@ -735,7 +734,7 @@ func (r *AuthConfigReconciler) ClusterWide() bool { func (r *AuthConfigReconciler) SetupWithManager(mgr ctrl.Manager) error { return ctrl.NewControllerManagedBy(mgr). - For(&old.AuthConfig{}, builder.WithPredicates(LabelSelectorPredicate(r.LabelSelector))). + For(&api.AuthConfig{}, builder.WithPredicates(LabelSelectorPredicate(r.LabelSelector))). Complete(r) } @@ -746,7 +745,7 @@ func (r *AuthConfigReconciler) Ready(includes, _ []string, _ bool) error { for id, status := range r.StatusReport.ReadAll() { switch status.Reason { - case old.StatusReasonReconciled: + case api.StatusReasonReconciled: continue default: return fmt.Errorf("authconfig is not ready: %s (reason: %s)", id, status.Reason) From 965ea4b9a35725c45abde2b545b29773bc56e82e Mon Sep 17 00:00:00 2001 From: Alex Snaps Date: Wed, 4 Sep 2024 10:30:56 -0400 Subject: [PATCH 26/31] wip: done with tests Signed-off-by: Alex Snaps --- controllers/auth_config_controller_test.go | 90 ++++++++++------------ controllers/auth_config_status_updater.go | 22 +++--- 2 files changed, 52 insertions(+), 60 deletions(-) diff --git a/controllers/auth_config_controller_test.go b/controllers/auth_config_controller_test.go index 392ab37a..f286364f 100644 --- a/controllers/auth_config_controller_test.go 
+++ b/controllers/auth_config_controller_test.go @@ -6,7 +6,6 @@ import ( "os" "testing" - old "github.com/kuadrant/authorino/api/v1beta1" api "github.com/kuadrant/authorino/api/v1beta2" "github.com/kuadrant/authorino/pkg/evaluators" "github.com/kuadrant/authorino/pkg/httptest" 
@@ -41,46 +40,46 @@ func TestMain(m *testing.M) { } func newTestAuthConfig(authConfigLabels map[string]string) api.AuthConfig { - spec := old.AuthConfigSpec{ + spec := api.AuthConfigSpec{ Hosts: []string{"echo-api"}, - Identity: []*old.Identity{ - { - Name: "keycloak", - Oidc: &old.Identity_OidcConfig{ - Endpoint: "http://127.0.0.1:9001/auth/realms/demo", + Authentication: map[string]api.AuthenticationSpec{ + "keycloak": { + AuthenticationMethodSpec: api.AuthenticationMethodSpec{ + Jwt: &api.JwtAuthenticationSpec{ + IssuerUrl: "http://127.0.0.1:9001/auth/realms/demo", + }, }, - ExtendedProperties: []old.ExtendedProperty{ - { - JsonProperty: old.JsonProperty{ - Name: "source", - Value: runtime.RawExtension{Raw: []byte(`"test"`)}, - }, + Defaults: map[string]api.ValueOrSelector{ + "source": { + Value: runtime.RawExtension{Raw: []byte(`"test"`)}, }, }, }, }, - Metadata: []*old.Metadata{ - { - Name: "userinfo", - UserInfo: &old.Metadata_UserInfo{ - IdentitySource: "keycloak", + Metadata: map[string]api.MetadataSpec{ + "userinfo": { + MetadataMethodSpec: api.MetadataMethodSpec{ + UserInfo: &api.UserInfoMetadataSpec{ + IdentitySource: "keycloak", + }, }, }, - { - Name: "resource-data", - UMA: &old.Metadata_UMA{ - Endpoint: "http://127.0.0.1:9001/auth/realms/demo", - Credentials: &v1.LocalObjectReference{ - Name: "secret", + "resource-data": { + MetadataMethodSpec: api.MetadataMethodSpec{ + Uma: &api.UmaMetadataSpec{ + Endpoint: "http://127.0.0.1:9001/auth/realms/demo", + Credentials: &v1.LocalObjectReference{ + Name: "secret", + }, }, }, }, }, - Authorization: []*old.Authorization{ - { - Name: "main-policy", - OPA: &old.Authorization_OPA{ - InlineRego: ` + Authorization: map[string]api.AuthorizationSpec{ + "main-policy": { + AuthorizationMethodSpec: api.AuthorizationMethodSpec{ + Opa: &api.OpaAuthorizationSpec{ + Rego: ` method = object.get(input.context.request.http, "method", "") path = object.get(input.context.request.http, "path", "") 
@@ -88,17 +87,19 @@ func newTestAuthConfig(authConfigLabels map[string]string) api.AuthConfig { method == "GET" path = "/allow" }`, + }, }, }, - { - Name: "some-extra-rules", - JSON: &old.Authorization_JSONPatternMatching{ - Rules: []old.JSONPattern{ - { - JSONPatternExpression: old.JSONPatternExpression{ - Selector: "context.identity.role", - Operator: "eq", - Value: "admin", + "some-extra-rules": { + AuthorizationMethodSpec: api.AuthorizationMethodSpec{ + PatternMatching: &api.PatternMatchingAuthorizationSpec{ + Patterns: []api.PatternExpressionOrRef{ + { + PatternExpression: api.PatternExpression{ + Selector: "context.identity.role", + Operator: "eq", + Value: "admin", + }, }, }, }, @@ -109,23 +110,14 @@ func newTestAuthConfig(authConfigLabels map[string]string) api.AuthConfig { return api.AuthConfig{ TypeMeta: metav1.TypeMeta{ Kind: "AuthConfig", - APIVersion: "authorino.kuadrant.io/v1beta1", + APIVersion: "authorino.kuadrant.io/v1beta2", }, ObjectMeta: metav1.ObjectMeta{ Name: "auth-config-1", Namespace: "authorino", Labels: authConfigLabels, }, - Spec: api.AuthConfigSpec{ - Hosts: []string{"echo-api"}, - NamedPatterns: nil, - Conditions: nil, - Authentication: nil, - Metadata: nil, - Authorization: nil, - Response: nil, - Callbacks: nil, - }, + Spec: spec, } } diff --git a/controllers/auth_config_status_updater.go b/controllers/auth_config_status_updater.go index 8fc68d84..2804d3c7 100644 --- a/controllers/auth_config_status_updater.go +++ b/controllers/auth_config_status_updater.go @@ -6,7 +6,7 @@ import ( "sort" "strings" - api "github.com/kuadrant/authorino/api/v1beta1" + api "github.com/kuadrant/authorino/api/v1beta2" "github.com/kuadrant/authorino/pkg/log" "github.com/kuadrant/authorino/pkg/utils" 
@@ -105,11 +105,11 @@ func (u *AuthConfigStatusUpdater) SetupWithManager(mgr ctrl.Manager) error { Complete(u) } -func updateStatusConditions(currentConditions []api.Condition, newCondition api.Condition) ([]api.Condition, bool) { +func updateStatusConditions(currentConditions []api.AuthConfigStatusCondition, newCondition api.AuthConfigStatusCondition) ([]api.AuthConfigStatusCondition, bool) { newCondition.LastTransitionTime = metav1.Now() if currentConditions == nil { - return []api.Condition{newCondition}, true + return []api.AuthConfigStatusCondition{newCondition}, true } for i, condition := range currentConditions { @@ -122,7 +122,7 @@ func updateStatusConditions(currentConditions []api.Condition, newCondition api. newCondition.LastTransitionTime = condition.LastTransitionTime } - res := make([]api.Condition, len(currentConditions)) + res := make([]api.AuthConfigStatusCondition, len(currentConditions)) copy(res, currentConditions) res[i] = newCondition return res, true @@ -143,7 +143,7 @@ func updateStatusAvailable(authConfig *api.AuthConfig, available bool) (changed message = "" } - authConfig.Status.Conditions, changed = updateStatusConditions(authConfig.Status.Conditions, api.Condition{ + authConfig.Status.Conditions, changed = updateStatusConditions(authConfig.Status.Conditions, api.AuthConfigStatusCondition{ Type: api.StatusConditionAvailable, Status: status, Reason: reason, @@ -164,7 +164,7 @@ func updateStatusReady(authConfig *api.AuthConfig, ready bool, reason, message s reason = api.StatusReasonUnknown } - authConfig.Status.Conditions, changed = updateStatusConditions(authConfig.Status.Conditions, api.Condition{ + authConfig.Status.Conditions, changed = updateStatusConditions(authConfig.Status.Conditions, api.AuthConfigStatusCondition{ Type: api.StatusConditionReady, Status: status, Reason: reason, 
@@ -181,14 +181,14 @@ func updateStatusSummary(authConfig *api.AuthConfig, newLinkedHosts []string) (c newLinkedHosts = []string{} } - new := api.Summary{ + new := api.AuthConfigStatusSummary{ Ready: authConfig.Status.Ready(), HostsReady: newLinkedHosts, NumHostsReady: fmt.Sprintf("%d/%d", len(newLinkedHosts), len(authConfig.Spec.Hosts)), - NumIdentitySources: int64(len(authConfig.Spec.Identity)), + NumIdentitySources: int64(len(authConfig.Spec.Authentication)), NumMetadataSources: int64(len(authConfig.Spec.Metadata)), NumAuthorizationPolicies: int64(len(authConfig.Spec.Authorization)), - NumResponseItems: int64(len(authConfig.Spec.Response)), + NumResponseItems: int64(len(authConfig.Spec.Response.Success.DynamicMetadata) + len(authConfig.Spec.Response.Success.Headers)), FestivalWristbandEnabled: issuingWristbands(authConfig), } @@ -213,8 +213,8 @@ func updateStatusSummary(authConfig *api.AuthConfig, newLinkedHosts []string) (c } func issuingWristbands(authConfig *api.AuthConfig) bool { - for _, responseConfig := range authConfig.Spec.Response { - if responseConfig.GetType() == api.ResponseWristband { + for _, responseConfig := range authConfig.Spec.Response.Success.DynamicMetadata { + if responseConfig.GetMethod() == api.WristbandAuthResponse { return true } } From 4b244a44a886ab3eaa928a33433f36bf992200d1 Mon Sep 17 00:00:00 2001 From: Alex Snaps Date: Wed, 4 Sep 2024 10:43:52 -0400 Subject: [PATCH 27/31] Tentative at dealing with no opa.External provided Signed-off-by: Alex Snaps --- controllers/auth_config_controller.go | 36 ++++++++++++++++----------- 1 file changed, 21 insertions(+), 15 deletions(-) diff --git a/controllers/auth_config_controller.go b/controllers/auth_config_controller.go index a4bde94b..78a97be6 100644 --- a/controllers/auth_config_controller.go +++ b/controllers/auth_config_controller.go 
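Review bot: `issuingWristbands` only scans `Spec.Response.Success.DynamicMetadata`, while `NumResponseItems` in @@ -181 of the same file now counts `DynamicMetadata` plus `Headers`; a wristband configured as a header response would be counted as a response item yet leave `FestivalWristbandEnabled` false. Ranging over `Success.Headers` with the same `GetMethod() == api.WristbandAuthResponse` test keeps the two summaries consistent. Both reads also dereference `Spec.Response` without a nil check. The function's `return false` lies outside the hunk.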
@@ -377,25 +377,31 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf case api.OpaAuthorization: policyName := authConfig.GetNamespace() + "/" + authConfig.GetName() + "/" + authzName opa := authorization.Opa - externalRegistry := opa.External secret := &v1.Secret{} - var sharedSecret string - if externalRegistry.SharedSecret != nil { - if err := r.Client.Get(ctx, types.NamespacedName{ - Namespace: authConfig.Namespace, - Name: externalRegistry.SharedSecret.Name}, - secret); err != nil { - return nil, err // TODO: Review this error, perhaps we don't need to return an error, just reenqueue. + var ( + sharedSecret string + externalSource *authorization_evaluators.OPAExternalSource + ) + + if opa.External != nil { + externalRegistry := opa.External + if externalRegistry.SharedSecret != nil { + if err := r.Client.Get(ctx, types.NamespacedName{ + Namespace: authConfig.Namespace, + Name: externalRegistry.SharedSecret.Name}, + secret); err != nil { + return nil, err // TODO: Review this error, perhaps we don't need to return an error, just reenqueue. + } + sharedSecret = string(secret.Data[externalRegistry.SharedSecret.Key]) } - sharedSecret = string(secret.Data[externalRegistry.SharedSecret.Key]) - } - externalSource := &authorization_evaluators.OPAExternalSource{ - Endpoint: externalRegistry.Url, - SharedSecret: sharedSecret, - AuthCredentials: newAuthCredential(externalRegistry.Credentials), - TTL: externalRegistry.TTL, + externalSource = &authorization_evaluators.OPAExternalSource{ + Endpoint: externalRegistry.Url, + SharedSecret: sharedSecret, + AuthCredentials: newAuthCredential(externalRegistry.Credentials), + TTL: externalRegistry.TTL, + } } var err error From 11a32e6aaf560f85919bc92ee43148b0b6a69b27 Mon Sep 17 00:00:00 2001 From: Alex Snaps Date: Wed, 4 Sep 2024 10:51:24 -0400 Subject: [PATCH 28/31] Tentative at dealing with no Response provided 
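Review bot: `sharedSecret = string(secret.Data[externalRegistry.SharedSecret.Key])` still reads the map entry without checking it exists, so a Secret of the right name but without the referenced key silently yields an empty shared secret that is then handed to the external OPA source as a credential; a missing or empty entry should fail the reconcile with a message naming the secret and key. After this hunk `externalSource` stays nil when `opa.External` is absent, so whatever builds the OPA evaluator below `var err error` (outside the hunk) must accept a nil source; a one-line comment on the `var (...)` block, `// externalSource stays nil when no external registry is configured`, makes that contract visible. The rewritten lookup:

```go
if externalRegistry.SharedSecret != nil {
    if err := r.Client.Get(ctx, types.NamespacedName{
        Namespace: authConfig.Namespace,
        Name:      externalRegistry.SharedSecret.Name}, secret); err != nil {
        return nil, err // TODO: Review this error, perhaps we don't need to return an error, just reenqueue.
    }
    val, ok := secret.Data[externalRegistry.SharedSecret.Key]
    if !ok || len(val) == 0 {
        return nil, fmt.Errorf("secret %s/%s has no non-empty key %q for the OPA shared secret", authConfig.Namespace, externalRegistry.SharedSecret.Name, externalRegistry.SharedSecret.Key)
    }
    sharedSecret = string(val)
}
// … unchanged: externalSource construction …
```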
Signed-off-by: Alex Snaps --- controllers/auth_config_controller.go | 223 +++++++++++---------- controllers/auth_config_controller_test.go | 10 +- controllers/auth_config_status_updater.go | 14 +- 3 files changed, 133 insertions(+), 114 deletions(-) diff --git a/controllers/auth_config_controller.go b/controllers/auth_config_controller.go index 78a97be6..03e91261 100644 --- a/controllers/auth_config_controller.go +++ b/controllers/auth_config_controller.go @@ -166,6 +166,9 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf authConfigIdentityConfigs := authConfig.Spec.Authentication if len(authConfigIdentityConfigs) == 0 { + if authConfigIdentityConfigs == nil { + authConfigIdentityConfigs = make(map[string]api.AuthenticationSpec) + } authConfigIdentityConfigs["anonymous"] = api.AuthenticationSpec{ CommonEvaluatorSpec: api.CommonEvaluatorSpec{}, Credentials: api.Credentials{}, 
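Review bot: The added nil check only avoids the write-to-nil-map panic; when `Spec.Authentication` is a non-nil but empty map, the `"anonymous"` entry is still written into the map owned by the AuthConfig object, which in a controller is typically the shared informer-cache copy, so the injected identity becomes visible to every other reader of that object. The branch already knows the map is empty, so replace the three added lines with a fresh map in all cases: `authConfigIdentityConfigs = map[string]api.AuthenticationSpec{}`. A comment is also warranted because this fallback appears to turn "no authentication configured" into an anonymous identity that lets requests through, e.g. `// no authentication configured: evaluate with an anonymous identity instead of rejecting everything`. `translateAuthConfig` continues outside the hunk.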
@@ -472,129 +475,133 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf interfacedResponseConfigs := make([]auth.AuthConfigEvaluator, 0) - for responseName, headerResponse := range authConfig.Spec.Response.Success.Headers { - translatedResponse := evaluators.NewResponseConfig( - responseName, - headerResponse.Priority, - buildJSONExpression(authConfig, headerResponse.Conditions, jsonexp.All), - "httpHeader", - headerResponse.Key, - headerResponse.Metrics, - ) + if authConfig.Spec.Response != nil { + for responseName, headerResponse := range authConfig.Spec.Response.Success.Headers { + translatedResponse := evaluators.NewResponseConfig( + responseName, + headerResponse.Priority, + buildJSONExpression(authConfig, headerResponse.Conditions, jsonexp.All), + "httpHeader", + headerResponse.Key, + headerResponse.Metrics, + ) - if headerResponse.Cache != nil { - ttl := headerResponse.Cache.TTL - if ttl == 0 { - ttl = api.EvaluatorDefaultCacheTTL + if headerResponse.Cache != nil { + ttl := headerResponse.Cache.TTL + if ttl == 0 { + ttl = api.EvaluatorDefaultCacheTTL + } + translatedResponse.Cache = evaluators.NewEvaluatorCache( + *getJsonFromStaticDynamic(&headerResponse.Cache.Key), + ttl, + ) } - translatedResponse.Cache = evaluators.NewEvaluatorCache( - *getJsonFromStaticDynamic(&headerResponse.Cache.Key), - ttl, - ) + interfacedResponseConfigs = append(interfacedResponseConfigs, translatedResponse) } - interfacedResponseConfigs = append(interfacedResponseConfigs, translatedResponse) } - for responseName, response := range authConfig.Spec.Response.Success.DynamicMetadata { - translatedResponse := evaluators.NewResponseConfig( - responseName, - response.Priority, - buildJSONExpression(authConfig, response.Conditions, jsonexp.All), - "envoyDynamicMetadata", - response.Key, - response.Metrics, - ) + if authConfig.Spec.Response != nil { + for responseName, response := range authConfig.Spec.Response.Success.DynamicMetadata { + 
translatedResponse := evaluators.NewResponseConfig( + responseName, + response.Priority, + buildJSONExpression(authConfig, response.Conditions, jsonexp.All), + "envoyDynamicMetadata", + response.Key, + response.Metrics, + ) - if response.Cache != nil { - ttl := response.Cache.TTL - if ttl == 0 { - ttl = api.EvaluatorDefaultCacheTTL + if response.Cache != nil { + ttl := response.Cache.TTL + if ttl == 0 { + ttl = api.EvaluatorDefaultCacheTTL + } + translatedResponse.Cache = evaluators.NewEvaluatorCache( + *getJsonFromStaticDynamic(&response.Cache.Key), + ttl, + ) } - translatedResponse.Cache = evaluators.NewEvaluatorCache( - *getJsonFromStaticDynamic(&response.Cache.Key), - ttl, - ) - } - switch response.GetMethod() { - // wristband - case api.WristbandAuthResponse: - wristband := response.Wristband - signingKeys := make([]jose.JSONWebKey, 0) + switch response.GetMethod() { + // wristband + case api.WristbandAuthResponse: + wristband := response.Wristband + signingKeys := make([]jose.JSONWebKey, 0) - for _, signingKeyRef := range wristband.SigningKeyRefs { - secret := &v1.Secret{} - secretName := types.NamespacedName{ - Namespace: authConfig.Namespace, - Name: signingKeyRef.Name, - } - if err := r.Client.Get(ctx, secretName, secret); err != nil { - return nil, err // TODO: Review this error, perhaps we don't need to return an error, just reenqueue. - } else { - if signingKey, err := response_evaluators.NewSigningKey( - signingKeyRef.Name, - string(signingKeyRef.Algorithm), - secret.Data["key.pem"], - ); err != nil { - return nil, err + for _, signingKeyRef := range wristband.SigningKeyRefs { + secret := &v1.Secret{} + secretName := types.NamespacedName{ + Namespace: authConfig.Namespace, + Name: signingKeyRef.Name, + } + if err := r.Client.Get(ctx, secretName, secret); err != nil { + return nil, err // TODO: Review this error, perhaps we don't need to return an error, just reenqueue. 
} else { - signingKeys = append(signingKeys, *signingKey) + if signingKey, err := response_evaluators.NewSigningKey( + signingKeyRef.Name, + string(signingKeyRef.Algorithm), + secret.Data["key.pem"], + ); err != nil { + return nil, err + } else { + signingKeys = append(signingKeys, *signingKey) + } } } - } - customClaims := make([]json.JSONProperty, 0) - for claimName, claim := range wristband.CustomClaims { - customClaims = append(customClaims, json.JSONProperty{ - Name: claimName, - Value: json.JSONValue{ - Static: claim.Value, - Pattern: claim.Selector, - }, - }) - } + customClaims := make([]json.JSONProperty, 0) + for claimName, claim := range wristband.CustomClaims { + customClaims = append(customClaims, json.JSONProperty{ + Name: claimName, + Value: json.JSONValue{ + Static: claim.Value, + Pattern: claim.Selector, + }, + }) + } - if authorinoWristband, err := response_evaluators.NewWristbandConfig( - wristband.Issuer, - customClaims, - wristband.TokenDuration, - signingKeys, - ); err != nil { - return nil, err - } else { - translatedResponse.Wristband = authorinoWristband - } + if authorinoWristband, err := response_evaluators.NewWristbandConfig( + wristband.Issuer, + customClaims, + wristband.TokenDuration, + signingKeys, + ); err != nil { + return nil, err + } else { + translatedResponse.Wristband = authorinoWristband + } - // dynamic json - case api.JsonAuthResponse: - jsonProperties := make([]json.JSONProperty, 0) + // dynamic json + case api.JsonAuthResponse: + jsonProperties := make([]json.JSONProperty, 0) + + for propertyName, property := range response.Json.Properties { + jsonProperties = append(jsonProperties, json.JSONProperty{ + Name: propertyName, + Value: json.JSONValue{ + Static: property.Value, + Pattern: property.Selector, + }, + }) + } - for propertyName, property := range response.Json.Properties { - jsonProperties = append(jsonProperties, json.JSONProperty{ - Name: propertyName, - Value: json.JSONValue{ - Static: property.Value, - Pattern: 
property.Selector, - }, - }) - } + translatedResponse.DynamicJSON = response_evaluators.NewDynamicJSONResponse(jsonProperties) - translatedResponse.DynamicJSON = response_evaluators.NewDynamicJSONResponse(jsonProperties) + // plain + case api.PlainAuthResponse: + translatedResponse.Plain = &response_evaluators.Plain{ + JSONValue: json.JSONValue{ + Static: response.Plain.Value, + Pattern: response.Plain.Selector, + }, + } - // plain - case api.PlainAuthResponse: - translatedResponse.Plain = &response_evaluators.Plain{ - JSONValue: json.JSONValue{ - Static: response.Plain.Value, - Pattern: response.Plain.Selector, - }, + case api.UnknownAuthResponseMethod: + return nil, fmt.Errorf("unknown response type %v", response) } - case api.UnknownAuthResponseMethod: - return nil, fmt.Errorf("unknown response type %v", response) + interfacedResponseConfigs = append(interfacedResponseConfigs, translatedResponse) } - - interfacedResponseConfigs = append(interfacedResponseConfigs, translatedResponse) } interfacedCallbackConfigs := make([]auth.AuthConfigEvaluator, 0) @@ -634,11 +641,13 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf } // denyWith - if denyWith := authConfig.Spec.Response.Unauthenticated; denyWith != nil { - translatedAuthConfig.Unauthenticated = buildAuthorinoDenyWithValues(denyWith) - } - if denyWith := authConfig.Spec.Response.Unauthorized; denyWith != nil { - translatedAuthConfig.Unauthorized = buildAuthorinoDenyWithValues(denyWith) + if authConfig.Spec.Response != nil { + if denyWith := authConfig.Spec.Response.Unauthenticated; denyWith != nil { + translatedAuthConfig.Unauthenticated = buildAuthorinoDenyWithValues(denyWith) + } + if denyWith := authConfig.Spec.Response.Unauthorized; denyWith != nil { + translatedAuthConfig.Unauthorized = buildAuthorinoDenyWithValues(denyWith) + } } return translatedAuthConfig, nil 
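Review bot: In the new `Success.Headers` loop the evaluator is appended straight after `injectCache`, without the `switch response.GetMethod()` that the `Success.DynamicMetadata` loop runs, so a header response configured as wristband, json or plain ends up with none of `Wristband`, `DynamicJSON` or `Plain` set and its signing-key secrets are never loaded. Unless header responses are intentionally limited to a bare key, the switch body should become a helper called from both loops rather than living in one of them, e.g. `if err := translateSuccessResponse(ctx, r, authConfig, headerResponse.SuccessResponseSpec, translatedResponse); err != nil { return nil, err }`. The two `if authConfig.Spec.Response != nil` guards wrapping consecutive loops can also be a single guard. `translateAuthConfig` starts and ends outside the hunk.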
diff --git a/controllers/auth_config_controller_test.go b/controllers/auth_config_controller_test.go index f286364f..84e58631 100644 --- a/controllers/auth_config_controller_test.go +++ b/controllers/auth_config_controller_test.go @@ -170,7 +170,7 @@ func TestReconcileAuthConfigOk(t *testing.T) { config := authConfigIndex.Get("echo-api") assert.Check(t, config != nil) idConfig, _ := config.IdentityConfigs[0].(*evaluators.IdentityConfig) - assert.Equal(t, idConfig.ExtendedProperties[0].Name, "source") + assert.Equal(t, idConfig.ExtendedProperties[1].Name, "source") // TODO(@guicassolato): assert other fields of the AuthConfig } @@ -390,6 +390,10 @@ func TestBootstrapIndex(t *testing.T) { indexMock := mock_index.NewMockIndex(mockController) authConfig := newTestAuthConfig(map[string]string{"scope": "in"}) + expectedNumResponseItems := 0 + if authConfig.Spec.Response != nil { + expectedNumResponseItems = len(authConfig.Spec.Response.Success.DynamicMetadata) + len(authConfig.Spec.Response.Success.Headers) + } authConfig.Status.Summary = api.AuthConfigStatusSummary{ Ready: true, HostsReady: authConfig.Spec.Hosts, @@ -397,7 +401,7 @@ func TestBootstrapIndex(t *testing.T) { NumIdentitySources: int64(len(authConfig.Spec.Authentication)), NumMetadataSources: int64(len(authConfig.Spec.Metadata)), NumAuthorizationPolicies: int64(len(authConfig.Spec.Authorization)), - NumResponseItems: int64(len(authConfig.Spec.Response.Success.DynamicMetadata) + len(authConfig.Spec.Response.Success.Headers)), + NumResponseItems: int64(expectedNumResponseItems), FestivalWristbandEnabled: false, } 
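Review bot: The assertion in `TestReconcileAuthConfigOk` now pins `ExtendedProperties[1]` instead of `[0]` with nothing in the diff explaining why the position moved; if `ExtendedProperties` is assembled from a map or from several spec sections, a positional index is brittle and the test should look the entry up by name with a small loop over `idConfig.ExtendedProperties` that fails when no property named `"source"` exists. In `TestBootstrapIndex` the `expectedNumResponseItems` computation is the same sum the controller computes, so a shared helper such as `countResponseItems(authConfig)` keeps the test and the status updater in step.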
@@ -409,7 +413,7 @@ func TestBootstrapIndex(t *testing.T) { NumIdentitySources: int64(len(authConfig.Spec.Authentication)), NumMetadataSources: int64(len(authConfig.Spec.Metadata)), NumAuthorizationPolicies: int64(len(authConfig.Spec.Authorization)), - NumResponseItems: int64(len(authConfig.Spec.Response.Success.DynamicMetadata) + len(authConfig.Spec.Response.Success.Headers)), + NumResponseItems: int64(expectedNumResponseItems), FestivalWristbandEnabled: false, } diff --git a/controllers/auth_config_status_updater.go b/controllers/auth_config_status_updater.go index 2804d3c7..5793d9bd 100644 --- a/controllers/auth_config_status_updater.go +++ b/controllers/auth_config_status_updater.go @@ -181,6 +181,10 @@ func updateStatusSummary(authConfig *api.AuthConfig, newLinkedHosts []string) (c newLinkedHosts = []string{} } + numResponseItems := 0 + if authConfig.Spec.Response != nil { + numResponseItems = len(authConfig.Spec.Response.Success.DynamicMetadata) + len(authConfig.Spec.Response.Success.Headers) + } new := api.AuthConfigStatusSummary{ Ready: authConfig.Status.Ready(), HostsReady: newLinkedHosts, @@ -188,7 +192,7 @@ func updateStatusSummary(authConfig *api.AuthConfig, newLinkedHosts []string) (c NumIdentitySources: int64(len(authConfig.Spec.Authentication)), NumMetadataSources: int64(len(authConfig.Spec.Metadata)), NumAuthorizationPolicies: int64(len(authConfig.Spec.Authorization)), - NumResponseItems: int64(len(authConfig.Spec.Response.Success.DynamicMetadata) + len(authConfig.Spec.Response.Success.Headers)), + NumResponseItems: int64(numResponseItems), FestivalWristbandEnabled: issuingWristbands(authConfig), } 
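Review bot: `numResponseItems` in `updateStatusSummary` re-implements the sum that the tests also spell out, which is one more place to update whenever a success-response kind is added. Extract it as `func countResponseItems(authConfig *api.AuthConfig) int` in the controllers package and call it from both the summary and the tests. A one-line comment on the guard, `// Response is optional; a nil block contributes no items`, records the contract the summary now relies on.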
@@ -213,9 +217,11 @@ func updateStatusSummary(authConfig *api.AuthConfig, newLinkedHosts []string) (c } func issuingWristbands(authConfig *api.AuthConfig) bool { - for _, responseConfig := range authConfig.Spec.Response.Success.DynamicMetadata { - if responseConfig.GetMethod() == api.WristbandAuthResponse { - return true + if authConfig.Spec.Response != nil { + for _, responseConfig := range authConfig.Spec.Response.Success.DynamicMetadata { + if responseConfig.GetMethod() == api.WristbandAuthResponse { + return true + } } } return false From 3d43aefb5c7c9b703ba06ea504c7d1e55743e6cc Mon Sep 17 00:00:00 2001 From: Alex Snaps Date: Wed, 4 Sep 2024 19:20:50 -0400 Subject: [PATCH 29/31] Review feedback Signed-off-by: Alex Snaps --- controllers/auth_config_controller.go | 49 ++++++++++------------- controllers/auth_config_status_updater.go | 5 +++ 2 files changed, 26 insertions(+), 28 deletions(-) diff --git a/controllers/auth_config_controller.go b/controllers/auth_config_controller.go index 03e91261..7b32f40c 100644 --- a/controllers/auth_config_controller.go +++ b/controllers/auth_config_controller.go @@ -475,8 +475,8 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf interfacedResponseConfigs := make([]auth.AuthConfigEvaluator, 0) - if authConfig.Spec.Response != nil { - for responseName, headerResponse := range authConfig.Spec.Response.Success.Headers { + if responseConfig := authConfig.Spec.Response; responseConfig != nil { + for responseName, headerResponse := range responseConfig.Success.Headers { translatedResponse := evaluators.NewResponseConfig( responseName, headerResponse.Priority, 
@@ -486,22 +486,11 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf headerResponse.Metrics, ) - if headerResponse.Cache != nil { - ttl := headerResponse.Cache.TTL - if ttl == 0 { - ttl = api.EvaluatorDefaultCacheTTL - } - translatedResponse.Cache = evaluators.NewEvaluatorCache( - *getJsonFromStaticDynamic(&headerResponse.Cache.Key), - ttl, - ) - } + injectCache(headerResponse.Cache, translatedResponse) interfacedResponseConfigs = append(interfacedResponseConfigs, translatedResponse) } - } - if authConfig.Spec.Response != nil { - for responseName, response := range authConfig.Spec.Response.Success.DynamicMetadata { + for responseName, response := range responseConfig.Success.DynamicMetadata { translatedResponse := evaluators.NewResponseConfig( responseName, response.Priority, @@ -511,16 +500,7 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf response.Metrics, ) - if response.Cache != nil { - ttl := response.Cache.TTL - if ttl == 0 { - ttl = api.EvaluatorDefaultCacheTTL - } - translatedResponse.Cache = evaluators.NewEvaluatorCache( - *getJsonFromStaticDynamic(&response.Cache.Key), - ttl, - ) - } + injectCache(response.Cache, translatedResponse) switch response.GetMethod() { // wristband @@ -641,11 +621,11 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf } // denyWith - if authConfig.Spec.Response != nil { - if denyWith := authConfig.Spec.Response.Unauthenticated; denyWith != nil { + if responseConfig := authConfig.Spec.Response; responseConfig != nil { + if denyWith := responseConfig.Unauthenticated; denyWith != nil { translatedAuthConfig.Unauthenticated = buildAuthorinoDenyWithValues(denyWith) } - if denyWith := authConfig.Spec.Response.Unauthorized; denyWith != nil { + if denyWith := responseConfig.Unauthorized; denyWith != nil { translatedAuthConfig.Unauthorized = buildAuthorinoDenyWithValues(denyWith) } } 
@@ -653,6 +633,19 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf return translatedAuthConfig, nil } +func injectCache(cache *api.EvaluatorCaching, translatedResponse *evaluators.ResponseConfig) { + if cache != nil { + ttl := cache.TTL + if ttl == 0 { + ttl = api.EvaluatorDefaultCacheTTL + } + translatedResponse.Cache = evaluators.NewEvaluatorCache( + *getJsonFromStaticDynamic(&cache.Key), + ttl, + ) + } +} + func (r *AuthConfigReconciler) addToIndex(ctx context.Context, resourceNamespace, resourceId string, authConfig *evaluators.AuthConfig, hosts []string) (linkedHosts, looseHosts []string, err error) { logger := log.FromContext(ctx) linkedHosts = []string{} diff --git a/controllers/auth_config_status_updater.go b/controllers/auth_config_status_updater.go index 5793d9bd..d21f499a 100644 --- a/controllers/auth_config_status_updater.go +++ b/controllers/auth_config_status_updater.go @@ -218,6 +218,11 @@ func updateStatusSummary(authConfig *api.AuthConfig, newLinkedHosts []string) (c func issuingWristbands(authConfig *api.AuthConfig) bool { if authConfig.Spec.Response != nil { + for _, responseConfig := range authConfig.Spec.Response.Success.Headers { + if responseConfig.GetMethod() == api.WristbandAuthResponse { + return true + } + } for _, responseConfig := range authConfig.Spec.Response.Success.DynamicMetadata { if responseConfig.GetMethod() == api.WristbandAuthResponse { return true From b64deefe145bfd98f4454e48d3eb8be86a7cb9e8 Mon Sep 17 00:00:00 2001 From: Alex Snaps Date: Thu, 5 Sep 2024 07:22:12 -0400 Subject: [PATCH 30/31] Inject response config Signed-off-by: Alex Snaps --- controllers/auth_config_controller.go | 188 ++++++++++++++------------ 1 file changed, 99 insertions(+), 89 deletions(-) diff --git a/controllers/auth_config_controller.go b/controllers/auth_config_controller.go index 7b32f40c..cca5ff1f 100644 --- a/controllers/auth_config_controller.go +++ b/controllers/auth_config_controller.go 
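Review bot: `injectCache` has no doc comment, and the security-relevant contract of the cache it wires deserves one: the key expression comes straight from the AuthConfig (`cache.Key`), so an operator key that omits an input the response depends on, typically the resolved identity, means cached entries are served to different callers. Suggested header: `// injectCache attaches an evaluator cache to translatedResponse when the spec asks for one, defaulting TTL to api.EvaluatorDefaultCacheTTL. The cache key is the operator-supplied expression and must cover every input the response depends on (notably the identity), or entries leak across principals.` `getJsonFromStaticDynamic(&cache.Key)` is dereferenced unconditionally; if it can return nil for an empty key that is a panic to guard against, but its body is not in view.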
@@ -476,108 +476,37 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf interfacedResponseConfigs := make([]auth.AuthConfigEvaluator, 0) if responseConfig := authConfig.Spec.Response; responseConfig != nil { - for responseName, headerResponse := range responseConfig.Success.Headers { + for responseName, headerSuccessResponse := range responseConfig.Success.Headers { translatedResponse := evaluators.NewResponseConfig( responseName, - headerResponse.Priority, - buildJSONExpression(authConfig, headerResponse.Conditions, jsonexp.All), + headerSuccessResponse.Priority, + buildJSONExpression(authConfig, headerSuccessResponse.Conditions, jsonexp.All), "httpHeader", - headerResponse.Key, - headerResponse.Metrics, + headerSuccessResponse.Key, + headerSuccessResponse.Metrics, ) - injectCache(headerResponse.Cache, translatedResponse) + injectCache(headerSuccessResponse.Cache, translatedResponse) + if err := injectResponseConfig(ctx, authConfig, headerSuccessResponse.SuccessResponseSpec, r, translatedResponse); err != nil { + return nil, err + } + interfacedResponseConfigs = append(interfacedResponseConfigs, translatedResponse) } - for responseName, response := range responseConfig.Success.DynamicMetadata { + for responseName, successResponse := range responseConfig.Success.DynamicMetadata { translatedResponse := evaluators.NewResponseConfig( responseName, - response.Priority, - buildJSONExpression(authConfig, response.Conditions, jsonexp.All), + successResponse.Priority, + buildJSONExpression(authConfig, successResponse.Conditions, jsonexp.All), "envoyDynamicMetadata", - response.Key, - response.Metrics, + successResponse.Key, + successResponse.Metrics, ) - injectCache(response.Cache, translatedResponse) - - switch response.GetMethod() { - // wristband - case api.WristbandAuthResponse: - wristband := response.Wristband - signingKeys := make([]jose.JSONWebKey, 0) - - for _, signingKeyRef := range wristband.SigningKeyRefs { - secret := 
&v1.Secret{} - secretName := types.NamespacedName{ - Namespace: authConfig.Namespace, - Name: signingKeyRef.Name, - } - if err := r.Client.Get(ctx, secretName, secret); err != nil { - return nil, err // TODO: Review this error, perhaps we don't need to return an error, just reenqueue. - } else { - if signingKey, err := response_evaluators.NewSigningKey( - signingKeyRef.Name, - string(signingKeyRef.Algorithm), - secret.Data["key.pem"], - ); err != nil { - return nil, err - } else { - signingKeys = append(signingKeys, *signingKey) - } - } - } - - customClaims := make([]json.JSONProperty, 0) - for claimName, claim := range wristband.CustomClaims { - customClaims = append(customClaims, json.JSONProperty{ - Name: claimName, - Value: json.JSONValue{ - Static: claim.Value, - Pattern: claim.Selector, - }, - }) - } - - if authorinoWristband, err := response_evaluators.NewWristbandConfig( - wristband.Issuer, - customClaims, - wristband.TokenDuration, - signingKeys, - ); err != nil { - return nil, err - } else { - translatedResponse.Wristband = authorinoWristband - } - - // dynamic json - case api.JsonAuthResponse: - jsonProperties := make([]json.JSONProperty, 0) - - for propertyName, property := range response.Json.Properties { - jsonProperties = append(jsonProperties, json.JSONProperty{ - Name: propertyName, - Value: json.JSONValue{ - Static: property.Value, - Pattern: property.Selector, - }, - }) - } - - translatedResponse.DynamicJSON = response_evaluators.NewDynamicJSONResponse(jsonProperties) - - // plain - case api.PlainAuthResponse: - translatedResponse.Plain = &response_evaluators.Plain{ - JSONValue: json.JSONValue{ - Static: response.Plain.Value, - Pattern: response.Plain.Selector, - }, - } - - case api.UnknownAuthResponseMethod: - return nil, fmt.Errorf("unknown response type %v", response) + injectCache(successResponse.Cache, translatedResponse) + if err := injectResponseConfig(ctx, authConfig, successResponse, r, translatedResponse); err != nil { + return nil, err 
} interfacedResponseConfigs = append(interfacedResponseConfigs, translatedResponse) 
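Review bot: `injectResponseConfig` is called with the reconciler passed as an explicit fourth argument (`r`) sandwiched between the spec and the output; since it only needs `r.Client`, make it a method on `*AuthConfigReconciler` so the call reads `r.injectResponseConfig(ctx, authConfig, headerSuccessResponse.SuccessResponseSpec, translatedResponse)`, consistent with `translateAuthConfig` itself. The two loops are now identical apart from the `"httpHeader"`/`"envoyDynamicMetadata"` wrapper string and the map they range over, so one inner helper taking the wrapper name would remove the remaining duplication. `translateAuthConfig` starts and ends outside the hunk.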
@@ -633,6 +562,87 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf return translatedAuthConfig, nil } +func injectResponseConfig(ctx context.Context, authConfig *api.AuthConfig, successResponse api.SuccessResponseSpec, r *AuthConfigReconciler, translatedResponse *evaluators.ResponseConfig) error { + switch successResponse.GetMethod() { + // wristband + case api.WristbandAuthResponse: + wristband := successResponse.Wristband + signingKeys := make([]jose.JSONWebKey, 0) + + for _, signingKeyRef := range wristband.SigningKeyRefs { + secret := &v1.Secret{} + secretName := types.NamespacedName{ + Namespace: authConfig.Namespace, + Name: signingKeyRef.Name, + } + if err := r.Client.Get(ctx, secretName, secret); err != nil { + return err // TODO: Review this error, perhaps we don't need to return an error, just reenqueue. + } else { + if signingKey, err := response_evaluators.NewSigningKey( + signingKeyRef.Name, + string(signingKeyRef.Algorithm), + secret.Data["key.pem"], + ); err != nil { + return err + } else { + signingKeys = append(signingKeys, *signingKey) + } + } + } + + customClaims := make([]json.JSONProperty, 0) + for claimName, claim := range wristband.CustomClaims { + customClaims = append(customClaims, json.JSONProperty{ + Name: claimName, + Value: json.JSONValue{ + Static: claim.Value, + Pattern: claim.Selector, + }, + }) + } + + if authorinoWristband, err := response_evaluators.NewWristbandConfig( + wristband.Issuer, + customClaims, + wristband.TokenDuration, + signingKeys, + ); err != nil { + return err + } else { + translatedResponse.Wristband = authorinoWristband + } + + // dynamic json + case api.JsonAuthResponse: + jsonProperties := make([]json.JSONProperty, 0) + + for propertyName, property := range successResponse.Json.Properties { + jsonProperties = append(jsonProperties, json.JSONProperty{ + Name: propertyName, + Value: json.JSONValue{ + Static: property.Value, + Pattern: property.Selector, + }, + }) + } + + 
translatedResponse.DynamicJSON = response_evaluators.NewDynamicJSONResponse(jsonProperties) + + // plain + case api.PlainAuthResponse: + translatedResponse.Plain = &response_evaluators.Plain{ + JSONValue: json.JSONValue{ + Static: successResponse.Plain.Value, + Pattern: successResponse.Plain.Selector, + }, + } + + case api.UnknownAuthResponseMethod: + return fmt.Errorf("unknown successResponse type %v", successResponse) + } + return nil +} + func injectCache(cache *api.EvaluatorCaching, translatedResponse *evaluators.ResponseConfig) { if cache != nil { ttl := cache.TTL From 7a7d9040e7667319835a7d149d13d4d603604965 Mon Sep 17 00:00:00 2001 From: ehearneredhat Date: Fri, 28 Jun 2024 09:39:26 +0100 Subject: [PATCH 31/31] add build-info (version, git sha, dirty) to the binary Signed-off-by: ehearneredhat Signed-off-by: Guilherme Cassolato --- .github/workflows/build-images.yaml | 16 +++++++--- .gitignore | 1 + Dockerfile | 9 ++++-- Makefile | 47 +++++++++++++++++----------- RELEASE.md | 10 +++--- api/v1beta1/zz_generated.deepcopy.go | 4 +-- api/v1beta2/zz_generated.deepcopy.go | 4 +-- hack/check-git-dirty.sh | 15 +++++++++ main.go | 10 ++++-- 9 files changed, 80 insertions(+), 36 deletions(-) create mode 100755 hack/check-git-dirty.sh diff --git a/.github/workflows/build-images.yaml b/.github/workflows/build-images.yaml index be9a9458..1d987b28 100644 --- a/.github/workflows/build-images.yaml +++ b/.github/workflows/build-images.yaml 
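Review bot: `injectResponseConfig` reads `secret.Data["key.pem"]` without checking that the entry exists, so a Secret with the right name but the wrong shape passes `nil` key bytes to `response_evaluators.NewSigningKey`; whether that constructor rejects empty material is not visible here, and the reconciler should fail with a message naming the secret rather than rely on it. The `UnknownAuthResponseMethod` branch formats the whole `SuccessResponseSpec` with `%v`, copying static values from the spec (plain or JSON property values that may be sensitive) into an error that is likely logged or written to status; report the method only. The `else` branches after `return err` can be flattened per Go convention. `injectCache` is cut off at the end of the hunk.

```go
for _, signingKeyRef := range wristband.SigningKeyRefs {
    secret := &v1.Secret{}
    secretName := types.NamespacedName{
        Namespace: authConfig.Namespace,
        Name:      signingKeyRef.Name,
    }
    if err := r.Client.Get(ctx, secretName, secret); err != nil {
        return err // TODO: Review this error, perhaps we don't need to return an error, just reenqueue.
    }
    keyPEM, ok := secret.Data["key.pem"]
    if !ok || len(keyPEM) == 0 {
        return fmt.Errorf("wristband signing key secret %s has no non-empty \"key.pem\" entry", secretName)
    }
    signingKey, err := response_evaluators.NewSigningKey(signingKeyRef.Name, string(signingKeyRef.Algorithm), keyPEM)
    if err != nil {
        return err
    }
    signingKeys = append(signingKeys, *signingKey)
}
// … unchanged: custom claims, wristband config, json and plain cases …
case api.UnknownAuthResponseMethod:
    return fmt.Errorf("unknown response method %v", successResponse.GetMethod())
```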
@@ -30,14 +30,18 @@ jobs: id: add-branch-tag run: | echo "IMG_TAGS=${GITHUB_REF_NAME/\//-} ${{ env.IMG_TAGS }}" >> $GITHUB_ENV - - name: Set Authorino version - id: authorino-version + - name: Set Authorino build info + id: authorino-build-info run: | if [[ ${GITHUB_REF_NAME/\//-} =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-.+)?$ ]]; then - echo "VERSION=${GITHUB_REF_NAME/\//-}" >> $GITHUB_ENV + tag=${GITHUB_REF_NAME/\//-} + echo "version=${tag#v}" >> $GITHUB_ENV + elif [[ ${GITHUB_REF_NAME/\//-} == "main" ]]; then + echo "version=latest" >> $GITHUB_ENV else - echo "VERSION=${{ github.sha }}" >> $GITHUB_ENV + echo "version=${{ github.ref_name }}" >> $GITHUB_ENV fi + echo "git_sha=${{ github.sha }}" >> $GITHUB_ENV - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Build Image @@ -48,7 +52,9 @@ jobs: tags: ${{ env.IMG_TAGS }} platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le build-args: | - version=${{ env.VERSION }} + git_sha=${{ env.git_sha }} + version=${{ env.version }} + dirty=${{ env.dirty }} containerfiles: | ./Dockerfile - name: Push Image diff --git a/.gitignore b/.gitignore index 423f9c0c..b8fbacc8 100644 --- a/.gitignore +++ b/.gitignore @@ -25,3 +25,4 @@ vendor tmp target .scannerwork +build-recent.yaml diff --git a/Dockerfile b/Dockerfile index f4a4f541..010a6d26 100644 --- a/Dockerfile +++ b/Dockerfile 
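Review bot: `echo "version=${{ github.ref_name }}" >> $GITHUB_ENV` interpolates the ref name into the shell script at workflow-expansion time, the pattern GitHub documents as script injection; the neighbouring lines already use the safe environment-variable form, so use it here too: `echo "version=${GITHUB_REF_NAME/\//-}" >> $GITHUB_ENV`. Whether a branch name from an untrusted source can reach this job depends on the workflow's triggers, which are outside the hunk. Separately, the build-arg `dirty=${{ env.dirty }}` is never set in the step above, so the image always gets the Dockerfile's `unknown` default; either compute it in the build-info step (the diffstat shows the commit adds `hack/check-git-dirty.sh`) or drop the arg.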
@@ -4,8 +4,13 @@ FROM registry.access.redhat.com/ubi9/go-toolset:1.21 AS builder USER root WORKDIR /usr/src/authorino COPY ./ ./ -ARG version=latest -RUN CGO_ENABLED=0 GO111MODULE=on go build -a -ldflags "-X main.version=${version}" -o /usr/bin/authorino main.go +ARG version +ENV version=${version:-unknown} +ARG git_sha +ENV git_sha=${git_sha:-unknown} +ARG dirty +ENV dirty=${dirty:-unknown} +RUN CGO_ENABLED=0 GO111MODULE=on go build -a -ldflags "-X main.version=${version} -X main.gitSHA=${git_sha} -X main.dirty=${dirty}" -o /usr/bin/authorino main.go # Use Red Hat minimal base image to package the binary # https://catalog.redhat.com/software/containers/ubi9-minimal diff --git a/Makefile b/Makefile index 2cf43cdf..17d17838 100644 --- a/Makefile +++ b/Makefile @@ -1,18 +1,24 @@ # Use bash as shell SHELL = /bin/bash -# Authorino version -VERSION = $(shell git rev-parse HEAD) - # Use vi as default editor EDITOR ?= vi -# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) -ifeq (,$(shell go env GOBIN)) -GOBIN=$(shell go env GOPATH)/bin +# Set version and image tag +ifeq ($(VERSION),) +VERSION = $(shell git rev-parse --abbrev-ref HEAD) +endif +ifeq ($(VERSION),main) +override VERSION = latest +endif +using_semantic_version := $(shell [[ $(VERSION) =~ ^[0-9]+\.[0-9]+\.[0-9]+(-.+)?$$ ]] && echo "true") +ifdef using_semantic_version +IMAGE_TAG=v$(VERSION) else -GOBIN=$(shell go env GOBIN) +IMAGE_TAG=local endif +IMAGE_REPO ?= authorino +AUTHORINO_IMAGE ?= $(IMAGE_REPO):$(IMAGE_TAG) PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST)))) export PATH := $(PROJECT_DIR)/bin:$(PATH) @@ -77,6 +83,13 @@ ifeq ($(SED),) exit 1 endif +# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) +ifeq (,$(shell go env GOBIN)) +GOBIN=$(shell go env GOPATH)/bin +else +GOBIN=$(shell go env GOBIN) +endif + # go-get-tool will 'go install' any package $2 and install it to $1. define go-get-tool @[ -f $(1) ] || { \ 
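Review bot: The `RUN go build` line embeds `version`, `git_sha` and `dirty` but still builds without `-trimpath`, so the binary also carries the builder's absolute source paths, which defeats reproducible and therefore attestable image builds; add it: `RUN CGO_ENABLED=0 GO111MODULE=on go build -a -trimpath -ldflags "-X main.version=${version} -X main.gitSHA=${git_sha} -X main.dirty=${dirty}" -o /usr/bin/authorino main.go`. The three `ARG`/`ENV` pairs can collapse to `ARG version=unknown` and so on, since the values are consumed only in this stage and `ENV` needlessly persists them in the builder layers. These ldflags values are caller-supplied strings, not verified provenance, so the binary's self-reported SHA must not be treated as an attestation of what was built.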
@@ -112,22 +125,20 @@ manifests: controller-gen kustomize ## Generates the manifests in $PROJECT_DIR/i controller-gen crd:crdVersions=v1 rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=install/crd output:rbac:artifacts:config=install/rbac && $(KUSTOMIZE) build install > $(AUTHORINO_MANIFESTS) $(MAKE) patch-webhook +run:git_sha=$(shell git rev-parse HEAD) +run:dirty=$(shell $(PROJECT_DIR)/hack/check-git-dirty.sh || echo "unknown") run: generate manifests ## Runs the application against the Kubernetes cluster configured in ~/.kube/config - go run -ldflags "-X main.version=$(VERSION)" ./main.go server + go run -ldflags "-X main.version=$(VERSION) -X main.gitSHA=${git_sha} -X main.dirty=${dirty}" ./main.go server +build:git_sha=$(shell git rev-parse HEAD) +build:dirty=$(shell $(PROJECT_DIR)/hack/check-git-dirty.sh || echo "unknown") build: generate ## Builds the manager binary - CGO_ENABLED=0 GO111MODULE=on go build -a -ldflags "-X main.version=$(VERSION)" -o bin/authorino main.go + CGO_ENABLED=0 GO111MODULE=on go build -a -ldflags "-X main.version=$(VERSION) -X main.gitSHA=${git_sha} -X main.dirty=${dirty}" -o bin/authorino main.go -IMAGE_REPO ?= authorino -using_semantic_version := $(shell [[ $(VERSION) =~ ^[0-9]+\.[0-9]+\.[0-9]+(-.+)?$$ ]] && echo "true") -ifdef using_semantic_version -IMAGE_TAG=v$(VERSION) -else -IMAGE_TAG=local -endif -AUTHORINO_IMAGE ?= $(IMAGE_REPO):$(IMAGE_TAG) +docker-build:git_sha=$(shell git rev-parse HEAD) +docker-build:dirty=$(shell $(PROJECT_DIR)/hack/check-git-dirty.sh || echo "unknown") docker-build: ## Builds an image based on the current branch - docker build --build-arg version=$(VERSION) -t $(AUTHORINO_IMAGE) . + docker build --build-arg version=$(VERSION) --build-arg git_sha=$(git_sha) --build-arg dirty=$(dirty) -t $(AUTHORINO_IMAGE) . test: generate manifests envtest ## Runs the tests KUBEBUILDER_ASSETS='$(strip $(shell $(ENVTEST) use -p path 1.21.2 --os linux))' go test ./... -coverprofile cover.out 
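Review bot: The `git_sha` and `dirty` target-specific variables are defined three times verbatim for `run`, `build` and `docker-build`, which invites drift the next time one of them changes. Because a recursively expanded variable (`=`) is only evaluated when it is referenced, a single top-level `git_sha = $(shell git rev-parse HEAD)` and `dirty = $(shell $(PROJECT_DIR)/hack/check-git-dirty.sh || echo "unknown")` would still avoid invoking git for unrelated targets while removing the duplication. The recipes also mix `${git_sha}`/`${dirty}` with `$(VERSION)` on the same line; Make treats both spellings identically, but the file otherwise uses `$(...)`, so the new references should follow suit.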
diff --git a/RELEASE.md b/RELEASE.md index cd4aa156..44729aa3 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -2,7 +2,7 @@ ## Process -To release a version “v0.X.Y” of Authorino in GitHub and Quay.io, follow these steps: +To release a version “vX.Y.Z” of Authorino in GitHub and Quay.io, follow these steps: 1. Pick a `` (SHA-1) as source. @@ -10,18 +10,18 @@ To release a version “v0.X.Y” of Authorino in GitHub and Quay.io, follow the git checkout ``` -2. Create a new tag and named release `v0.X.Y`. Push the tag to GitHub. +2. Create a new tag and named release `vX.Y.Z`. Push the tag to GitHub. ```shell -git tag -a v0.X.Y -m "v0.X.Y" -git push origin v0.X.Y +git tag -a vX.Y.Z -m "vX.Y.Z" +git push origin vX.Y.Z ``` Then at the GitHub repository, create a new release from the tag you just pushed. One could start autogenerating the release notes and then write the change notes highlighting all the new features, bug fixes, enhancements, etc. ([example](https://github.com/Kuadrant/authorino/releases/tag/v0.9.0)). -3. Run the GHA ‘Build and push images’ for the `v0.X.Y` tag. This will cause a new image to be built and pushed to quay.io/kuadrant/authorino. +3. Run the GHA ‘Build and push images’ for the `vX.Y.Z` tag. This will cause a new image to be built and pushed to quay.io/kuadrant/authorino. ## Notes on Authorino’s automated builds diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go index 3fe74ccf..c70bb9df 100644 --- a/api/v1beta1/zz_generated.deepcopy.go +++ b/api/v1beta1/zz_generated.deepcopy.go @@ -1,4 +1,5 @@ //go:build !ignore_autogenerated +// +build !ignore_autogenerated /* Copyright 2020 Red Hat, Inc. @@ -122,8 +123,7 @@ func (in *AuthConfigSpec) DeepCopyInto(out *AuthConfigSpec) { if val == nil { (*out)[key] = nil } else { - inVal := (*in)[key] - in, out := &inVal, &outVal + in, out := &val, &outVal *out = make(JSONPatternExpressions, len(*in)) copy(*out, *in) } 
diff --git a/api/v1beta2/zz_generated.deepcopy.go b/api/v1beta2/zz_generated.deepcopy.go index 29171143..3647917e 100644 --- a/api/v1beta2/zz_generated.deepcopy.go +++ b/api/v1beta2/zz_generated.deepcopy.go @@ -1,4 +1,5 @@ //go:build !ignore_autogenerated +// +build !ignore_autogenerated /* Copyright 2020 Red Hat, Inc. @@ -136,8 +137,7 @@ func (in *AuthConfigSpec) DeepCopyInto(out *AuthConfigSpec) { if val == nil { (*out)[key] = nil } else { - inVal := (*in)[key] - in, out := &inVal, &outVal + in, out := &val, &outVal *out = make(PatternExpressions, len(*in)) copy(*out, *in) } diff --git a/hack/check-git-dirty.sh b/hack/check-git-dirty.sh new file mode 100755 index 00000000..a32333d5 --- /dev/null +++ b/hack/check-git-dirty.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash + +if ! command -v git &>/dev/null +then + echo "git not found..." >&2 + exit 1 +fi + +if output=$(git diff --stat 2>/dev/null) +then +[ -n "$output" ] && echo "true" || echo "false" +else + # Not a git repository + exit 1 +fi diff --git a/main.go b/main.go index c09243b5..dddc07ee 100644 --- a/main.go +++ b/main.go @@ -73,6 +73,8 @@ const ( var ( // ldflags version string + dirty string + gitSHA string scheme = runtime.NewScheme() logger logr.Logger @@ -373,7 +375,7 @@ func runWebhookServer(cmd *cobra.Command, _ []string) { func setup(cmd *cobra.Command, log logOptions, telemetry telemetryOptions) { setupLogger(log) - logger.Info("booting up authorino", "version", version, "cmd", cmd.Use) + logger.Info("build information", "version", version, "commit", gitSHA, "dirty", dirty, "cmd", cmd.Use) // log the command-line args if logger.V(1).Enabled() { @@ -562,5 +564,9 @@ func timeoutMs(timeout int) time.Duration { } func printVersion(_ *cobra.Command, _ []string) { - fmt.Println("Authorino", version) + if dirty == "true" { + fmt.Printf("Authorino %s (%s-dirty)\n", version, gitSHA) + } else { + fmt.Printf("Authorino %s (%s)\n", version, gitSHA) + } }
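Review bot: `git diff --stat` in the new check-git-dirty.sh only reports unstaged modifications to tracked files, so a tree with staged-but-uncommitted changes is reported as `false` and the resulting binary claims a clean build of `git_sha` that does not match what was compiled. Replacing the probe with `if output=$(git status --porcelain --untracked-files=no 2>/dev/null)` covers both staged and unstaged changes to tracked files while keeping untracked files out of scope, which matches the previous intent. The unindented `[ -n "$output" ] && echo "true" || echo "false"` inside the `then` block is also worth aligning with the rest of the script, and a comment stating what counts as dirty (tracked-file changes only) would make the contract explicit for the Makefile and Dockerfile consumers.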
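Review bot: `printVersion` treats every value of `dirty` other than `"true"` as a clean build, so the `unknown` default that the Dockerfile and the Makefile fallback both produce prints as `Authorino x (sha)` with no hint that the working-tree state was never determined, while the `setup` log line in the previous hunk reports the raw value; for a provenance string the two cases should not look the same. Folding the two `Printf` calls into one with a suffix chosen by a `switch` on `dirty` keeps the clean and dirty outputs byte-identical to the new code and gives the undetermined case its own marker. `dirty` and `gitSHA` are plain strings set through `-ldflags -X` (declared in the first main.go hunk), so the comparison against string literals is the right tool here, but that deserves a comment since a reader may expect a bool.
```go
func printVersion(_ *cobra.Command, _ []string) {
	// dirty is a string injected via -ldflags -X; anything other than
	// "true"/"false" means the working-tree state was not determined at build time.
	var suffix string
	switch dirty {
	case "true":
		suffix = "-dirty"
	case "false":
		suffix = ""
	default:
		suffix = "-dirty?"
	}
	fmt.Printf("Authorino %s (%s%s)\n", version, gitSHA, suffix)
}
```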