
feat: api management
jspdown authored Mar 21, 2023
1 parent f9aa773 commit d3cad84
Showing 25 changed files with 1,196 additions and 65 deletions.
5 changes: 1 addition & 4 deletions hack/lint.sh
@@ -1,12 +1,9 @@
#!/bin/bash

CT_ARGS=""
GIT_SAFE_DIR="false"

if [ "$GIT_SAFE_DIR" != "true" ]; then
git config --global --add safe.directory /charts
fi

CT_ARGS="--charts ${PWD}/charts"

ct lint --config=./.github/chart-testing.yaml
ct lint --config=./.github/chart-testing.yaml --chart-dirs .
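Review bot: The new `--chart-dirs .` argument makes the lint target the current working directory, while the safe.directory entry registered by `git config --global --add safe.directory /charts` is still the fixed path `/charts`; if the script is ever run from anywhere else (presumably it is run from `/charts` in CI today, but the script does not check that), git refuses the repository and `ct lint` cannot detect changed charts. The two should agree, e.g. `git config --global --add safe.directory "$PWD"`. The script also has no `set -euo pipefail`, so a failing `git config` is ignored and linting continues against a partially configured environment; adding `set -euo pipefail` after the shebang would surface that. Note also that `GIT_SAFE_DIR` is assigned the literal `"false"` and never overridden, so the guard around the git call is dead code (pre-existing context, not introduced here).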
4 changes: 2 additions & 2 deletions hub-agent/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v2
name: hub-agent
version: 1.2.2
appVersion: "v1.1.0"
version: 1.3.0
appVersion: "v1.2.0"
# Because of https://github.com/helm/helm/issues/3810 the pre-release version suffix has to be define.
# This allows the installation on Kubernetes cluster with a pre-release version (e.g. v1.19.9-gke.1900)
kubeVersion: ">= 1.14.0-0"
186 changes: 177 additions & 9 deletions hub-agent/crds/access-control-policy.yaml
@@ -1,4 +1,3 @@

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
Expand Down Expand Up @@ -36,6 +35,63 @@ spec:
spec:
description: AccessControlPolicySpec configures an access control policy.
properties:
apiKey:
description: AccessControlPolicyAPIKey configure an APIKey control
policy.
properties:
forwardHeaders:
additionalProperties:
type: string
description: ForwardHeaders instructs the middleware to forward
key metadata as header values upon successful authentication.
type: object
keySource:
description: KeySource defines how to extract API keys from requests.
properties:
cookie:
description: Cookie is the name of a cookie.
type: string
header:
description: Header is the name of a header.
type: string
headerAuthScheme:
description: HeaderAuthScheme sets an optional auth scheme
when Header is set to "Authorization". If set, this scheme
is removed from the token, and all requests not including
it are dropped.
type: string
query:
description: Query is the name of a query parameter.
type: string
type: object
keys:
description: Keys define the set of authorized keys to access
a protected resource.
items:
description: AccessControlPolicyAPIKeyKey defines an API key.
properties:
id:
description: ID is the unique identifier of the key.
type: string
metadata:
additionalProperties:
type: string
description: Metadata holds arbitrary metadata for this
key, can be used by ForwardHeaders.
type: object
value:
description: Value is the SHAKE-256 hash (using 64 bytes)
of the API key.
type: string
required:
- id
- value
type: object
minItems: 1
type: array
required:
- keySource
type: object
basicAuth:
description: AccessControlPolicyBasicAuth holds the HTTP basic authentication
configuration.
Expand Down Expand Up @@ -76,8 +132,121 @@ spec:
tokenQueryKey:
type: string
type: object
oAuthIntro:
description: AccessControlOAuthIntro configures an OAuth 2.0 Token
Introspection access control policy.
properties:
claims:
type: string
clientConfig:
description: AccessControlOAuthIntroClientConfig configures the
OAuth 2.0 client for issuing token introspection requests.
properties:
auth:
description: Auth configures the required authentication to
the Authorization Server.
properties:
kind:
description: Kind sets the kind of authentication that
can be used to authenticate requests. The content of
the referenced depends on this kind.
enum:
- Basic
- Bearer
- Header
- Query
type: string
secret:
description: Secret is the reference to the Kubernetes
secrets containing sensitive authentication data.
properties:
name:
description: name is unique within a namespace to
reference a secret resource.
type: string
namespace:
description: namespace defines the space within which
the secret name must be unique.
type: string
type: object
required:
- kind
- secret
type: object
headers:
additionalProperties:
type: string
description: Headers to set when sending requests to the Authorization
Server.
type: object
maxRetries:
default: 3
description: MaxRetries defines the number of retries for
introspection requests.
type: integer
timeoutSeconds:
default: 5
description: TimeoutSeconds configures the maximum amount
of seconds to wait before giving up on requests.
type: integer
tls:
description: TLS configures TLS communication with the Authorization
Server.
properties:
caBundle:
description: CABundle sets the CA bundle used to sign
the Authorization Server certificate.
type: string
insecureSkipVerify:
description: InsecureSkipVerify skips the Authorization
Server certificate validation. For testing purposes
only, do not use in production.
type: boolean
type: object
tokenTypeHint:
description: TokenTypeHint is a hint to pass to the Authorization
Server. See https://tools.ietf.org/html/rfc7662#section-2.1
for more information.
type: string
url:
description: URL of the Authorization Server.
type: string
required:
- auth
- url
type: object
forwardHeaders:
additionalProperties:
type: string
type: object
tokenSource:
description: 'TokenSource describes how to extract tokens from
HTTP requests. If multiple sources are set, the order is the
following: header > query > cookie.'
properties:
cookie:
description: Cookie is the name of a cookie.
type: string
header:
description: Header is the name of a header.
type: string
headerAuthScheme:
description: HeaderAuthScheme sets an optional auth scheme
when Header is set to "Authorization". If set, this scheme
is removed from the token, and all requests not including
it are dropped.
type: string
query:
description: Query is the name of a query parameter.
type: string
type: object
required:
- clientConfig
- tokenSource
type: object
oidc:
description: AccessControlOIDC holds the OIDC authentication configuration.
description: AccessControlPolicyOIDC holds the OIDC authentication
configuration.
properties:
authParams:
additionalProperties:
Expand Down Expand Up @@ -106,11 +275,11 @@ spec:
has enough information to retrieve secret in any namespace
properties:
name:
description: Name is unique within a namespace to reference
description: name is unique within a namespace to reference
a secret resource.
type: string
namespace:
description: Namespace defines the space within which the
description: namespace defines the space within which the
secret name must be unique.
type: string
type: object
Expand Down Expand Up @@ -142,7 +311,7 @@ spec:
type: object
type: object
oidcGoogle:
description: AccessControlOIDCGoogle holds the Google OIDC authentication
description: AccessControlPolicyOIDCGoogle holds the Google OIDC authentication
configuration.
properties:
authParams:
Expand All @@ -155,6 +324,7 @@ spec:
description: Emails are the allowed emails to connect.
items:
type: string
minItems: 1
type: array
forwardHeaders:
additionalProperties:
Expand All @@ -169,11 +339,11 @@ spec:
has enough information to retrieve secret in any namespace
properties:
name:
description: Name is unique within a namespace to reference
description: name is unique within a namespace to reference
a secret resource.
type: string
namespace:
description: Namespace defines the space within which the
description: namespace defines the space within which the
secret name must be unique.
type: string
type: object
Expand Down Expand Up @@ -203,8 +373,6 @@ spec:
secure:
type: boolean
type: object
required:
- emails
type: object
type: object
status:
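Review bot: In the `apiKey` hunk the `keys` array documents `id` as "the unique identifier of the key" but nothing in the schema enforces it, so two entries with the same id are accepted by the API server; adding `x-kubernetes-list-type: map` and `x-kubernetes-list-map-keys: [id]` beside `minItems: 1` would turn a duplicate into a validation error. Likewise `value` is described as a 64-byte SHAKE-256 digest yet is an unconstrained string, so a plaintext key pasted by mistake is stored and distributed as-is; if the digest is hex-encoded, `pattern: '^[0-9a-fA-F]{128}$'` would reject such input — confirm the encoding the agent expects before adding it. In the `oAuthIntro` hunk, `maxRetries` and `timeoutSeconds` carry defaults but no lower bound, so negative values pass validation; `minimum: 0` for the retries and `minimum: 1` for the timeout would close that. These hunks all sit inside the `spec` schema, whose opening and closing lines are outside the visible section.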

0 comments on commit d3cad84
