apiVersion: v1
kind: Namespace
metadata:
  labels:
    control-plane: authorino-operator
  name: authorino-operator
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    cert-manager.io/inject-ca-from: authorino-operator/authorino-webhook-server-cert
    controller-gen.kubebuilder.io/version: v0.9.0
  name: authconfigs.authorino.kuadrant.io
spec:
  conversion:
    strategy: Webhook
    webhook:
      clientConfig:
        service:
          name: authorino-webhooks
          namespace: authorino-operator
          path: /convert
      conversionReviewVersions:
      - v1beta1
      - v1beta2
  group: authorino.kuadrant.io
  names:
    kind: AuthConfig
    listKind: AuthConfigList
    plural: authconfigs
    singular: authconfig
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Ready for all hosts
      jsonPath: .status.summary.ready
      name: Ready
      type: string
    - description: Number of hosts ready
      jsonPath: .status.summary.numHostsReady
      name: Hosts
      type: string
    - description: Number of trusted identity sources
      jsonPath: .status.summary.numIdentitySources
      name: Authentication
      priority: 2
      type: integer
    - description: Number of external metadata sources
      jsonPath: .status.summary.numMetadataSources
      name: Metadata
      priority: 2
      type: integer
    - description: Number of authorization policies
      jsonPath: .status.summary.numAuthorizationPolicies
      name: Authorization
      priority: 2
      type: integer
    - description: Number of items added to the authorization response
      jsonPath: .status.summary.numResponseItems
      name: Response
      priority: 2
      type: integer
    - description: Whether issuing Festival Wristbands
      jsonPath: .status.summary.festivalWristbandEnabled
      name: Wristband
      priority: 2
      type: boolean
    name: v1beta1
    schema:
      openAPIV3Schema:
        description: AuthConfig is the schema for Authorino's AuthConfig API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: Specifies the desired state of the AuthConfig resource, i.e. the authencation/authorization scheme to be applied to protect the matching service hosts.
            properties:
              authorization:
                description: Authorization is the list of authorization policies. All policies in this list MUST evaluate to "true" for a request be successful in the authorization phase.
                items:
                  description: 'Authorization policy to be enforced. Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "opa", "json" or "kubernetes".'
                  oneOf:
                  - properties:
                      name: {}
                      opa: {}
                    required:
                    - name
                    - opa
                  - properties:
                      json: {}
                      name: {}
                    required:
                    - name
                    - json
                  - properties:
                      kubernetes: {}
                      name: {}
                    required:
                    - name
                    - kubernetes
                  - properties:
                      authzed: {}
                      name: {}
                    required:
                    - name
                    - authzed
                  properties:
                    authzed:
                      description: Authzed authorization
                      properties:
                        endpoint:
                          description: Endpoint of the Authzed service.
                          type: string
                        insecure:
                          description: Insecure HTTP connection (i.e. disables TLS verification)
                          type: boolean
                        permission:
                          description: The name of the permission (or relation) on which to execute the check.
                          properties:
                            value:
                              description: Static value
                              type: string
                            valueFrom:
                              description: Dynamic value
                              properties:
                                authJSON:
                                  description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.'
                                  type: string
                              type: object
                          type: object
                        resource:
                          description: The resource on which to check the permission or relation.
                          properties:
                            kind:
                              description: StaticOrDynamicValue is either a constant static string value or a config for fetching a value from a dynamic source (e.g. a path pattern of authorization JSON)
                              properties:
                                value:
                                  description: Static value
                                  type: string
                                valueFrom:
                                  description: Dynamic value
                                  properties:
                                    authJSON:
                                      description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.'
                                      type: string
                                  type: object
                              type: object
                            name:
                              description: StaticOrDynamicValue is either a constant static string value or a config for fetching a value from a dynamic source (e.g. a path pattern of authorization JSON)
                              properties:
                                value:
                                  description: Static value
                                  type: string
                                valueFrom:
                                  description: Dynamic value
                                  properties:
                                    authJSON:
                                      description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.'
                                      type: string
                                  type: object
                              type: object
                          type: object
                        sharedSecretRef:
                          description: Reference to a Secret key whose value will be used by Authorino to authenticate with the Authzed service.
                          properties:
                            key:
                              description: The key of the secret to select from. Must be a valid secret key.
                              type: string
                            name:
                              description: The name of the secret in the Authorino's namespace to select from.
                              type: string
                          required:
                          - key
                          - name
                          type: object
                        subject:
                          description: The subject that will be checked for the permission or relation.
                          properties:
                            kind:
                              description: StaticOrDynamicValue is either a constant static string value or a config for fetching a value from a dynamic source (e.g. a path pattern of authorization JSON)
                              properties:
                                value:
                                  description: Static value
                                  type: string
                                valueFrom:
                                  description: Dynamic value
                                  properties:
                                    authJSON:
                                      description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.'
                                      type: string
                                  type: object
                              type: object
                            name:
                              description: StaticOrDynamicValue is either a constant static string value or a config for fetching a value from a dynamic source (e.g. a path pattern of authorization JSON)
                              properties:
                                value:
                                  description: Static value
                                  type: string
                                valueFrom:
                                  description: Dynamic value
                                  properties:
                                    authJSON:
                                      description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.'
                                      type: string
                                  type: object
                              type: object
                          type: object
                      required:
                      - endpoint
                      type: object
                    cache:
                      description: Caching options for the policy evaluation results when enforcing this config. Omit it to avoid caching policy evaluation results for this config.
                      properties:
                        key:
                          description: Key used to store the entry in the cache. Cache entries from different metadata configs are stored and managed separately regardless of the key.
                          properties:
                            value:
                              description: Static value
                              type: string
                            valueFrom:
                              description: Dynamic value
                              properties:
                                authJSON:
                                  description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.'
                                  type: string
                              type: object
                          type: object
                        ttl:
                          default: 60
                          description: Duration (in seconds) of the external data in the cache before pulled again from the source.
                          type: integer
                      required:
                      - key
                      type: object
                    json:
                      description: JSON pattern matching authorization policy.
                      properties:
                        rules:
                          description: The rules that must all evaluate to "true" for the request to be authorized.
                          items:
                            oneOf:
                            - properties:
                                patternRef: {}
                              required:
                              - patternRef
                            - properties:
                                operator: {}
                                selector: {}
                                value: {}
                              required:
                              - operator
                              - selector
                            - properties:
                                all: {}
                              required:
                              - all
                            - properties:
                                any: {}
                              required:
                              - any
                            properties:
                              all:
                                description: A list of pattern expressions to be evaluated as a logical AND.
                                items:
                                  type: object
                                  x-kubernetes-preserve-unknown-fields: true
                                type: array
                              any:
                                description: A list of pattern expressions to be evaluated as a logical OR.
                                items:
                                  type: object
                                  x-kubernetes-preserve-unknown-fields: true
                                type: array
                              operator:
                                description: 'The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex)'
                                enum:
                                - eq
                                - neq
                                - incl
                                - excl
                                - matches
                                type: string
                              patternRef:
                                description: Name of a named pattern
                                type: string
                              selector:
                                description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases.
                                type: string
                              value:
                                description: The value of reference for the comparison with the content fetched from the authorization JSON. If used with the "matches" operator, the value must compile to a valid Golang regex.
                                type: string
                            type: object
                          type: array
                      required:
                      - rules
                      type: object
                    kubernetes:
                      description: Kubernetes authorization policy based on `SubjectAccessReview` Path and Verb are inferred from the request.
                      properties:
                        groups:
                          description: Groups to test for.
                          items:
                            type: string
                          type: array
                        resourceAttributes:
                          description: Use ResourceAttributes for checking permissions on Kubernetes resources If omitted, it performs a non-resource `SubjectAccessReview`, with verb and path inferred from the request.
                          properties:
                            group:
                              description: StaticOrDynamicValue is either a constant static string value or a config for fetching a value from a dynamic source (e.g. a path pattern of authorization JSON)
                              properties:
                                value:
                                  description: Static value
                                  type: string
                                valueFrom:
                                  description: Dynamic value
                                  properties:
                                    authJSON:
                                      description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.'
                                      type: string
                                  type: object
                              type: object
                            name:
                              description: StaticOrDynamicValue is either a constant static string value or a config for fetching a value from a dynamic source (e.g. a path pattern of authorization JSON)
                              properties:
                                value:
                                  description: Static value
                                  type: string
                                valueFrom:
                                  description: Dynamic value
                                  properties:
                                    authJSON:
                                      description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.'
                                      type: string
                                  type: object
                              type: object
                            namespace:
                              description: StaticOrDynamicValue is either a constant static string value or a config for fetching a value from a dynamic source (e.g. a path pattern of authorization JSON)
                              properties:
                                value:
                                  description: Static value
                                  type: string
                                valueFrom:
                                  description: Dynamic value
                                  properties:
                                    authJSON:
                                      description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.'
                                      type: string
                                  type: object
                              type: object
                            resource:
                              description: StaticOrDynamicValue is either a constant static string value or a config for fetching a value from a dynamic source (e.g. a path pattern of authorization JSON)
                              properties:
                                value:
                                  description: Static value
                                  type: string
                                valueFrom:
                                  description: Dynamic value
                                  properties:
                                    authJSON:
                                      description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.'
                                      type: string
                                  type: object
                              type: object
                            subresource:
                              description: StaticOrDynamicValue is either a constant static string value or a config for fetching a value from a dynamic source (e.g. a path pattern of authorization JSON)
                              properties:
                                value:
                                  description: Static value
                                  type: string
                                valueFrom:
                                  description: Dynamic value
                                  properties:
                                    authJSON:
                                      description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.'
                                      type: string
                                  type: object
                              type: object
                            verb:
                              description: StaticOrDynamicValue is either a constant static string value or a config for fetching a value from a dynamic source (e.g. a path pattern of authorization JSON)
                              properties:
                                value:
                                  description: Static value
                                  type: string
                                valueFrom:
                                  description: Dynamic value
                                  properties:
                                    authJSON:
                                      description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.'
                                      type: string
                                  type: object
                              type: object
                          type: object
                        user:
                          description: User to test for. If without "Groups", then is it interpreted as "What if User were not a member of any groups"
                          properties:
                            value:
                              description: Static value
                              type: string
                            valueFrom:
                              description: Dynamic value
                              properties:
                                authJSON:
                                  description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.'
                                  type: string
                              type: object
                          type: object
                      required:
                      - user
                      type: object
                    metrics:
                      default: false
                      description: Whether this authorization config should generate individual observability metrics
                      type: boolean
                    name:
                      description: Name of the authorization policy. It can be used to refer to the resolved authorization object in other configs.
                      type: string
                    opa:
                      description: Open Policy Agent (OPA) authorization policy.
                      properties:
                        allValues:
                          default: false
                          description: Returns the value of all Rego rules in the virtual document. Values can be read in subsequent evaluators/phases of the Auth Pipeline. Otherwise, only the default `allow` rule will be exposed. Returning all Rego rules can affect performance of OPA policies during reconciliation (policy precompile) and at runtime.
                          type: boolean
                        externalRegistry:
                          description: External registry of OPA policies.
                          properties:
                            credentials:
                              description: Defines where client credentials will be passed in the request to the service. If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value.
                              properties:
                                in:
                                  default: authorization_header
                                  description: The location in the request where client credentials shall be passed on requests authenticating with this identity source/authentication mode.
                                  enum:
                                  - authorization_header
                                  - custom_header
                                  - query
                                  - cookie
                                  type: string
                                keySelector:
                                  description: Used in conjunction with the `in` parameter. When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively.
                                  type: string
                              required:
                              - keySelector
                              type: object
                            endpoint:
                              description: Endpoint of the HTTP external registry. The endpoint must respond with either plain/text or application/json content-type. In the latter case, the JSON returned in the body must include a path `result.raw`, where the raw Rego policy will be extracted from. This complies with the specification of the OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy).
                              type: string
                            sharedSecretRef:
                              description: Reference to a Secret key whose value will be passed by Authorino in the request. The HTTP service can use the shared secret to authenticate the origin of the request.
                              properties:
                                key:
                                  description: The key of the secret to select from. Must be a valid secret key.
                                  type: string
                                name:
                                  description: The name of the secret in the Authorino's namespace to select from.
                                  type: string
                              required:
                              - key
                              - name
                              type: object
                            ttl:
                              description: Duration (in seconds) of the external data in the cache before pulled again from the source.
                              type: integer
                          type: object
                        inlineRego:
                          description: Authorization policy as a Rego language document. The Rego document must include the "allow" condition, set by Authorino to "false" by default (i.e. requests are unauthorized unless changed). The Rego document must NOT include the "package" declaration in line 1.
                          type: string
                      type: object
                    priority:
                      default: 0
                      description: Priority group of the config. All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially.
                      type: integer
                    when:
                      description: Conditions for Authorino to enforce this authorization policy. If omitted, the config will be enforced for all requests. If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped.
                      items:
                        oneOf:
                        - properties:
                            patternRef: {}
                          required:
                          - patternRef
                        - properties:
                            operator: {}
                            selector: {}
                            value: {}
                          required:
                          - operator
                          - selector
                        - properties:
                            all: {}
                          required:
                          - all
                        - properties:
                            any: {}
                          required:
                          - any
                        properties:
                          all:
                            description: A list of pattern expressions to be evaluated as a logical AND.
                            items:
                              type: object
                              x-kubernetes-preserve-unknown-fields: true
                            type: array
                          any:
                            description: A list of pattern expressions to be evaluated as a logical OR.
                            items:
                              type: object
                              x-kubernetes-preserve-unknown-fields: true
                            type: array
                          operator:
                            description: 'The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex)'
                            enum:
                            - eq
                            - neq
                            - incl
                            - excl
                            - matches
                            type: string
                          patternRef:
                            description: Name of a named pattern
                            type: string
                          selector:
                            description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases.
                            type: string
                          value:
                            description: The value of reference for the comparison with the content fetched from the authorization JSON. If used with the "matches" operator, the value must compile to a valid Golang regex.
                            type: string
                        type: object
                      type: array
                  required:
                  - name
                  type: object
                type: array
              callbacks:
                description: List of callback configs. Authorino sends callbacks to specified endpoints at the end of the auth pipeline.
                items:
                  description: Endpoints to callback at the end of each auth pipeline.
                  properties:
                    http:
                      description: Generic HTTP interface to obtain authorization metadata from a HTTP service.
                      properties:
                        body:
                          description: Raw body of the HTTP request. Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used).
                          properties:
                            value:
                              description: Static value
                              type: string
                            valueFrom:
                              description: Dynamic value
                              properties:
                                authJSON:
                                  description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.'
                                  type: string
                              type: object
                          type: object
                        bodyParameters:
                          description: Custom parameters to encode in the body of the HTTP request. Superseded by 'body'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used).
                          items:
                            properties:
                              name:
                                description: The name of the JSON property
                                type: string
                              value:
                                description: Static value of the JSON property
                                x-kubernetes-preserve-unknown-fields: true
                              valueFrom:
                                description: Dynamic value of the JSON property
                                properties:
                                  authJSON:
                                    description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.'
                                    type: string
                                type: object
                            required:
                            - name
                            type: object
                          type: array
                        contentType:
                          default: application/x-www-form-urlencoded
                          description: Content-Type of the request body. Shapes how 'bodyParameters' are encoded. Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'.
                          enum:
                          - application/x-www-form-urlencoded
                          - application/json
                          type: string
                        credentials:
                          description: Defines where client credentials will be passed in the request to the service. If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value.
                          properties:
                            in:
                              default: authorization_header
                              description: The location in the request where client credentials shall be passed on requests authenticating with this identity source/authentication mode.
                              enum:
                              - authorization_header
                              - custom_header
                              - query
                              - cookie
                              type: string
                            keySelector:
                              description: Used in conjunction with the `in` parameter. When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively.
                              type: string
                          required:
                          - keySelector
                          type: object
                        endpoint:
                          description: Endpoint of the HTTP service. The endpoint accepts variable placeholders in the format "{selector}", where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path}
                          type: string
                        headers:
                          description: Custom headers in the HTTP request.
                          items:
                            properties:
                              name:
                                description: The name of the JSON property
                                type: string
                              value:
                                description: Static value of the JSON property
                                x-kubernetes-preserve-unknown-fields: true
                              valueFrom:
                                description: Dynamic value of the JSON property
                                properties:
                                  authJSON:
                                    description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.'
                                    type: string
                                type: object
                            required:
                            - name
                            type: object
                          type: array
                        method:
                          default: GET
                          description: 'HTTP verb used in the request to the service. Accepted values: GET (default), POST. When the request method is POST, the authorization JSON is passed in the body of the request.'
                          enum:
                          - GET
                          - POST
                          type: string
                        oauth2:
                          description: Authentication with the HTTP service by OAuth2 Client Credentials grant.
                          properties:
                            cache:
                              default: true
                              description: Caches and reuses the token until expired. Set it to false to force fetch the token at every authorization request regardless of expiration.
                              type: boolean
                            clientId:
                              description: OAuth2 Client ID.
                              type: string
                            clientSecretRef:
                              description: Reference to a Kubernetes Secret key that stores that OAuth2 Client Secret.
                              properties:
                                key:
                                  description: The key of the secret to select from. Must be a valid secret key.
                                  type: string
                                name:
                                  description: The name of the secret in the Authorino's namespace to select from.
                                  type: string
                              required:
                              - key
                              - name
                              type: object
                            extraParams:
                              additionalProperties:
                                type: string
                              description: Optional extra parameters for the requests to the token URL.
                              type: object
                            scopes:
                              description: Optional scopes for the client credentials grant, if supported by he OAuth2 server.
                              items:
                                type: string
                              type: array
                            tokenUrl:
                              description: Token endpoint URL of the OAuth2 resource server.
                              type: string
                          required:
                          - clientId
                          - clientSecretRef
                          - tokenUrl
                          type: object
                        sharedSecretRef:
                          description: Reference to a Secret key whose value will be passed by Authorino in the request. The HTTP service can use the shared secret to authenticate the origin of the request. Ignored if used together with oauth2.
                          properties:
                            key:
                              description: The key of the secret to select from. Must be a valid secret key.
                              type: string
                            name:
                              description: The name of the secret in the Authorino's namespace to select from.
                              type: string
                          required:
                          - key
                          - name
                          type: object
                      required:
                      - endpoint
                      type: object
                    metrics:
                      default: false
                      description: Whether this callback config should generate individual observability metrics
                      type: boolean
                    name:
                      description: Name of the callback. It can be used to refer to the resolved callback response in other configs.
                      type: string
                    priority:
                      default: 0
                      description: Priority group of the config. All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially.
                      type: integer
                    when:
                      description: Conditions for Authorino to perform this callback. If omitted, the callback will be attempted for all requests. If present, all conditions must match for the callback to be attempted; otherwise, the callback will be skipped.
                      items:
                        properties:
                          all:
                            description: A list of pattern expressions to be evaluated as a logical AND.
                            items:
                              type: object
                              x-kubernetes-preserve-unknown-fields: true
                            type: array
                          any:
                            description: A list of pattern expressions to be evaluated as a logical OR.
                            items:
                              type: object
                              x-kubernetes-preserve-unknown-fields: true
                            type: array
                          operator:
                            description: 'The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex)'
                            enum:
                            - eq
                            - neq
                            - incl
                            - excl
                            - matches
                            type: string
                          patternRef:
                            description: Name of a named pattern
                            type: string
                          selector:
                            description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases.
                            type: string
                          value:
                            description: The value of reference for the comparison with the content fetched from the authorization JSON. If used with the "matches" operator, the value must compile to a valid Golang regex.
                            type: string
                        type: object
                      type: array
                  required:
                  - http
                  - name
                  type: object
                type: array
              denyWith:
                description: Custom denial response codes, statuses and headers to override default 40x's.
                properties:
                  unauthenticated:
                    description: Denial status customization when the request is unauthenticated.
                    properties:
                      body:
                        description: HTTP response body to override the default denial body.
                        properties:
                          value:
                            description: Static value
                            type: string
                          valueFrom:
                            description: Dynamic value
                            properties:
                              authJSON:
                                description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.'
                                type: string
                            type: object
                        type: object
                      code:
                        description: HTTP status code to override the default denial status code.
                        format: int64
                        maximum: 599
                        minimum: 300
                        type: integer
                      headers:
                        description: HTTP response headers to override the default denial headers.
                        items:
                          properties:
                            name:
                              description: The name of the JSON property
                              type: string
                            value:
                              description: Static value of the JSON property
                              x-kubernetes-preserve-unknown-fields: true
                            valueFrom:
                              description: Dynamic value of the JSON property
                              properties:
                                authJSON:
                                  description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.'
                                  type: string
                              type: object
                          required:
                          - name
                          type: object
                        type: array
                      message:
                        description: HTTP message to override the default denial message.
                        properties:
                          value:
                            description: Static value
                            type: string
                          valueFrom:
                            description: Dynamic value
                            properties:
                              authJSON:
                                description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.'
                                type: string
                            type: object
                        type: object
                    type: object
                  unauthorized:
                    description: Denial status customization when the request is unauthorized.
                    properties:
                      body:
                        description: HTTP response body to override the default denial body.
                        properties:
                          value:
                            description: Static value
                            type: string
                          valueFrom:
                            description: Dynamic value
                            properties:
                              authJSON:
                                description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.'
                                type: string
                            type: object
                        type: object
                      code:
                        description: HTTP status code to override the default denial status code.
                        format: int64
                        maximum: 599
                        minimum: 300
                        type: integer
                      headers:
                        description: HTTP response headers to override the default denial headers.
                        items:
                          properties:
                            name:
                              description: The name of the JSON property
                              type: string
                            value:
                              description: Static value of the JSON property
                              x-kubernetes-preserve-unknown-fields: true
                            valueFrom:
                              description: Dynamic value of the JSON property
                              properties:
                                authJSON:
                                  description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.'
                                  type: string
                              type: object
                          required:
                          - name
                          type: object
                        type: array
                      message:
                        description: HTTP message to override the default denial message.
                        properties:
                          value:
                            description: Static value
                            type: string
                          valueFrom:
                            description: Dynamic value
                            properties:
                              authJSON:
                                description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.'
type: string type: object type: object type: object type: object hosts: description: The list of public host names of the services protected by this authentication/authorization scheme. Authorino uses the requested host to look up the corresponding authentication/authorization configs to enforce. items: type: string type: array identity: description: List of identity sources/authentication modes. At least one config of this list MUST evaluate to a valid identity for a request to be successful in the identity verification phase. items: description: 'The identity source/authentication mode config. Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "oauth2", "oidc", "apiKey", "mtls", "kubernetes", "anonymous" or "plain".' oneOf: - properties: credentials: {} name: {} oauth2: {} required: - name - oauth2 - properties: credentials: {} name: {} oidc: {} required: - name - oidc - properties: apiKey: {} credentials: {} name: {} required: - name - apiKey - properties: credentials: {} mtls: {} name: {} required: - name - mtls - properties: credentials: {} kubernetes: {} name: {} required: - name - kubernetes - properties: anonymous: {} credentials: {} name: {} required: - name - anonymous - properties: credentials: {} name: {} plain: {} required: - name - plain properties: anonymous: type: object apiKey: properties: allNamespaces: default: false description: Whether Authorino should look for API key secrets in all namespaces or only in the same namespace as the AuthConfig. Enabling this option in namespaced Authorino instances has no effect. type: boolean selector: description: Label selector used by Authorino to match secrets from the cluster storing valid credentials to authenticate to this service properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object required: - selector type: object cache: description: Caching options for the identity resolved when applying this config. Omit it to avoid caching identity objects for this config. properties: key: description: Key used to store the entry in the cache. Cache entries from different identity configs are stored and managed separately regardless of the key. properties: value: description: Static value type: string valueFrom: description: Dynamic value properties: authJSON: description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. 
The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object ttl: default: 60 description: Duration (in seconds) of the external data in the cache before pulled again from the source. type: integer required: - key type: object credentials: description: Defines where client credentials are required to be passed in the request for this identity source/authentication mode. If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the credentials value (token, API key, etc). properties: in: default: authorization_header description: The location in the request where client credentials shall be passed on requests authenticating with this identity source/authentication mode. enum: - authorization_header - custom_header - query - cookie type: string keySelector: description: Used in conjunction with the `in` parameter. When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. type: string required: - keySelector type: object extendedProperties: description: Extends the resolved identity object with additional custom properties before appending to the authorization JSON. It requires the resolved identity object to always be of the JSON type 'object'. Other JSON types (array, string, etc) will break. items: properties: name: description: The name of the JSON property type: string overwrite: default: false description: Whether the value should overwrite the value of an existing property with the same name. 
type: boolean value: description: Static value of the JSON property x-kubernetes-preserve-unknown-fields: true valueFrom: description: Dynamic value of the JSON property properties: authJSON: description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object required: - name type: object type: array kubernetes: properties: audiences: description: The list of audiences (scopes) that must be claimed in a Kubernetes authentication token supplied in the request, and reviewed by Authorino. If omitted, Authorino will review tokens expecting the host name of the requested protected service amongst the audiences. items: type: string type: array type: object metrics: default: false description: Whether this identity config should generate individual observability metrics type: boolean mtls: properties: allNamespaces: default: false description: Whether Authorino should look for TLS secrets in all namespaces or only in the same namespace as the AuthConfig. Enabling this option in namespaced Authorino instances has no effect. type: boolean selector: description: Label selector used by Authorino to match secrets from the cluster storing trusted CA certificates to validate clients trying to authenticate to this service properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object required: - selector type: object name: description: The name of this identity source/authentication mode. It usually identifies a source of identities or group of users/clients of the protected service. It can be used to refer to the resolved identity object in other configs. type: string oauth2: properties: credentialsRef: description: Reference to a Kubernetes secret in the same namespace, that stores client credentials to the OAuth2 server. properties: name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object tokenIntrospectionUrl: description: The full URL of the token introspection endpoint. type: string tokenTypeHint: description: The token type hint for the token introspection. If omitted, it defaults to "access_token". type: string required: - credentialsRef - tokenIntrospectionUrl type: object oidc: properties: endpoint: description: Endpoint of the OIDC issuer. 
Authorino will append to this value the well-known path to the OpenID Connect discovery endpoint (i.e. "/.well-known/openid-configuration"), used to automatically discover the OpenID Connect configuration, whose set of claims is expected to include (among others) the "jwks_uri" claim. The value must coincide with the value of the "iss" (issuer) claim of the discovered OpenID Connect configuration. type: string ttl: description: Decides how long to wait before refreshing the OIDC configuration (in seconds). type: integer required: - endpoint type: object plain: properties: authJSON: description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object priority: default: 0 description: Priority group of the config. All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer when: description: Conditions for Authorino to enforce this identity config. If omitted, the config will be enforced for all requests. If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. items: oneOf: - properties: patternRef: {} required: - patternRef - properties: operator: {} selector: {} value: {} required: - operator - selector - properties: all: {} required: - all - properties: any: {} required: - any properties: all: description: A list of pattern expressions to be evaluated as a logical AND. 
items: type: object x-kubernetes-preserve-unknown-fields: true type: array any: description: A list of pattern expressions to be evaluated as a logical OR. items: type: object x-kubernetes-preserve-unknown-fields: true type: array operator: description: 'The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq - incl - excl - matches type: string patternRef: description: Name of a named pattern type: string selector: description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: description: The value of reference for the comparison with the content fetched from the authorization JSON. If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array required: - name type: object type: array metadata: description: List of metadata source configs. Authorino fetches JSON content from sources on this list on every request. items: description: 'The metadata config. Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "http", "userInfo" or "uma".' oneOf: - properties: name: {} userInfo: {} required: - name - userInfo - properties: name: {} uma: {} required: - name - uma - properties: http: {} name: {} required: - name - http properties: cache: description: Caching options for the external metadata fetched when applying this config. Omit it to avoid caching metadata from this source. properties: key: description: Key used to store the entry in the cache. Cache entries from different metadata configs are stored and managed separately regardless of the key. 
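The identity fields defined above (apiKey with a label selector, credentials location, extendedProperties, priority, cache and when, plus the named patterns that when can reference) read more easily in a concrete resource. The manifest below is an added example written for this page, not an AuthConfig shipped by the Authorino project; the host, namespace, label, annotation name, Secret names and the OIDC issuer URL are placeholders. Two defaults it relies on are worth checking in a review: allNamespaces stays false, so only Secrets in the AuthConfig's own namespace can act as API keys for this service, and the OIDC identity keeps the default credentials location (Authorization header with the "Bearer" prefix).

```yaml
# Added example for this page (not from the Authorino project).
# Placeholders: host talker-api.example.com, namespace "apps", label
# audience=talker-api, annotation "user-role", and the OIDC issuer URL.
apiVersion: authorino.kuadrant.io/v1beta1
kind: AuthConfig
metadata:
  name: talker-api-protection
  namespace: apps
spec:
  hosts:
    - talker-api.example.com
  patterns:
    # Named pattern reused by the "when" condition of the apiKey identity below.
    read-only-request:
      - selector: context.request.http.method
        operator: eq
        value: GET
  identity:
    # API keys: Secrets in namespace "apps" carrying the label audience=talker-api.
    # allNamespaces is left at its default (false), so a Secret with the same
    # label created in another namespace is not accepted as a key for this host.
    - name: api-key-clients
      apiKey:
        selector:
          matchLabels:
            audience: talker-api
      # Clients send the key in a custom header instead of "Authorization: Bearer".
      credentials:
        in: custom_header
        keySelector: X-API-KEY
      # Honour API keys on read-only requests only (condition via the named pattern).
      when:
        - patternRef: read-only-request
      # The resolved identity is the matched Secret; copy one of its annotations
      # into the identity object as "role". "user-role" is a name chosen for this example.
      extendedProperties:
        - name: role
          valueFrom:
            authJSON: auth.identity.metadata.annotations.user-role
      priority: 0
    # OIDC tokens: discovery at <endpoint>/.well-known/openid-configuration; the
    # endpoint must equal the "iss" value of the issued tokens.
    - name: oidc-users
      oidc:
        endpoint: https://issuer.example.com/realms/demo
        ttl: 300   # refresh the discovered OIDC configuration every 5 minutes
      # Cache the verified identity keyed by the credential itself. A key that does
      # not include the credential (e.g. the request path) would hand one caller's
      # identity to the next caller hitting the same key.
      cache:
        key:
          valueFrom:
            authJSON: context.request.http.headers.authorization
        ttl: 60
      priority: 0
---
# A Secret matched by the apiKey selector above. Authorino reads the key from the
# "api_key" entry; generate a random high-entropy value, never a human-chosen one.
apiVersion: v1
kind: Secret
metadata:
  name: api-key-alice
  namespace: apps
  labels:
    audience: talker-api
  annotations:
    user-role: reader
type: Opaque
stringData:
  api_key: REPLACE_WITH_A_RANDOM_HIGH_ENTROPY_VALUE
```

Both identity configs sit in priority group 0, so they are evaluated concurrently and the request succeeds if either yields a valid identity; a rejected OIDC token does not fall back to anything unless a matching API key is also present.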
properties: value: description: Static value type: string valueFrom: description: Dynamic value properties: authJSON: description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object ttl: default: 60 description: Duration (in seconds) of the external data in the cache before pulled again from the source. type: integer required: - key type: object http: description: Generic HTTP interface to obtain authorization metadata from a HTTP service. properties: body: description: Raw body of the HTTP request. Supersedes 'bodyParameters'; use either one or the other. Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). properties: value: description: Static value type: string valueFrom: description: Dynamic value properties: authJSON: description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object bodyParameters: description: Custom parameters to encode in the body of the HTTP request. Superseded by 'body'; use either one or the other. 
Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). items: properties: name: description: The name of the JSON property type: string value: description: Static value of the JSON property x-kubernetes-preserve-unknown-fields: true valueFrom: description: Dynamic value of the JSON property properties: authJSON: description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object required: - name type: object type: array contentType: default: application/x-www-form-urlencoded description: Content-Type of the request body. Shapes how 'bodyParameters' are encoded. Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: description: Defines where client credentials will be passed in the request to the service. If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. properties: in: default: authorization_header description: The location in the request where client credentials shall be passed on requests authenticating with this identity source/authentication mode. enum: - authorization_header - custom_header - query - cookie type: string keySelector: description: Used in conjunction with the `in` parameter. 
When used with `authorization_header`, the value is the prefix of the client credentials string, separated by a white-space, in the HTTP Authorization header (e.g. "Bearer", "Basic"). When used with `custom_header`, `query` or `cookie`, the value is the name of the HTTP header, query string parameter or cookie key, respectively. type: string required: - keySelector type: object endpoint: description: Endpoint of the HTTP service. The endpoint accepts variable placeholders in the format "{selector}", where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path} type: string headers: description: Custom headers in the HTTP request. items: properties: name: description: The name of the JSON property type: string value: description: Static value of the JSON property x-kubernetes-preserve-unknown-fields: true valueFrom: description: Dynamic value of the JSON property properties: authJSON: description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object required: - name type: object type: array method: default: GET description: 'HTTP verb used in the request to the service. Accepted values: GET (default), POST. When the request method is POST, the authorization JSON is passed in the body of the request.' enum: - GET - POST type: string oauth2: description: Authentication with the HTTP service by OAuth2 Client Credentials grant. 
properties: cache: default: true description: Caches and reuses the token until expired. Set it to false to force fetch the token at every authorization request regardless of expiration. type: boolean clientId: description: OAuth2 Client ID. type: string clientSecretRef: description: Reference to a Kubernetes Secret key that stores the OAuth2 Client Secret. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: The name of the secret in the Authorino's namespace to select from. type: string required: - key - name type: object extraParams: additionalProperties: type: string description: Optional extra parameters for the requests to the token URL. type: object scopes: description: Optional scopes for the client credentials grant, if supported by the OAuth2 server. items: type: string type: array tokenUrl: description: Token endpoint URL of the OAuth2 authorization server. type: string required: - clientId - clientSecretRef - tokenUrl type: object sharedSecretRef: description: Reference to a Secret key whose value will be passed by Authorino in the request. The HTTP service can use the shared secret to authenticate the origin of the request. Ignored if used together with oauth2. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: The name of the secret in the Authorino's namespace to select from. type: string required: - key - name type: object required: - endpoint type: object metrics: default: false description: Whether this metadata config should generate individual observability metrics type: boolean name: description: The name of the metadata source. It can be used to refer to the resolved metadata object in other configs. type: string priority: default: 0 description: Priority group of the config. All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. 
type: integer uma: description: User-Managed Access (UMA) source of resource data. properties: credentialsRef: description: Reference to a Kubernetes secret in the same namespace that stores client credentials to the resource registration API of the UMA server. properties: name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object endpoint: description: The endpoint of the UMA server. The value must coincide with the "issuer" claim of the UMA config discovered from the well-known uma configuration endpoint. type: string required: - credentialsRef - endpoint type: object userInfo: description: OpenID Connect UserInfo linked to an OIDC identity config of this same spec. properties: identitySource: description: The name of an OIDC identity source included in the "identity" section and whose OpenID Connect configuration discovered includes the OIDC "userinfo_endpoint" claim. type: string required: - identitySource type: object when: description: Conditions for Authorino to apply this metadata config. If omitted, the config will be applied for all requests. If present, all conditions must match for the config to be applied; otherwise, the config will be skipped. items: oneOf: - properties: patternRef: {} required: - patternRef - properties: operator: {} selector: {} value: {} required: - operator - selector - properties: all: {} required: - all - properties: any: {} required: - any properties: all: description: A list of pattern expressions to be evaluated as a logical AND. items: type: object x-kubernetes-preserve-unknown-fields: true type: array any: description: A list of pattern expressions to be evaluated as a logical OR. 
items: type: object x-kubernetes-preserve-unknown-fields: true type: array operator: description: 'The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq - incl - excl - matches type: string patternRef: description: Name of a named pattern type: string selector: description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: description: The value of reference for the comparison with the content fetched from the authorization JSON. If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array required: - name type: object type: array patterns: additionalProperties: items: properties: operator: description: 'The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq - incl - excl - matches type: string selector: description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: description: The value of reference for the comparison with the content fetched from the authorization JSON. If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array description: Named sets of JSON patterns that can be referred in `when` conditionals and in JSON-pattern matching policy rules. 
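A concrete metadata section exercising the generic http source (endpoint placeholders, headers, sharedSecretRef with a credentials location, cache), the userInfo source, and named patterns referenced from when. It also fills in a callbacks entry, since the tail of that schema at the top of this section shows the same sharedSecretRef/oauth2 shape; that the callback's http block mirrors the metadata http block is an assumption drawn from that tail. This is an added example written for this page, not from the Authorino project; hostnames, Secret names, header names and the token URL are placeholders.

```yaml
# Added example for this page (not from the Authorino project).
# Placeholders: all *.example.com hosts, Secret names, header names, token URL.
apiVersion: authorino.kuadrant.io/v1beta1
kind: AuthConfig
metadata:
  name: talker-api-metadata
  namespace: apps
spec:
  hosts:
    - talker-api.example.com
  patterns:
    write-request:
      - selector: context.request.http.method
        operator: matches
        value: ^(POST|PUT|PATCH|DELETE)$
  identity:
    - name: oidc-users
      oidc:
        endpoint: https://issuer.example.com/realms/demo
  metadata:
    # Entitlement lookup, only for write requests. With method GET the inputs go
    # into the endpoint as {selector} placeholders; body/bodyParameters are for POST.
    - name: entitlements
      when:
        - patternRef: write-request
      http:
        endpoint: https://entitlements.internal.example.com/check?sub={auth.identity.sub}&path={context.request.http.path}
        method: GET
        headers:
          - name: X-Request-Id
            valueFrom:
              authJSON: context.request.http.headers.x-request-id
        # Shared secret the entitlements service checks to confirm the caller is
        # Authorino. Sent in a custom header: "in: query" would put it in the URL
        # and therefore in access logs and proxies.
        sharedSecretRef:
          name: entitlements-shared-secret
          key: token
        credentials:
          in: custom_header
          keySelector: X-Authorino-Secret
      # Key the cache by subject so one user's entitlements are never served to another.
      cache:
        key:
          valueFrom:
            authJSON: auth.identity.sub
        ttl: 30
      priority: 0
    # UserInfo for the OIDC identity resolved in the identity phase.
    - name: userinfo
      userInfo:
        identitySource: oidc-users
      priority: 0
  callbacks:
    # Audit POST after the pipeline; with POST the authorization JSON is the body.
    # Uses the client credentials grant instead of a shared secret (oauth2 wins
    # over sharedSecretRef when both are set).
    - name: audit
      when:
        - patternRef: write-request
      http:
        endpoint: https://audit.internal.example.com/authorino
        method: POST
        contentType: application/json
        oauth2:
          tokenUrl: https://issuer.example.com/realms/demo/protocol/openid-connect/token
          clientId: authorino-audit
          clientSecretRef:
            name: audit-client
            key: client_secret
          scopes: [audit.write]
          cache: true
      priority: 0
```

The metadata object from the entitlements source becomes available under auth.metadata.entitlements for authorization policies and response items; because the source is skipped when the when condition fails, any policy that reads it must tolerate the key being absent on GET requests.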
type: object response: description: List of response configs. Authorino gathers data from the auth pipeline to build custom responses for the client. items: description: 'Dynamic response to return to the client. Apart from "name", one of the following parameters is required and only one of the following parameters is allowed: "wristband", "json" or "plain".' oneOf: - properties: name: {} wristband: {} required: - name - wristband - properties: json: {} name: {} required: - name - json - properties: name: {} plain: {} required: - name - plain properties: cache: description: Caching options for dynamic responses built when applying this config. Omit it to avoid caching dynamic responses for this config. properties: key: description: Key used to store the entry in the cache. Cache entries from different response configs are stored and managed separately regardless of the key. properties: value: description: Static value type: string valueFrom: description: Dynamic value properties: authJSON: description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object type: object ttl: default: 60 description: Duration (in seconds) of the external data in the cache before pulled again from the source. type: integer required: - key type: object json: properties: properties: description: List of JSON property-value pairs to be added to the dynamic response. 
items: properties: name: description: The name of the JSON property type: string value: description: Static value of the JSON property x-kubernetes-preserve-unknown-fields: true valueFrom: description: Dynamic value of the JSON property properties: authJSON: description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object required: - name type: object type: array required: - properties type: object metrics: default: false description: Whether this response config should generate individual observability metrics type: boolean name: description: Name of the custom response. It can be used to refer to the resolved response object in other configs. type: string plain: description: StaticOrDynamicValue is either a constant static string value or a config for fetching a value from a dynamic source (e.g. a path pattern of authorization JSON) properties: value: description: Static value type: string valueFrom: description: Dynamic value properties: authJSON: description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.' 
type: string type: object type: object priority: default: 0 description: Priority group of the config. All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. type: integer when: description: Conditions for Authorino to enforce this custom response config. If omitted, the config will be enforced for all requests. If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. items: oneOf: - properties: patternRef: {} required: - patternRef - properties: operator: {} selector: {} value: {} required: - operator - selector - properties: all: {} required: - all - properties: any: {} required: - any properties: all: description: A list of pattern expressions to be evaluated as a logical AND. items: type: object x-kubernetes-preserve-unknown-fields: true type: array any: description: A list of pattern expressions to be evaluated as a logical OR. items: type: object x-kubernetes-preserve-unknown-fields: true type: array operator: description: 'The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq - incl - excl - matches type: string patternRef: description: Name of a named pattern type: string selector: description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson. The value is used to fetch content from the input authorization JSON built by Authorino along the identity and metadata phases. type: string value: description: The value of reference for the comparison with the content fetched from the authorization JSON. If used with the "matches" operator, the value must compile to a valid Golang regex. type: string type: object type: array wrapper: default: httpHeader description: How Authorino wraps the response. 
Use "httpHeader" (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata" to wrap the response as Envoy Dynamic Metadata enum: - httpHeader - envoyDynamicMetadata type: string wrapperKey: description: The name of key used in the wrapped response (name of the HTTP header or property of the Envoy Dynamic Metadata JSON). If omitted, it will be set to the name of the configuration. type: string wristband: properties: customClaims: description: Any claims to be added to the wristband token apart from the standard JWT claims (iss, iat, exp) added by default. items: properties: name: description: The name of the JSON property type: string value: description: Static value of the JSON property x-kubernetes-preserve-unknown-fields: true valueFrom: description: Dynamic value of the JSON property properties: authJSON: description: 'Selector to fetch a value from the authorization JSON. It can be any path pattern to fetch from the authorization JSON (e.g. ''context.request.http.host'') or a string template with variable placeholders that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. The following string modifiers are available: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip.' type: string type: object required: - name type: object type: array issuer: description: 'The endpoint to the Authorino service that issues the wristband (format: ://:/, where = /://:/, where = /://:/, where = /
