diff --git a/bundle.Dockerfile b/bundle.Dockerfile index 7d38e3351..b0e0cab55 100644 --- a/bundle.Dockerfile +++ b/bundle.Dockerfile @@ -5,7 +5,7 @@ LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1 LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/ LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/ LABEL operators.operatorframework.io.bundle.package.v1=kuadrant-operator -LABEL operators.operatorframework.io.bundle.channels.v1=alpha +LABEL operators.operatorframework.io.bundle.channels.v1=preview LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.32.0 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1 LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v3 diff --git a/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml b/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml index 1238b6533..2d1095fbd 100644 --- a/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml +++ b/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml @@ -105,13 +105,13 @@ metadata: ] capabilities: Basic Install categories: Integration & Delivery - containerImage: quay.io/kuadrant/kuadrant-operator:latest - createdAt: "2024-04-22T18:17:29Z" + containerImage: quay.io/kuadrant/kuadrant-operator:v0.7.0-rc1 + createdAt: "2024-04-23T17:37:24Z" operators.operatorframework.io/builder: operator-sdk-v1.32.0 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 repository: https://github.com/Kuadrant/kuadrant-operator support: kuadrant - name: kuadrant-operator.v0.0.0 + name: kuadrant-operator.v0.7.0-rc1 namespace: placeholder spec: apiservicedefinitions: {} @@ -599,8 +599,8 @@ spec: - /manager env: - name: RELATED_IMAGE_WASMSHIM - value: oci://quay.io/kuadrant/wasm-shim:latest - image: quay.io/kuadrant/kuadrant-operator:latest + value: oci://quay.io/kuadrant/wasm-shim:v0.4.0-rc1 + image: quay.io/kuadrant/kuadrant-operator:v0.7.0-rc1 livenessProbe: httpGet: path: /healthz @@ -702,7 +702,7 @@ spec: name: Red Hat url: https://github.com/Kuadrant/kuadrant-operator relatedImages: - - image: oci://quay.io/kuadrant/wasm-shim:latest + - image: oci://quay.io/kuadrant/wasm-shim:v0.4.0-rc1 name: wasmshim - replaces: kuadrant-operator.v0.0.0-alpha - version: 0.0.0 + replaces: kuadrant-operator.v0.6.1 + version: 0.7.0-rc1 diff --git a/bundle/manifests/kuadrant.io_authpolicies.yaml b/bundle/manifests/kuadrant.io_authpolicies.yaml index 8b449f832..c522ea84c 100644 --- a/bundle/manifests/kuadrant.io_authpolicies.yaml +++ b/bundle/manifests/kuadrant.io_authpolicies.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.13.0 creationTimestamp: null labels: app: kuadrant @@ -48,42 +48,37 @@ spec: workloads in a Gateway API network properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: - description: |- - RouteSelectors - implicit default validation - RouteSelectors - explicit default validation - RouteSelectors - explicit overrides validation + description: RouteSelectors - implicit default validation RouteSelectors + - explicit default validation RouteSelectors - explicit overrides validation Mutual Exclusivity Validation properties: defaults: - description: |- - Defaults define explicit default values for this policy and for policies inheriting this policy. - Defaults are mutually exclusive with implicit defaults defined by AuthPolicyCommonSpec. + description: Defaults define explicit default values for this policy + and for policies inheriting this policy. Defaults are mutually exclusive + with implicit defaults defined by AuthPolicyCommonSpec. properties: patterns: additionalProperties: items: properties: operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq @@ -92,15 +87,17 @@ spec: - matches type: string selector: - description: |- - Path selector to fetch content from the authorization JSON (e.g. 'request.method'). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - Authorino custom JSON path modifiers are also supported. + description: Path selector to fetch content from the authorization + JSON (e.g. 'request.method'). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson can be + used. Authorino custom JSON path modifiers are also + supported. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. type: string type: object type: array @@ -108,107 +105,93 @@ spec: conditions and in pattern-matching authorization policy rules. type: object routeSelectors: - description: |- - Top-level route selectors. - If present, the elements will be used to select HTTPRoute rules that, when activated, trigger the external authorization service. - At least one selected HTTPRoute rule must match to trigger the AuthPolicy. - If no route selectors are specified, the AuthPolicy will be enforced at all requests to the protected routes. + description: Top-level route selectors. If present, the elements + will be used to select HTTPRoute rules that, when activated, + trigger the external authorization service. At least one selected + HTTPRoute rule must match to trigger the AuthPolicy. If no route + selectors are specified, the AuthPolicy will be enforced at + all requests to the protected routes. items: - description: |- - RouteSelector defines semantics for matching an HTTP request based on conditions - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: RouteSelector defines semantics for matching an + HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: |- - Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: Hostnames defines a set of hostname that should + match against the HTTP Host header to select a HTTPRoute + to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - - - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). - - - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. + description: "Hostname is the fully qualified domain name + of a network host. This matches the RFC 1123 definition + of a hostname with 2 notable exceptions: \n 1. IPs are + not allowed. 2. A hostname may be prefixed with a wildcard + label (`*.`). The wildcard label must appear by itself + as the first label. \n Hostname can be \"precise\" which + is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which + is a domain name prefixed with a single wildcard label + (e.g. `*.example.com`). \n Note that as per RFC1035 + and RFC1123, a *label* must consist of lower case alphanumeric + characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed." maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: |- - Matches define conditions used for matching the rule against incoming HTTP requests. - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: Matches define conditions used for matching + the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate used - to match requests to a given\naction. Multiple match - types are ANDed together, i.e. the match will\nevaluate - to true only if all conditions are satisfied.\n\n\nFor + to match requests to a given action. Multiple match + types are ANDed together, i.e. the match will evaluate + to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only - if its path\nstarts with `/foo` AND it contains the - `version: v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t - \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t - \ value \"v1\"\n\n\n```" + if its path starts with `/foo` AND it contains the `version: + v1` header: \n ``` match: \n path: value: \"/foo\" headers: + - name: \"version\" value \"v1\" \n ```" properties: headers: - description: |- - Headers specifies HTTP request header matchers. Multiple match values are - ANDed together, meaning, a request must match all the specified headers - to select the route. + description: Headers specifies HTTP request header + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified + headers to select the route. items: - description: |- - HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request - headers. + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. properties: name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - - - When a header is repeated in an HTTP request, it is - implementation-specific behavior as to how this is represented. - Generally, proxies should follow the guidance from the RFC: - https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding - processing a repeated header, with special handling for "Set-Cookie". + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, only the first entry with an + equivalent name MUST be considered for a match. + Subsequent entries with an equivalent header + name MUST be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent. \n When a header is repeated in + an HTTP request, it is implementation-specific + behavior as to how this is represented. Generally, + proxies should follow the guidance from the + RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with + special handling for \"Set-Cookie\"." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the header. - - - Support: Core (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression HeaderMatchType has implementation-specific - conformance, implementations can support POSIX, PCRE or any other dialects - of regular expressions. Please read the implementation's documentation to - determine the supported dialect. + description: "Type specifies how to match against + the value of the header. \n Support: Core + (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + HeaderMatchType has implementation-specific + conformance, implementations can support POSIX, + PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." enum: - Exact - RegularExpression @@ -229,13 +212,10 @@ spec: - name x-kubernetes-list-type: map method: - description: |- - Method specifies HTTP method matcher. - When specified, this route will be matched only if the request has the - specified method. - - - Support: Extended + description: "Method specifies HTTP method matcher. + When specified, this route will be matched only + if the request has the specified method. \n Support: + Extended" enum: - GET - HEAD @@ -251,20 +231,15 @@ spec: default: type: PathPrefix value: / - description: |- - Path specifies a HTTP request path matcher. If this field is not - specified, a default prefix match on the "/" path is provided. + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix + match on the "/" path is provided. properties: type: default: PathPrefix - description: |- - Type specifies how to match against the path Value. - - - Support: Core (Exact, PathPrefix) - - - Support: Implementation-specific (RegularExpression) + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Implementation-specific (RegularExpression)" enum: - Exact - PathPrefix @@ -324,60 +299,51 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: |- - QueryParams specifies HTTP query parameter matchers. Multiple match - values are ANDed together, meaning, a request must match all the - specified query parameters to select the route. - - - Support: Extended + description: "QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified + query parameters to select the route. \n Support: + Extended" items: - description: |- - HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP - query parameters. + description: HTTPQueryParamMatch describes how to + select a HTTP route by matching HTTP query parameters. properties: name: - description: |- - Name is the name of the HTTP query param to be matched. This must be an - exact string match. (See - https://tools.ietf.org/html/rfc7230#section-2.7.3). - - - If multiple entries specify equivalent query param names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent query param name MUST be ignored. - - - If a query param is repeated in an HTTP request, the behavior is - purposely left undefined, since different data planes have different - capabilities. However, it is *recommended* that implementations should - match against the first value of the param if the data plane supports it, - as this behavior is expected in other load balancing contexts outside of - the Gateway API. - - - Users SHOULD NOT route traffic based on repeated query params to guard - themselves against potential differences in the implementations. + description: "Name is the name of the HTTP query + param to be matched. This must be an exact + string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent + query param names, only the first entry with + an equivalent name MUST be considered for + a match. Subsequent entries with an equivalent + query param name MUST be ignored. \n If a + query param is repeated in an HTTP request, + the behavior is purposely left undefined, + since different data planes have different + capabilities. However, it is *recommended* + that implementations should match against + the first value of the param if the data plane + supports it, as this behavior is expected + in other load balancing contexts outside of + the Gateway API. \n Users SHOULD NOT route + traffic based on repeated query params to + guard themselves against potential differences + in the implementations." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the query parameter. - - - Support: Extended (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression QueryParamMatchType has Implementation-specific - conformance, implementations can support POSIX, PCRE or any other - dialects of regular expressions. Please read the implementation's - documentation to determine the supported dialect. + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, + PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." enum: - Exact - RegularExpression @@ -404,9 +370,8 @@ spec: maxItems: 15 type: array rules: - description: |- - The auth rules of the policy. - See Authorino's AuthConfig CRD for more details. + description: The auth rules of the policy. See Authorino's AuthConfig + CRD for more details. properties: authentication: additionalProperties: @@ -420,9 +385,10 @@ spec: properties: allNamespaces: default: false - description: |- - Whether Authorino should look for API key secrets in all namespaces or only in the same namespace as the AuthConfig. - Enabling this option in namespaced Authorino instances has no effect. + description: Whether Authorino should look for API + key secrets in all namespaces or only in the same + namespace as the AuthConfig. Enabling this option + in namespaced Authorino instances has no effect. type: boolean selector: description: Label selector used by Authorino to @@ -434,24 +400,28 @@ spec: selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic merge patch. items: type: string @@ -464,10 +434,12 @@ spec: matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -475,20 +447,26 @@ spec: - selector type: object cache: - description: |- - Caching options for the resolved object returned when applying this config. - Omit it to avoid caching objects for this config. + description: Caching options for the resolved object + returned when applying this config. Omit it to avoid + caching objects for this config. properties: key: - description: |- - Key used to store the entry in the cache. - The resolved key must be unique within the scope of this particular config. + description: Key used to store the entry in the + cache. The resolved key must be unique within + the scope of this particular config. properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -504,9 +482,11 @@ spec: - key type: object credentials: - description: |- - Defines where credentials are required to be passed in the request for authentication based on this config. - If omitted, it defaults to credentials passed in the HTTP Authorization header and the "Bearer" prefix prepended to the secret credential value. + description: Defines where credentials are required + to be passed in the request for authentication based + on this config. If omitted, it defaults to credentials + passed in the HTTP Authorization header and the "Bearer" + prefix prepended to the secret credential value. properties: authorizationHeader: properties: @@ -539,45 +519,58 @@ spec: additionalProperties: properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object - description: |- - Set default property values (claims) for the resolved identity object, that are set before appending the object to - the authorization JSON. If the property is already present in the resolved identity object, the default value is ignored. - It requires the resolved identity object to always be a JSON object. - Do not use this option with identity objects of other JSON types (array, string, etc). + description: Set default property values (claims) for + the resolved identity object, that are set before + appending the object to the authorization JSON. If + the property is already present in the resolved identity + object, the default value is ignored. It requires + the resolved identity object to always be a JSON object. + Do not use this option with identity objects of other + JSON types (array, string, etc). type: object jwt: description: Authentication based on JWT tokens. properties: issuerUrl: - description: |- - URL of the issuer of the JWT. - If `jwksUrl` is omitted, Authorino will append the path to the OpenID Connect Well-Known Discovery endpoint - (i.e. "/.well-known/openid-configuration") to this URL, to discover the OIDC configuration where to obtain - the "jkws_uri" claim from. - The value must coincide with the value of the "iss" (issuer) claim of the discovered OpenID Connect configuration. + description: URL of the issuer of the JWT. If `jwksUrl` + is omitted, Authorino will append the path to + the OpenID Connect Well-Known Discovery endpoint + (i.e. "/.well-known/openid-configuration") to + this URL, to discover the OIDC configuration where + to obtain the "jkws_uri" claim from. The value + must coincide with the value of the "iss" (issuer) + claim of the discovered OpenID Connect configuration. type: string ttl: - description: |- - Decides how long to wait before refreshing the JWKS (in seconds). - If omitted, Authorino will never refresh the JWKS. + description: Decides how long to wait before refreshing + the JWKS (in seconds). If omitted, Authorino will + never refresh the JWKS. type: integer type: object kubernetesTokenReview: description: Authentication by Kubernetes token review. properties: audiences: - description: |- - The list of audiences (scopes) that must be claimed in a Kubernetes authentication token supplied in the request, and reviewed by Authorino. - If omitted, Authorino will review tokens expecting the host name of the requested protected service amongst the audiences. + description: The list of audiences (scopes) that + must be claimed in a Kubernetes authentication + token supplied in the request, and reviewed by + Authorino. If omitted, Authorino will review tokens + expecting the host name of the requested protected + service amongst the audiences. items: type: string type: array @@ -596,10 +589,10 @@ spec: to the OAuth2 server. properties: name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' type: string type: object x-kubernetes-map-type: atomic @@ -608,8 +601,7 @@ spec: endpoint. type: string tokenTypeHint: - description: |- - The token type hint for the token introspection. + description: The token type hint for the token introspection. If omitted, it defaults to "access_token". type: string required: @@ -620,144 +612,158 @@ spec: additionalProperties: properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object - description: |- - Overrides the resolved identity object by setting the additional properties (claims) specified in this config, - before appending the object to the authorization JSON. - It requires the resolved identity object to always be a JSON object. - Do not use this option with identity objects of other JSON types (array, string, etc). + description: Overrides the resolved identity object + by setting the additional properties (claims) specified + in this config, before appending the object to the + authorization JSON. It requires the resolved identity + object to always be a JSON object. Do not use this + option with identity objects of other JSON types (array, + string, etc). type: object plain: - description: |- - Identity object extracted from the context. - Use this method when authentication is performed beforehand by a proxy and the resulting object passed to Authorino as JSON in the auth request. + description: Identity object extracted from the context. + Use this method when authentication is performed beforehand + by a proxy and the resulting object passed to Authorino + as JSON in the auth request. properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string required: - selector type: object priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs + in the same priority group are evaluated concurrently; + consecutive priority groups are evaluated sequentially. type: integer routeSelectors: - description: |- - Top-level route selectors. - If present, the elements will be used to select HTTPRoute rules that, when activated, trigger the auth rule. - At least one selected HTTPRoute rule must match to trigger the auth rule. - If no route selectors are specified, the auth rule will be evaluated at all requests to the protected routes. + description: Top-level route selectors. If present, + the elements will be used to select HTTPRoute rules + that, when activated, trigger the auth rule. At least + one selected HTTPRoute rule must match to trigger + the auth rule. If no route selectors are specified, + the auth rule will be evaluated at all requests to + the protected routes. items: - description: |- - RouteSelector defines semantics for matching an HTTP request based on conditions - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: RouteSelector defines semantics for matching + an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: |- - Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request + description: Hostnames defines a set of hostname + that should match against the HTTP Host header + to select a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - - - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). - - - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. + description: "Hostname is the fully qualified + domain name of a network host. This matches + the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard + label (`*.`). The wildcard label must appear + by itself as the first label. \n Hostname + can be \"precise\" which is a domain name + without the terminating dot of a network host + (e.g. \"foo.example.com\") or \"wildcard\", + which is a domain name prefixed with a single + wildcard label (e.g. `*.example.com`). \n + Note that as per RFC1035 and RFC1123, a *label* + must consist of lower case alphanumeric characters + or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed." maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: |- - Matches define conditions used for matching the rule against incoming HTTP requests. + description: Matches define conditions used for + matching the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate - used to match requests to a given\naction. + used to match requests to a given action. Multiple match types are ANDed together, i.e. - the match will\nevaluate to true only if all - conditions are satisfied.\n\n\nFor example, + the match will evaluate to true only if all + conditions are satisfied. \n For example, the match below will match a HTTP request - only if its path\nstarts with `/foo` AND it - contains the `version: v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t - \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t - \ value \"v1\"\n\n\n```" + only if its path starts with `/foo` AND it + contains the `version: v1` header: \n ``` + match: \n path: value: \"/foo\" headers: - + name: \"version\" value \"v1\" \n ```" properties: headers: - description: |- - Headers specifies HTTP request header matchers. Multiple match values are - ANDed together, meaning, a request must match all the specified headers - to select the route. + description: Headers specifies HTTP request + header matchers. Multiple match values + are ANDed together, meaning, a request + must match all the specified headers to + select the route. items: - description: |- - HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request - headers. + description: HTTPHeaderMatch describes + how to select a HTTP route by matching + HTTP request headers. properties: name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - - - When a header is repeated in an HTTP request, it is - implementation-specific behavior as to how this is represented. - Generally, proxies should follow the guidance from the RFC: - https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding - processing a repeated header, with special handling for "Set-Cookie". + description: "Name is the name of + the HTTP Header to be matched. Name + matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, only the first entry + with an equivalent name MUST be + considered for a match. Subsequent + entries with an equivalent header + name MUST be ignored. Due to the + case-insensitivity of header names, + \"foo\" and \"Foo\" are considered + equivalent. \n When a header is + repeated in an HTTP request, it + is implementation-specific behavior + as to how this is represented. Generally, + proxies should follow the guidance + from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated + header, with special handling for + \"Set-Cookie\"." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the header. - - - Support: Core (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression HeaderMatchType has implementation-specific - conformance, implementations can support POSIX, PCRE or any other dialects - of regular expressions. Please read the implementation's documentation to - determine the supported dialect. + description: "Type specifies how to + match against the value of the header. + \n Support: Core (Exact) \n Support: + Implementation-specific (RegularExpression) + \n Since RegularExpression HeaderMatchType + has implementation-specific conformance, + implementations can support POSIX, + PCRE or any other dialects of regular + expressions. Please read the implementation's + documentation to determine the supported + dialect." enum: - Exact - RegularExpression @@ -778,13 +784,10 @@ spec: - name x-kubernetes-list-type: map method: - description: |- - Method specifies HTTP method matcher. - When specified, this route will be matched only if the request has the - specified method. - - - Support: Extended + description: "Method specifies HTTP method + matcher. When specified, this route will + be matched only if the request has the + specified method. \n Support: Extended" enum: - GET - HEAD @@ -800,20 +803,17 @@ spec: default: type: PathPrefix value: / - description: |- - Path specifies a HTTP request path matcher. If this field is not - specified, a default prefix match on the "/" path is provided. + description: Path specifies a HTTP request + path matcher. If this field is not specified, + a default prefix match on the "/" path + is provided. properties: type: default: PathPrefix - description: |- - Type specifies how to match against the path Value. - - - Support: Core (Exact, PathPrefix) - - - Support: Implementation-specific (RegularExpression) + description: "Type specifies how to + match against the path Value. \n Support: + Core (Exact, PathPrefix) \n Support: + Implementation-specific (RegularExpression)" enum: - Exact - PathPrefix @@ -875,60 +875,61 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: |- - QueryParams specifies HTTP query parameter matchers. Multiple match - values are ANDed together, meaning, a request must match all the - specified query parameters to select the route. - - - Support: Extended + description: "QueryParams specifies HTTP + query parameter matchers. Multiple match + values are ANDed together, meaning, a + request must match all the specified query + parameters to select the route. \n Support: + Extended" items: - description: |- - HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP - query parameters. + description: HTTPQueryParamMatch describes + how to select a HTTP route by matching + HTTP query parameters. properties: name: - description: |- - Name is the name of the HTTP query param to be matched. This must be an - exact string match. (See - https://tools.ietf.org/html/rfc7230#section-2.7.3). - - - If multiple entries specify equivalent query param names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent query param name MUST be ignored. - - - If a query param is repeated in an HTTP request, the behavior is - purposely left undefined, since different data planes have different - capabilities. However, it is *recommended* that implementations should - match against the first value of the param if the data plane supports it, - as this behavior is expected in other load balancing contexts outside of - the Gateway API. - - - Users SHOULD NOT route traffic based on repeated query params to guard - themselves against potential differences in the implementations. + description: "Name is the name of + the HTTP query param to be matched. + This must be an exact string match. + (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent + query param names, only the first + entry with an equivalent name MUST + be considered for a match. Subsequent + entries with an equivalent query + param name MUST be ignored. \n If + a query param is repeated in an + HTTP request, the behavior is purposely + left undefined, since different + data planes have different capabilities. + However, it is *recommended* that + implementations should match against + the first value of the param if + the data plane supports it, as this + behavior is expected in other load + balancing contexts outside of the + Gateway API. \n Users SHOULD NOT + route traffic based on repeated + query params to guard themselves + against potential differences in + the implementations." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the query parameter. - - - Support: Extended (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression QueryParamMatchType has Implementation-specific - conformance, implementations can support POSIX, PCRE or any other - dialects of regular expressions. Please read the implementation's - documentation to determine the supported dialect. + description: "Type specifies how to + match against the value of the query + parameter. \n Support: Extended + (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + QueryParamMatchType has Implementation-specific + conformance, implementations can + support POSIX, PCRE or any other + dialects of regular expressions. + Please read the implementation's + documentation to determine the supported + dialect." enum: - Exact - RegularExpression @@ -955,10 +956,11 @@ spec: maxItems: 8 type: array when: - description: |- - Conditions for Authorino to enforce this config. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this + config. If omitted, the config will be enforced for + all requests. If present, all conditions must match + for the config to be enforced; otherwise, the config + will be skipped. items: properties: all: @@ -976,9 +978,12 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied + to the content fetched from the authorization + JSON, for comparison with "value". Possible + values are: "eq" (equal to), "neq" (not equal + to), "incl" (includes; for arrays), "excl" (excludes; + for arrays), "matches" (regex)' enum: - eq - neq @@ -991,57 +996,66 @@ spec: expressions type: string selector: - description: |- - Path selector to fetch content from the authorization JSON (e.g. 'request.method'). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - Authorino custom JSON path modifiers are also supported. + description: Path selector to fetch content from + the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path modifiers + are also supported. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the + value must compile to a valid Golang regex. type: string type: object type: array x509: - description: |- - Authentication based on client X.509 certificates. - The certificates presented by the clients must be signed by a trusted CA whose certificates are stored in Kubernetes secrets. + description: Authentication based on client X.509 certificates. + The certificates presented by the clients must be + signed by a trusted CA whose certificates are stored + in Kubernetes secrets. properties: allNamespaces: default: false - description: |- - Whether Authorino should look for TLS secrets in all namespaces or only in the same namespace as the AuthConfig. - Enabling this option in namespaced Authorino instances has no effect. + description: Whether Authorino should look for TLS + secrets in all namespaces or only in the same + namespace as the AuthConfig. Enabling this option + in namespaced Authorino instances has no effect. type: boolean selector: - description: |- - Label selector used by Authorino to match secrets from the cluster storing trusted CA certificates to validate - clients trying to authenticate to this service + description: Label selector used by Authorino to + match secrets from the cluster storing trusted + CA certificates to validate clients trying to + authenticate to this service properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic merge patch. items: type: string @@ -1054,10 +1068,12 @@ spec: matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1065,29 +1081,35 @@ spec: - selector type: object type: object - description: |- - Authentication configs. - At least one config MUST evaluate to a valid identity object for the auth request to be successful. + description: Authentication configs. At least one config MUST + evaluate to a valid identity object for the auth request + to be successful. maxProperties: 10 type: object authorization: additionalProperties: properties: cache: - description: |- - Caching options for the resolved object returned when applying this config. - Omit it to avoid caching objects for this config. + description: Caching options for the resolved object + returned when applying this config. Omit it to avoid + caching objects for this config. properties: key: - description: |- - Key used to store the entry in the cache. - The resolved key must be unique within the scope of this particular config. + description: Key used to store the entry in the + cache. The resolved key must be unique within + the scope of this particular config. properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -1113,35 +1135,47 @@ spec: type: string type: array resourceAttributes: - description: |- - Use resourceAttributes to check permissions on Kubernetes resources. - If omitted, it performs a non-resource SubjectAccessReview, with verb and path inferred from the request. + description: Use resourceAttributes to check permissions + on Kubernetes resources. If omitted, it performs + a non-resource SubjectAccessReview, with verb + and path inferred from the request. properties: group: - description: |- - API group of the resource. - Use '*' for all API groups. + description: API group of the resource. Use + '*' for all API groups. properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object name: - description: |- - Resource name - Omit it to check for authorization on all resources of the specified kind. + description: Resource name Omit it to check + for authorization on all resources of the + specified kind. properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -1152,25 +1186,36 @@ spec: permissions on the resource. properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object resource: - description: |- - Resource kind - Use '*' for all resource kinds. + description: Resource kind Use '*' for all resource + kinds. properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -1180,25 +1225,36 @@ spec: description: Subresource kind properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object verb: - description: |- - Verb to check for authorization on the resource. - Use '*' for all verbs. + description: Verb to check for authorization + on the resource. Use '*' for all verbs. properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -1206,15 +1262,21 @@ spec: type: object type: object user: - description: |- - User to check for authorization in the Kubernetes RBAC. - Omit it to check for group authorization only. + description: User to check for authorization in + the Kubernetes RBAC. Omit it to check for group + authorization only. properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -1231,29 +1293,41 @@ spec: properties: allValues: default: false - description: |- - Returns the value of all Rego rules in the virtual document. Values can be read in subsequent evaluators/phases of the Auth Pipeline. - Otherwise, only the default `allow` rule will be exposed. - Returning all Rego rules can affect performance of OPA policies during reconciliation (policy precompile) and at runtime. + description: Returns the value of all Rego rules + in the virtual document. Values can be read in + subsequent evaluators/phases of the Auth Pipeline. + Otherwise, only the default `allow` rule will + be exposed. Returning all Rego rules can affect + performance of OPA policies during reconciliation + (policy precompile) and at runtime. type: boolean externalPolicy: - description: |- - Settings for fetching the OPA policy from an external registry. - Use it alternatively to 'rego'. - For the configurations of the HTTP request, the following options are not implemented: 'method', 'body', 'bodyParameters', - 'contentType', 'headers', 'oauth2'. Use it only with: 'url', 'sharedSecret', 'credentials'. + description: 'Settings for fetching the OPA policy + from an external registry. Use it alternatively + to ''rego''. For the configurations of the HTTP + request, the following options are not implemented: + ''method'', ''body'', ''bodyParameters'', ''contentType'', + ''headers'', ''oauth2''. Use it only with: ''url'', + ''sharedSecret'', ''credentials''.' properties: body: - description: |- - Raw body of the HTTP request. - Supersedes 'bodyParameters'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Raw body of the HTTP request. Supersedes + 'bodyParameters'; use either one or the other. + Use it with method=POST; for GET requests, + set parameters as query string in the 'endpoint' + (placeholders can be used). properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -1263,33 +1337,45 @@ spec: additionalProperties: properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to + fetch content from the authorization + JSON (e.g. ''request.method'') or a + string template with variables that + resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino + custom modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object - description: |- - Custom parameters to encode in the body of the HTTP request. - Superseded by 'body'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Custom parameters to encode in + the body of the HTTP request. Superseded by + 'body'; use either one or the other. Use it + with method=POST; for GET requests, set parameters + as query string in the 'endpoint' (placeholders + can be used). type: object contentType: default: application/x-www-form-urlencoded - description: |- - Content-Type of the request body. Shapes how 'bodyParameters' are encoded. - Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + description: Content-Type of the request body. + Shapes how 'bodyParameters' are encoded. Use + it with method=POST; for GET requests, Content-Type + is automatically set to 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: - description: |- - Defines where client credentials will be passed in the request to the service. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + description: Defines where client credentials + will be passed in the request to the service. + If omitted, it defaults to client credentials + passed in the HTTP Authorization header and + the "Bearer" prefix expected prepended to + the secret value. properties: authorizationHeader: properties: @@ -1322,10 +1408,16 @@ spec: additionalProperties: properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to + fetch content from the authorization + JSON (e.g. ''request.method'') or a + string template with variables that + resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino + custom modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -1335,9 +1427,11 @@ spec: type: object method: default: GET - description: |- - HTTP verb used in the request to the service. Accepted values: GET (default), POST. - When the request method is POST, the authorization JSON is passed in the body of the request. + description: 'HTTP verb used in the request + to the service. Accepted values: GET (default), + POST. When the request method is POST, the + authorization JSON is passed in the body of + the request.' enum: - GET - POST @@ -1355,9 +1449,10 @@ spec: properties: cache: default: true - description: |- - Caches and reuses the token until expired. - Set it to false to force fetch the token at every authorization request regardless of expiration. + description: Caches and reuses the token + until expired. Set it to false to force + fetch the token at every authorization + request regardless of expiration. type: boolean clientId: description: OAuth2 Client ID. @@ -1403,9 +1498,10 @@ spec: - tokenUrl type: object sharedSecretRef: - description: |- - Reference to a Secret key whose value will be passed by Authorino in the request. - The HTTP service can use the shared secret to authenticate the origin of the request. + description: Reference to a Secret key whose + value will be passed by Authorino in the request. + The HTTP service can use the shared secret + to authenticate the origin of the request. Ignored if used together with oauth2. properties: key: @@ -1426,20 +1522,23 @@ spec: the source. type: integer url: - description: |- - Endpoint URL of the HTTP service. - The value can include variable placeholders in the format "{selector}", where "selector" is any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + description: Endpoint URL of the HTTP service. + The value can include variable placeholders + in the format "{selector}", where "selector" + is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string required: - url type: object rego: - description: |- - Authorization policy as a Rego language document. - The Rego document must include the "allow" condition, set by Authorino to "false" by default (i.e. requests are unauthorized unless changed). - The Rego document must NOT include the "package" declaration in line 1. + description: Authorization policy as a Rego language + document. The Rego document must include the "allow" + condition, set by Authorino to "false" by default + (i.e. requests are unauthorized unless changed). + The Rego document must NOT include the "package" + declaration in line 1. type: string type: object patternMatching: @@ -1463,9 +1562,13 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied + to the content fetched from the authorization + JSON, for comparison with "value". Possible + values are: "eq" (equal to), "neq" (not + equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" + (regex)' enum: - eq - neq @@ -1478,15 +1581,18 @@ spec: expressions type: string selector: - description: |- - Path selector to fetch content from the authorization JSON (e.g. 'request.method'). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - Authorino custom JSON path modifiers are also supported. + description: Path selector to fetch content + from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path + modifiers are also supported. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the + comparison with the content fetched from + the authorization JSON. If used with the + "matches" operator, the value must compile + to a valid Golang regex. type: string type: object type: array @@ -1495,113 +1601,115 @@ spec: type: object priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs + in the same priority group are evaluated concurrently; + consecutive priority groups are evaluated sequentially. type: integer routeSelectors: - description: |- - Top-level route selectors. - If present, the elements will be used to select HTTPRoute rules that, when activated, trigger the auth rule. - At least one selected HTTPRoute rule must match to trigger the auth rule. - If no route selectors are specified, the auth rule will be evaluated at all requests to the protected routes. + description: Top-level route selectors. If present, + the elements will be used to select HTTPRoute rules + that, when activated, trigger the auth rule. At least + one selected HTTPRoute rule must match to trigger + the auth rule. If no route selectors are specified, + the auth rule will be evaluated at all requests to + the protected routes. items: - description: |- - RouteSelector defines semantics for matching an HTTP request based on conditions - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: RouteSelector defines semantics for matching + an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: |- - Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request + description: Hostnames defines a set of hostname + that should match against the HTTP Host header + to select a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - - - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). - - - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. + description: "Hostname is the fully qualified + domain name of a network host. This matches + the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard + label (`*.`). The wildcard label must appear + by itself as the first label. \n Hostname + can be \"precise\" which is a domain name + without the terminating dot of a network host + (e.g. \"foo.example.com\") or \"wildcard\", + which is a domain name prefixed with a single + wildcard label (e.g. `*.example.com`). \n + Note that as per RFC1035 and RFC1123, a *label* + must consist of lower case alphanumeric characters + or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed." maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: |- - Matches define conditions used for matching the rule against incoming HTTP requests. + description: Matches define conditions used for + matching the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate - used to match requests to a given\naction. + used to match requests to a given action. Multiple match types are ANDed together, i.e. - the match will\nevaluate to true only if all - conditions are satisfied.\n\n\nFor example, + the match will evaluate to true only if all + conditions are satisfied. \n For example, the match below will match a HTTP request - only if its path\nstarts with `/foo` AND it - contains the `version: v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t - \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t - \ value \"v1\"\n\n\n```" + only if its path starts with `/foo` AND it + contains the `version: v1` header: \n ``` + match: \n path: value: \"/foo\" headers: - + name: \"version\" value \"v1\" \n ```" properties: headers: - description: |- - Headers specifies HTTP request header matchers. Multiple match values are - ANDed together, meaning, a request must match all the specified headers - to select the route. + description: Headers specifies HTTP request + header matchers. Multiple match values + are ANDed together, meaning, a request + must match all the specified headers to + select the route. items: - description: |- - HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request - headers. + description: HTTPHeaderMatch describes + how to select a HTTP route by matching + HTTP request headers. properties: name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - - - When a header is repeated in an HTTP request, it is - implementation-specific behavior as to how this is represented. - Generally, proxies should follow the guidance from the RFC: - https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding - processing a repeated header, with special handling for "Set-Cookie". + description: "Name is the name of + the HTTP Header to be matched. Name + matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, only the first entry + with an equivalent name MUST be + considered for a match. Subsequent + entries with an equivalent header + name MUST be ignored. Due to the + case-insensitivity of header names, + \"foo\" and \"Foo\" are considered + equivalent. \n When a header is + repeated in an HTTP request, it + is implementation-specific behavior + as to how this is represented. Generally, + proxies should follow the guidance + from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated + header, with special handling for + \"Set-Cookie\"." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the header. - - - Support: Core (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression HeaderMatchType has implementation-specific - conformance, implementations can support POSIX, PCRE or any other dialects - of regular expressions. Please read the implementation's documentation to - determine the supported dialect. + description: "Type specifies how to + match against the value of the header. + \n Support: Core (Exact) \n Support: + Implementation-specific (RegularExpression) + \n Since RegularExpression HeaderMatchType + has implementation-specific conformance, + implementations can support POSIX, + PCRE or any other dialects of regular + expressions. Please read the implementation's + documentation to determine the supported + dialect." enum: - Exact - RegularExpression @@ -1622,13 +1730,10 @@ spec: - name x-kubernetes-list-type: map method: - description: |- - Method specifies HTTP method matcher. - When specified, this route will be matched only if the request has the - specified method. - - - Support: Extended + description: "Method specifies HTTP method + matcher. When specified, this route will + be matched only if the request has the + specified method. \n Support: Extended" enum: - GET - HEAD @@ -1644,20 +1749,17 @@ spec: default: type: PathPrefix value: / - description: |- - Path specifies a HTTP request path matcher. If this field is not - specified, a default prefix match on the "/" path is provided. + description: Path specifies a HTTP request + path matcher. If this field is not specified, + a default prefix match on the "/" path + is provided. properties: type: default: PathPrefix - description: |- - Type specifies how to match against the path Value. - - - Support: Core (Exact, PathPrefix) - - - Support: Implementation-specific (RegularExpression) + description: "Type specifies how to + match against the path Value. \n Support: + Core (Exact, PathPrefix) \n Support: + Implementation-specific (RegularExpression)" enum: - Exact - PathPrefix @@ -1719,60 +1821,61 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: |- - QueryParams specifies HTTP query parameter matchers. Multiple match - values are ANDed together, meaning, a request must match all the - specified query parameters to select the route. - - - Support: Extended + description: "QueryParams specifies HTTP + query parameter matchers. Multiple match + values are ANDed together, meaning, a + request must match all the specified query + parameters to select the route. \n Support: + Extended" items: - description: |- - HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP - query parameters. + description: HTTPQueryParamMatch describes + how to select a HTTP route by matching + HTTP query parameters. properties: name: - description: |- - Name is the name of the HTTP query param to be matched. This must be an - exact string match. (See - https://tools.ietf.org/html/rfc7230#section-2.7.3). - - - If multiple entries specify equivalent query param names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent query param name MUST be ignored. - - - If a query param is repeated in an HTTP request, the behavior is - purposely left undefined, since different data planes have different - capabilities. However, it is *recommended* that implementations should - match against the first value of the param if the data plane supports it, - as this behavior is expected in other load balancing contexts outside of - the Gateway API. - - - Users SHOULD NOT route traffic based on repeated query params to guard - themselves against potential differences in the implementations. + description: "Name is the name of + the HTTP query param to be matched. + This must be an exact string match. + (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent + query param names, only the first + entry with an equivalent name MUST + be considered for a match. Subsequent + entries with an equivalent query + param name MUST be ignored. \n If + a query param is repeated in an + HTTP request, the behavior is purposely + left undefined, since different + data planes have different capabilities. + However, it is *recommended* that + implementations should match against + the first value of the param if + the data plane supports it, as this + behavior is expected in other load + balancing contexts outside of the + Gateway API. \n Users SHOULD NOT + route traffic based on repeated + query params to guard themselves + against potential differences in + the implementations." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the query parameter. - - - Support: Extended (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression QueryParamMatchType has Implementation-specific - conformance, implementations can support POSIX, PCRE or any other - dialects of regular expressions. Please read the implementation's - documentation to determine the supported dialect. + description: "Type specifies how to + match against the value of the query + parameter. \n Support: Extended + (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + QueryParamMatchType has Implementation-specific + conformance, implementations can + support POSIX, PCRE or any other + dialects of regular expressions. + Please read the implementation's + documentation to determine the supported + dialect." enum: - Exact - RegularExpression @@ -1815,10 +1918,16 @@ spec: on which to execute the check. properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -1831,10 +1940,16 @@ spec: kind: properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -1843,10 +1958,16 @@ spec: name: properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -1877,10 +1998,16 @@ spec: kind: properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -1889,10 +2016,16 @@ spec: name: properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -1903,10 +2036,11 @@ spec: - endpoint type: object when: - description: |- - Conditions for Authorino to enforce this config. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this + config. If omitted, the config will be enforced for + all requests. If present, all conditions must match + for the config to be enforced; otherwise, the config + will be skipped. items: properties: all: @@ -1924,9 +2058,12 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied + to the content fetched from the authorization + JSON, for comparison with "value". Possible + values are: "eq" (equal to), "neq" (not equal + to), "incl" (includes; for arrays), "excl" (excludes; + for arrays), "matches" (regex)' enum: - eq - neq @@ -1939,42 +2076,49 @@ spec: expressions type: string selector: - description: |- - Path selector to fetch content from the authorization JSON (e.g. 'request.method'). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - Authorino custom JSON path modifiers are also supported. + description: Path selector to fetch content from + the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path modifiers + are also supported. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the + value must compile to a valid Golang regex. type: string type: object type: array type: object - description: |- - Authorization policies. - All policies MUST evaluate to "allowed = true" for the auth request be successful. + description: Authorization policies. All policies MUST evaluate + to "allowed = true" for the auth request be successful. maxProperties: 10 type: object callbacks: additionalProperties: properties: cache: - description: |- - Caching options for the resolved object returned when applying this config. - Omit it to avoid caching objects for this config. + description: Caching options for the resolved object + returned when applying this config. Omit it to avoid + caching objects for this config. properties: key: - description: |- - Key used to store the entry in the cache. - The resolved key must be unique within the scope of this particular config. + description: Key used to store the entry in the + cache. The resolved key must be unique within + the scope of this particular config. properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -1993,16 +2137,23 @@ spec: description: Settings of the external HTTP request properties: body: - description: |- - Raw body of the HTTP request. - Supersedes 'bodyParameters'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Raw body of the HTTP request. Supersedes + 'bodyParameters'; use either one or the other. + Use it with method=POST; for GET requests, set + parameters as query string in the 'endpoint' (placeholders + can be used). properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -2012,33 +2163,43 @@ spec: additionalProperties: properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object - description: |- - Custom parameters to encode in the body of the HTTP request. - Superseded by 'body'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Custom parameters to encode in the + body of the HTTP request. Superseded by 'body'; + use either one or the other. Use it with method=POST; + for GET requests, set parameters as query string + in the 'endpoint' (placeholders can be used). type: object contentType: default: application/x-www-form-urlencoded - description: |- - Content-Type of the request body. Shapes how 'bodyParameters' are encoded. - Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + description: Content-Type of the request body. Shapes + how 'bodyParameters' are encoded. Use it with + method=POST; for GET requests, Content-Type is + automatically set to 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: - description: |- - Defines where client credentials will be passed in the request to the service. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + description: Defines where client credentials will + be passed in the request to the service. If omitted, + it defaults to client credentials passed in the + HTTP Authorization header and the "Bearer" prefix + expected prepended to the secret value. properties: authorizationHeader: properties: @@ -2071,10 +2232,16 @@ spec: additionalProperties: properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -2084,9 +2251,10 @@ spec: type: object method: default: GET - description: |- - HTTP verb used in the request to the service. Accepted values: GET (default), POST. - When the request method is POST, the authorization JSON is passed in the body of the request. + description: 'HTTP verb used in the request to the + service. Accepted values: GET (default), POST. + When the request method is POST, the authorization + JSON is passed in the body of the request.' enum: - GET - POST @@ -2104,9 +2272,10 @@ spec: properties: cache: default: true - description: |- - Caches and reuses the token until expired. - Set it to false to force fetch the token at every authorization request regardless of expiration. + description: Caches and reuses the token until + expired. Set it to false to force fetch the + token at every authorization request regardless + of expiration. type: boolean clientId: description: OAuth2 Client ID. @@ -2150,10 +2319,11 @@ spec: - tokenUrl type: object sharedSecretRef: - description: |- - Reference to a Secret key whose value will be passed by Authorino in the request. - The HTTP service can use the shared secret to authenticate the origin of the request. - Ignored if used together with oauth2. + description: Reference to a Secret key whose value + will be passed by Authorino in the request. The + HTTP service can use the shared secret to authenticate + the origin of the request. Ignored if used together + with oauth2. properties: key: description: The key of the secret to select @@ -2168,10 +2338,11 @@ spec: - name type: object url: - description: |- - Endpoint URL of the HTTP service. - The value can include variable placeholders in the format "{selector}", where "selector" is any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + description: Endpoint URL of the HTTP service. The + value can include variable placeholders in the + format "{selector}", where "selector" is any pattern + supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string required: @@ -2184,113 +2355,115 @@ spec: type: boolean priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs + in the same priority group are evaluated concurrently; + consecutive priority groups are evaluated sequentially. type: integer routeSelectors: - description: |- - Top-level route selectors. - If present, the elements will be used to select HTTPRoute rules that, when activated, trigger the auth rule. - At least one selected HTTPRoute rule must match to trigger the auth rule. - If no route selectors are specified, the auth rule will be evaluated at all requests to the protected routes. + description: Top-level route selectors. If present, + the elements will be used to select HTTPRoute rules + that, when activated, trigger the auth rule. At least + one selected HTTPRoute rule must match to trigger + the auth rule. If no route selectors are specified, + the auth rule will be evaluated at all requests to + the protected routes. items: - description: |- - RouteSelector defines semantics for matching an HTTP request based on conditions - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: RouteSelector defines semantics for matching + an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: |- - Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request + description: Hostnames defines a set of hostname + that should match against the HTTP Host header + to select a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - - - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). - - - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. + description: "Hostname is the fully qualified + domain name of a network host. This matches + the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard + label (`*.`). The wildcard label must appear + by itself as the first label. \n Hostname + can be \"precise\" which is a domain name + without the terminating dot of a network host + (e.g. \"foo.example.com\") or \"wildcard\", + which is a domain name prefixed with a single + wildcard label (e.g. `*.example.com`). \n + Note that as per RFC1035 and RFC1123, a *label* + must consist of lower case alphanumeric characters + or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed." maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: |- - Matches define conditions used for matching the rule against incoming HTTP requests. + description: Matches define conditions used for + matching the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate - used to match requests to a given\naction. + used to match requests to a given action. Multiple match types are ANDed together, i.e. - the match will\nevaluate to true only if all - conditions are satisfied.\n\n\nFor example, + the match will evaluate to true only if all + conditions are satisfied. \n For example, the match below will match a HTTP request - only if its path\nstarts with `/foo` AND it - contains the `version: v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t - \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t - \ value \"v1\"\n\n\n```" + only if its path starts with `/foo` AND it + contains the `version: v1` header: \n ``` + match: \n path: value: \"/foo\" headers: - + name: \"version\" value \"v1\" \n ```" properties: headers: - description: |- - Headers specifies HTTP request header matchers. Multiple match values are - ANDed together, meaning, a request must match all the specified headers - to select the route. + description: Headers specifies HTTP request + header matchers. Multiple match values + are ANDed together, meaning, a request + must match all the specified headers to + select the route. items: - description: |- - HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request - headers. + description: HTTPHeaderMatch describes + how to select a HTTP route by matching + HTTP request headers. properties: name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - - - When a header is repeated in an HTTP request, it is - implementation-specific behavior as to how this is represented. - Generally, proxies should follow the guidance from the RFC: - https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding - processing a repeated header, with special handling for "Set-Cookie". + description: "Name is the name of + the HTTP Header to be matched. Name + matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, only the first entry + with an equivalent name MUST be + considered for a match. Subsequent + entries with an equivalent header + name MUST be ignored. Due to the + case-insensitivity of header names, + \"foo\" and \"Foo\" are considered + equivalent. \n When a header is + repeated in an HTTP request, it + is implementation-specific behavior + as to how this is represented. Generally, + proxies should follow the guidance + from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated + header, with special handling for + \"Set-Cookie\"." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the header. - - - Support: Core (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression HeaderMatchType has implementation-specific - conformance, implementations can support POSIX, PCRE or any other dialects - of regular expressions. Please read the implementation's documentation to - determine the supported dialect. + description: "Type specifies how to + match against the value of the header. + \n Support: Core (Exact) \n Support: + Implementation-specific (RegularExpression) + \n Since RegularExpression HeaderMatchType + has implementation-specific conformance, + implementations can support POSIX, + PCRE or any other dialects of regular + expressions. Please read the implementation's + documentation to determine the supported + dialect." enum: - Exact - RegularExpression @@ -2311,13 +2484,10 @@ spec: - name x-kubernetes-list-type: map method: - description: |- - Method specifies HTTP method matcher. - When specified, this route will be matched only if the request has the - specified method. - - - Support: Extended + description: "Method specifies HTTP method + matcher. When specified, this route will + be matched only if the request has the + specified method. \n Support: Extended" enum: - GET - HEAD @@ -2333,20 +2503,17 @@ spec: default: type: PathPrefix value: / - description: |- - Path specifies a HTTP request path matcher. If this field is not - specified, a default prefix match on the "/" path is provided. + description: Path specifies a HTTP request + path matcher. If this field is not specified, + a default prefix match on the "/" path + is provided. properties: type: default: PathPrefix - description: |- - Type specifies how to match against the path Value. - - - Support: Core (Exact, PathPrefix) - - - Support: Implementation-specific (RegularExpression) + description: "Type specifies how to + match against the path Value. \n Support: + Core (Exact, PathPrefix) \n Support: + Implementation-specific (RegularExpression)" enum: - Exact - PathPrefix @@ -2408,60 +2575,61 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: |- - QueryParams specifies HTTP query parameter matchers. Multiple match - values are ANDed together, meaning, a request must match all the - specified query parameters to select the route. - - - Support: Extended + description: "QueryParams specifies HTTP + query parameter matchers. Multiple match + values are ANDed together, meaning, a + request must match all the specified query + parameters to select the route. \n Support: + Extended" items: - description: |- - HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP - query parameters. + description: HTTPQueryParamMatch describes + how to select a HTTP route by matching + HTTP query parameters. properties: name: - description: |- - Name is the name of the HTTP query param to be matched. This must be an - exact string match. (See - https://tools.ietf.org/html/rfc7230#section-2.7.3). - - - If multiple entries specify equivalent query param names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent query param name MUST be ignored. - - - If a query param is repeated in an HTTP request, the behavior is - purposely left undefined, since different data planes have different - capabilities. However, it is *recommended* that implementations should - match against the first value of the param if the data plane supports it, - as this behavior is expected in other load balancing contexts outside of - the Gateway API. - - - Users SHOULD NOT route traffic based on repeated query params to guard - themselves against potential differences in the implementations. + description: "Name is the name of + the HTTP query param to be matched. + This must be an exact string match. + (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent + query param names, only the first + entry with an equivalent name MUST + be considered for a match. Subsequent + entries with an equivalent query + param name MUST be ignored. \n If + a query param is repeated in an + HTTP request, the behavior is purposely + left undefined, since different + data planes have different capabilities. + However, it is *recommended* that + implementations should match against + the first value of the param if + the data plane supports it, as this + behavior is expected in other load + balancing contexts outside of the + Gateway API. \n Users SHOULD NOT + route traffic based on repeated + query params to guard themselves + against potential differences in + the implementations." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the query parameter. - - - Support: Extended (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression QueryParamMatchType has Implementation-specific - conformance, implementations can support POSIX, PCRE or any other - dialects of regular expressions. Please read the implementation's - documentation to determine the supported dialect. + description: "Type specifies how to + match against the value of the query + parameter. \n Support: Extended + (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + QueryParamMatchType has Implementation-specific + conformance, implementations can + support POSIX, PCRE or any other + dialects of regular expressions. + Please read the implementation's + documentation to determine the supported + dialect." enum: - Exact - RegularExpression @@ -2488,10 +2656,11 @@ spec: maxItems: 8 type: array when: - description: |- - Conditions for Authorino to enforce this config. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this + config. If omitted, the config will be enforced for + all requests. If present, all conditions must match + for the config to be enforced; otherwise, the config + will be skipped. items: properties: all: @@ -2509,9 +2678,12 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied + to the content fetched from the authorization + JSON, for comparison with "value". Possible + values are: "eq" (equal to), "neq" (not equal + to), "incl" (includes; for arrays), "excl" (excludes; + for arrays), "matches" (regex)' enum: - eq - neq @@ -2524,44 +2696,52 @@ spec: expressions type: string selector: - description: |- - Path selector to fetch content from the authorization JSON (e.g. 'request.method'). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - Authorino custom JSON path modifiers are also supported. + description: Path selector to fetch content from + the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path modifiers + are also supported. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the + value must compile to a valid Golang regex. type: string type: object type: array required: - http type: object - description: |- - Callback functions. - Authorino sends callbacks at the end of the auth pipeline to the endpoints specified in this config. + description: Callback functions. Authorino sends callbacks + at the end of the auth pipeline to the endpoints specified + in this config. maxProperties: 10 type: object metadata: additionalProperties: properties: cache: - description: |- - Caching options for the resolved object returned when applying this config. - Omit it to avoid caching objects for this config. + description: Caching options for the resolved object + returned when applying this config. Omit it to avoid + caching objects for this config. properties: key: - description: |- - Key used to store the entry in the cache. - The resolved key must be unique within the scope of this particular config. + description: Key used to store the entry in the + cache. The resolved key must be unique within + the scope of this particular config. properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -2581,16 +2761,23 @@ spec: request properties: body: - description: |- - Raw body of the HTTP request. - Supersedes 'bodyParameters'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Raw body of the HTTP request. Supersedes + 'bodyParameters'; use either one or the other. + Use it with method=POST; for GET requests, set + parameters as query string in the 'endpoint' (placeholders + can be used). properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -2600,33 +2787,43 @@ spec: additionalProperties: properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object - description: |- - Custom parameters to encode in the body of the HTTP request. - Superseded by 'body'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Custom parameters to encode in the + body of the HTTP request. Superseded by 'body'; + use either one or the other. Use it with method=POST; + for GET requests, set parameters as query string + in the 'endpoint' (placeholders can be used). type: object contentType: default: application/x-www-form-urlencoded - description: |- - Content-Type of the request body. Shapes how 'bodyParameters' are encoded. - Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + description: Content-Type of the request body. Shapes + how 'bodyParameters' are encoded. Use it with + method=POST; for GET requests, Content-Type is + automatically set to 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: - description: |- - Defines where client credentials will be passed in the request to the service. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + description: Defines where client credentials will + be passed in the request to the service. If omitted, + it defaults to client credentials passed in the + HTTP Authorization header and the "Bearer" prefix + expected prepended to the secret value. properties: authorizationHeader: properties: @@ -2659,10 +2856,16 @@ spec: additionalProperties: properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -2672,9 +2875,10 @@ spec: type: object method: default: GET - description: |- - HTTP verb used in the request to the service. Accepted values: GET (default), POST. - When the request method is POST, the authorization JSON is passed in the body of the request. + description: 'HTTP verb used in the request to the + service. Accepted values: GET (default), POST. + When the request method is POST, the authorization + JSON is passed in the body of the request.' enum: - GET - POST @@ -2692,9 +2896,10 @@ spec: properties: cache: default: true - description: |- - Caches and reuses the token until expired. - Set it to false to force fetch the token at every authorization request regardless of expiration. + description: Caches and reuses the token until + expired. Set it to false to force fetch the + token at every authorization request regardless + of expiration. type: boolean clientId: description: OAuth2 Client ID. @@ -2738,10 +2943,11 @@ spec: - tokenUrl type: object sharedSecretRef: - description: |- - Reference to a Secret key whose value will be passed by Authorino in the request. - The HTTP service can use the shared secret to authenticate the origin of the request. - Ignored if used together with oauth2. + description: Reference to a Secret key whose value + will be passed by Authorino in the request. The + HTTP service can use the shared secret to authenticate + the origin of the request. Ignored if used together + with oauth2. properties: key: description: The key of the secret to select @@ -2756,10 +2962,11 @@ spec: - name type: object url: - description: |- - Endpoint URL of the HTTP service. - The value can include variable placeholders in the format "{selector}", where "selector" is any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + description: Endpoint URL of the HTTP service. The + value can include variable placeholders in the + format "{selector}", where "selector" is any pattern + supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string required: @@ -2772,113 +2979,115 @@ spec: type: boolean priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs + in the same priority group are evaluated concurrently; + consecutive priority groups are evaluated sequentially. type: integer routeSelectors: - description: |- - Top-level route selectors. - If present, the elements will be used to select HTTPRoute rules that, when activated, trigger the auth rule. - At least one selected HTTPRoute rule must match to trigger the auth rule. - If no route selectors are specified, the auth rule will be evaluated at all requests to the protected routes. + description: Top-level route selectors. If present, + the elements will be used to select HTTPRoute rules + that, when activated, trigger the auth rule. At least + one selected HTTPRoute rule must match to trigger + the auth rule. If no route selectors are specified, + the auth rule will be evaluated at all requests to + the protected routes. items: - description: |- - RouteSelector defines semantics for matching an HTTP request based on conditions - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: RouteSelector defines semantics for matching + an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: |- - Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request + description: Hostnames defines a set of hostname + that should match against the HTTP Host header + to select a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - - - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). - - - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. + description: "Hostname is the fully qualified + domain name of a network host. This matches + the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard + label (`*.`). The wildcard label must appear + by itself as the first label. \n Hostname + can be \"precise\" which is a domain name + without the terminating dot of a network host + (e.g. \"foo.example.com\") or \"wildcard\", + which is a domain name prefixed with a single + wildcard label (e.g. `*.example.com`). \n + Note that as per RFC1035 and RFC1123, a *label* + must consist of lower case alphanumeric characters + or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed." maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: |- - Matches define conditions used for matching the rule against incoming HTTP requests. + description: Matches define conditions used for + matching the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate - used to match requests to a given\naction. + used to match requests to a given action. Multiple match types are ANDed together, i.e. - the match will\nevaluate to true only if all - conditions are satisfied.\n\n\nFor example, + the match will evaluate to true only if all + conditions are satisfied. \n For example, the match below will match a HTTP request - only if its path\nstarts with `/foo` AND it - contains the `version: v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t - \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t - \ value \"v1\"\n\n\n```" + only if its path starts with `/foo` AND it + contains the `version: v1` header: \n ``` + match: \n path: value: \"/foo\" headers: - + name: \"version\" value \"v1\" \n ```" properties: headers: - description: |- - Headers specifies HTTP request header matchers. Multiple match values are - ANDed together, meaning, a request must match all the specified headers - to select the route. + description: Headers specifies HTTP request + header matchers. Multiple match values + are ANDed together, meaning, a request + must match all the specified headers to + select the route. items: - description: |- - HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request - headers. + description: HTTPHeaderMatch describes + how to select a HTTP route by matching + HTTP request headers. properties: name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - - - When a header is repeated in an HTTP request, it is - implementation-specific behavior as to how this is represented. - Generally, proxies should follow the guidance from the RFC: - https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding - processing a repeated header, with special handling for "Set-Cookie". + description: "Name is the name of + the HTTP Header to be matched. Name + matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, only the first entry + with an equivalent name MUST be + considered for a match. Subsequent + entries with an equivalent header + name MUST be ignored. Due to the + case-insensitivity of header names, + \"foo\" and \"Foo\" are considered + equivalent. \n When a header is + repeated in an HTTP request, it + is implementation-specific behavior + as to how this is represented. Generally, + proxies should follow the guidance + from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated + header, with special handling for + \"Set-Cookie\"." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the header. - - - Support: Core (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression HeaderMatchType has implementation-specific - conformance, implementations can support POSIX, PCRE or any other dialects - of regular expressions. Please read the implementation's documentation to - determine the supported dialect. + description: "Type specifies how to + match against the value of the header. + \n Support: Core (Exact) \n Support: + Implementation-specific (RegularExpression) + \n Since RegularExpression HeaderMatchType + has implementation-specific conformance, + implementations can support POSIX, + PCRE or any other dialects of regular + expressions. Please read the implementation's + documentation to determine the supported + dialect." enum: - Exact - RegularExpression @@ -2899,13 +3108,10 @@ spec: - name x-kubernetes-list-type: map method: - description: |- - Method specifies HTTP method matcher. - When specified, this route will be matched only if the request has the - specified method. - - - Support: Extended + description: "Method specifies HTTP method + matcher. When specified, this route will + be matched only if the request has the + specified method. \n Support: Extended" enum: - GET - HEAD @@ -2921,20 +3127,17 @@ spec: default: type: PathPrefix value: / - description: |- - Path specifies a HTTP request path matcher. If this field is not - specified, a default prefix match on the "/" path is provided. + description: Path specifies a HTTP request + path matcher. If this field is not specified, + a default prefix match on the "/" path + is provided. properties: type: default: PathPrefix - description: |- - Type specifies how to match against the path Value. - - - Support: Core (Exact, PathPrefix) - - - Support: Implementation-specific (RegularExpression) + description: "Type specifies how to + match against the path Value. \n Support: + Core (Exact, PathPrefix) \n Support: + Implementation-specific (RegularExpression)" enum: - Exact - PathPrefix @@ -2996,60 +3199,61 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: |- - QueryParams specifies HTTP query parameter matchers. Multiple match - values are ANDed together, meaning, a request must match all the - specified query parameters to select the route. - - - Support: Extended + description: "QueryParams specifies HTTP + query parameter matchers. Multiple match + values are ANDed together, meaning, a + request must match all the specified query + parameters to select the route. \n Support: + Extended" items: - description: |- - HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP - query parameters. + description: HTTPQueryParamMatch describes + how to select a HTTP route by matching + HTTP query parameters. properties: name: - description: |- - Name is the name of the HTTP query param to be matched. This must be an - exact string match. (See - https://tools.ietf.org/html/rfc7230#section-2.7.3). - - - If multiple entries specify equivalent query param names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent query param name MUST be ignored. - - - If a query param is repeated in an HTTP request, the behavior is - purposely left undefined, since different data planes have different - capabilities. However, it is *recommended* that implementations should - match against the first value of the param if the data plane supports it, - as this behavior is expected in other load balancing contexts outside of - the Gateway API. - - - Users SHOULD NOT route traffic based on repeated query params to guard - themselves against potential differences in the implementations. + description: "Name is the name of + the HTTP query param to be matched. + This must be an exact string match. + (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent + query param names, only the first + entry with an equivalent name MUST + be considered for a match. Subsequent + entries with an equivalent query + param name MUST be ignored. \n If + a query param is repeated in an + HTTP request, the behavior is purposely + left undefined, since different + data planes have different capabilities. + However, it is *recommended* that + implementations should match against + the first value of the param if + the data plane supports it, as this + behavior is expected in other load + balancing contexts outside of the + Gateway API. \n Users SHOULD NOT + route traffic based on repeated + query params to guard themselves + against potential differences in + the implementations." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the query parameter. - - - Support: Extended (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression QueryParamMatchType has Implementation-specific - conformance, implementations can support POSIX, PCRE or any other - dialects of regular expressions. Please read the implementation's - documentation to determine the supported dialect. + description: "Type specifies how to + match against the value of the query + parameter. \n Support: Extended + (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + QueryParamMatchType has Implementation-specific + conformance, implementations can + support POSIX, PCRE or any other + dialects of regular expressions. + Please read the implementation's + documentation to determine the supported + dialect." enum: - Exact - RegularExpression @@ -3085,17 +3289,18 @@ spec: to the resource registration API of the UMA server. properties: name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' type: string type: object x-kubernetes-map-type: atomic endpoint: - description: |- - The endpoint of the UMA server. - The value must coincide with the "issuer" claim of the UMA config discovered from the well-known uma configuration endpoint. + description: The endpoint of the UMA server. The + value must coincide with the "issuer" claim of + the UMA config discovered from the well-known + uma configuration endpoint. type: string required: - credentialsRef @@ -3114,10 +3319,11 @@ spec: - identitySource type: object when: - description: |- - Conditions for Authorino to enforce this config. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this + config. If omitted, the config will be enforced for + all requests. If present, all conditions must match + for the config to be enforced; otherwise, the config + will be skipped. items: properties: all: @@ -3135,9 +3341,12 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied + to the content fetched from the authorization + JSON, for comparison with "value". Possible + values are: "eq" (equal to), "neq" (not equal + to), "incl" (includes; for arrays), "excl" (excludes; + for arrays), "matches" (regex)' enum: - eq - neq @@ -3150,52 +3359,64 @@ spec: expressions type: string selector: - description: |- - Path selector to fetch content from the authorization JSON (e.g. 'request.method'). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - Authorino custom JSON path modifiers are also supported. + description: Path selector to fetch content from + the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path modifiers + are also supported. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the + value must compile to a valid Golang regex. type: string type: object type: array type: object - description: |- - Metadata sources. - Authorino fetches auth metadata as JSON from sources specified in this config. + description: Metadata sources. Authorino fetches auth metadata + as JSON from sources specified in this config. maxProperties: 10 type: object response: - description: |- - Response items. - Authorino builds custom responses to the client of the auth request. + description: Response items. Authorino builds custom responses + to the client of the auth request. properties: success: - description: |- - Response items to be included in the auth response when the request is authenticated and authorized. - For integration of Authorino via proxy, the proxy must use these settings to propagate dynamic metadata and/or inject data in the request. + description: Response items to be included in the auth + response when the request is authenticated and authorized. + For integration of Authorino via proxy, the proxy must + use these settings to propagate dynamic metadata and/or + inject data in the request. properties: dynamicMetadata: additionalProperties: properties: cache: - description: |- - Caching options for the resolved object returned when applying this config. - Omit it to avoid caching objects for this config. + description: Caching options for the resolved + object returned when applying this config. + Omit it to avoid caching objects for this + config. properties: key: - description: |- - Key used to store the entry in the cache. - The resolved key must be unique within the scope of this particular config. + description: Key used to store the entry + in the cache. The resolved key must be + unique within the scope of this particular + config. properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to + fetch content from the authorization + JSON (e.g. ''request.method'') or + a string template with variables that + resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern + supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino + custom modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode + and @strip.' type: string value: description: Static value @@ -3211,18 +3432,27 @@ spec: - key type: object json: - description: |- - JSON object - Specify it as the list of properties of the object, whose values can combine static values and values selected from the authorization JSON. + description: JSON object Specify it as the list + of properties of the object, whose values + can combine static values and values selected + from the authorization JSON. properties: properties: additionalProperties: properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector + to fetch content from the authorization + JSON (e.g. ''request.method'') or + a string template with variables + that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern + supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino + custom modifiers are supported: + @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode + and @strip.' type: string value: description: Static value @@ -3233,9 +3463,11 @@ spec: - properties type: object key: - description: |- - The key used to add the custom response item (name of the HTTP header or root property of the Dynamic Metadata object). - If omitted, it will be set to the name of the response config. + description: The key used to add the custom + response item (name of the HTTP header or + root property of the Dynamic Metadata object). + If omitted, it will be set to the name of + the response config. type: string metrics: default: false @@ -3246,10 +3478,16 @@ spec: description: Plain text content properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -3257,115 +3495,134 @@ spec: type: object priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All + configs in the same priority group are evaluated + concurrently; consecutive priority groups + are evaluated sequentially. type: integer routeSelectors: - description: |- - Top-level route selectors. - If present, the elements will be used to select HTTPRoute rules that, when activated, trigger the auth rule. - At least one selected HTTPRoute rule must match to trigger the auth rule. - If no route selectors are specified, the auth rule will be evaluated at all requests to the protected routes. + description: Top-level route selectors. If present, + the elements will be used to select HTTPRoute + rules that, when activated, trigger the auth + rule. At least one selected HTTPRoute rule + must match to trigger the auth rule. If no + route selectors are specified, the auth rule + will be evaluated at all requests to the protected + routes. items: - description: |- - RouteSelector defines semantics for matching an HTTP request based on conditions + description: RouteSelector defines semantics + for matching an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: |- - Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: Hostnames defines a set of + hostname that should match against the + HTTP Host header to select a HTTPRoute + to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - - - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). - - - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. + description: "Hostname is the fully + qualified domain name of a network + host. This matches the RFC 1123 definition + of a hostname with 2 notable exceptions: + \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label + (`*.`). The wildcard label must appear + by itself as the first label. \n Hostname + can be \"precise\" which is a domain + name without the terminating dot of + a network host (e.g. \"foo.example.com\") + or \"wildcard\", which is a domain + name prefixed with a single wildcard + label (e.g. `*.example.com`). \n Note + that as per RFC1035 and RFC1123, a + *label* must consist of lower case + alphanumeric characters or '-', and + must start and end with an alphanumeric + character. No other punctuation is + allowed." maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: |- - Matches define conditions used for matching the rule against incoming HTTP requests. - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: Matches define conditions + used for matching the rule against incoming + HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate used to match requests - to a given\naction. Multiple match + to a given action. Multiple match types are ANDed together, i.e. the - match will\nevaluate to true only - if all conditions are satisfied.\n\n\nFor + match will evaluate to true only if + all conditions are satisfied. \n For example, the match below will match - a HTTP request only if its path\nstarts + a HTTP request only if its path starts with `/foo` AND it contains the `version: - v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t - \ value: \"/foo\"\n\theaders:\n\t- - name: \"version\"\n\t value \"v1\"\n\n\n```" + v1` header: \n ``` match: \n path: + value: \"/foo\" headers: - name: \"version\" + value \"v1\" \n ```" properties: headers: - description: |- - Headers specifies HTTP request header matchers. Multiple match values are - ANDed together, meaning, a request must match all the specified headers - to select the route. + description: Headers specifies HTTP + request header matchers. Multiple + match values are ANDed together, + meaning, a request must match + all the specified headers to select + the route. items: - description: |- - HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request - headers. + description: HTTPHeaderMatch describes + how to select a HTTP route by + matching HTTP request headers. properties: name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - - - When a header is repeated in an HTTP request, it is - implementation-specific behavior as to how this is represented. - Generally, proxies should follow the guidance from the RFC: - https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding - processing a repeated header, with special handling for "Set-Cookie". + description: "Name is the + name of the HTTP Header + to be matched. Name matching + MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify + equivalent header names, + only the first entry with + an equivalent name MUST + be considered for a match. + Subsequent entries with + an equivalent header name + MUST be ignored. Due to + the case-insensitivity of + header names, \"foo\" and + \"Foo\" are considered equivalent. + \n When a header is repeated + in an HTTP request, it is + implementation-specific + behavior as to how this + is represented. Generally, + proxies should follow the + guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated + header, with special handling + for \"Set-Cookie\"." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the header. - - - Support: Core (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression HeaderMatchType has implementation-specific - conformance, implementations can support POSIX, PCRE or any other dialects - of regular expressions. Please read the implementation's documentation to - determine the supported dialect. + description: "Type specifies + how to match against the + value of the header. \n + Support: Core (Exact) \n + Support: Implementation-specific + (RegularExpression) \n Since + RegularExpression HeaderMatchType + has implementation-specific + conformance, implementations + can support POSIX, PCRE + or any other dialects of + regular expressions. Please + read the implementation's + documentation to determine + the supported dialect." enum: - Exact - RegularExpression @@ -3387,13 +3644,11 @@ spec: - name x-kubernetes-list-type: map method: - description: |- - Method specifies HTTP method matcher. - When specified, this route will be matched only if the request has the - specified method. - - - Support: Extended + description: "Method specifies HTTP + method matcher. When specified, + this route will be matched only + if the request has the specified + method. \n Support: Extended" enum: - GET - HEAD @@ -3409,20 +3664,19 @@ spec: default: type: PathPrefix value: / - description: |- - Path specifies a HTTP request path matcher. If this field is not - specified, a default prefix match on the "/" path is provided. + description: Path specifies a HTTP + request path matcher. If this + field is not specified, a default + prefix match on the "/" path is + provided. properties: type: default: PathPrefix - description: |- - Type specifies how to match against the path Value. - - - Support: Core (Exact, PathPrefix) - - - Support: Implementation-specific (RegularExpression) + description: "Type specifies + how to match against the path + Value. \n Support: Core (Exact, + PathPrefix) \n Support: Implementation-specific + (RegularExpression)" enum: - Exact - PathPrefix @@ -3493,60 +3747,73 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: |- - QueryParams specifies HTTP query parameter matchers. Multiple match - values are ANDed together, meaning, a request must match all the - specified query parameters to select the route. - - - Support: Extended + description: "QueryParams specifies + HTTP query parameter matchers. + Multiple match values are ANDed + together, meaning, a request must + match all the specified query + parameters to select the route. + \n Support: Extended" items: - description: |- - HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP - query parameters. + description: HTTPQueryParamMatch + describes how to select a HTTP + route by matching HTTP query + parameters. properties: name: - description: |- - Name is the name of the HTTP query param to be matched. This must be an - exact string match. (See - https://tools.ietf.org/html/rfc7230#section-2.7.3). - - - If multiple entries specify equivalent query param names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent query param name MUST be ignored. - - - If a query param is repeated in an HTTP request, the behavior is - purposely left undefined, since different data planes have different - capabilities. However, it is *recommended* that implementations should - match against the first value of the param if the data plane supports it, - as this behavior is expected in other load balancing contexts outside of - the Gateway API. - - - Users SHOULD NOT route traffic based on repeated query params to guard - themselves against potential differences in the implementations. + description: "Name is the + name of the HTTP query param + to be matched. This must + be an exact string match. + (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify + equivalent query param names, + only the first entry with + an equivalent name MUST + be considered for a match. + Subsequent entries with + an equivalent query param + name MUST be ignored. \n + If a query param is repeated + in an HTTP request, the + behavior is purposely left + undefined, since different + data planes have different + capabilities. However, it + is *recommended* that implementations + should match against the + first value of the param + if the data plane supports + it, as this behavior is + expected in other load balancing + contexts outside of the + Gateway API. \n Users SHOULD + NOT route traffic based + on repeated query params + to guard themselves against + potential differences in + the implementations." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the query parameter. - - - Support: Extended (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression QueryParamMatchType has Implementation-specific - conformance, implementations can support POSIX, PCRE or any other - dialects of regular expressions. Please read the implementation's - documentation to determine the supported dialect. + description: "Type specifies + how to match against the + value of the query parameter. + \n Support: Extended (Exact) + \n Support: Implementation-specific + (RegularExpression) \n Since + RegularExpression QueryParamMatchType + has Implementation-specific + conformance, implementations + can support POSIX, PCRE + or any other dialects of + regular expressions. Please + read the implementation's + documentation to determine + the supported dialect." enum: - Exact - RegularExpression @@ -3574,10 +3841,11 @@ spec: maxItems: 8 type: array when: - description: |- - Conditions for Authorino to enforce this config. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce + this config. If omitted, the config will be + enforced for all requests. If present, all + conditions must match for the config to be + enforced; otherwise, the config will be skipped. items: properties: all: @@ -3595,9 +3863,13 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be + applied to the content fetched from + the authorization JSON, for comparison + with "value". Possible values are: "eq" + (equal to), "neq" (not equal to), "incl" + (includes; for arrays), "excl" (excludes; + for arrays), "matches" (regex)' enum: - eq - neq @@ -3610,15 +3882,18 @@ spec: of pattern expressions type: string selector: - description: |- - Path selector to fetch content from the authorization JSON (e.g. 'request.method'). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - Authorino custom JSON path modifiers are also supported. + description: Path selector to fetch content + from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path + modifiers are also supported. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for + the comparison with the content fetched + from the authorization JSON. If used + with the "matches" operator, the value + must compile to a valid Golang regex. type: string type: object type: array @@ -3629,10 +3904,18 @@ spec: additionalProperties: properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector + to fetch content from the authorization + JSON (e.g. ''request.method'') or + a string template with variables + that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern + supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino + custom modifiers are supported: + @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode + and @strip.' type: string value: description: Static value @@ -3649,9 +3932,11 @@ spec: = / = / = / = /// matches that of any node on which - a pod of the set of pods is running + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not + co-located (anti-affinity) with, where co-located + is defined as running on a node whose value of the + label with key matches that of any node + on which a pod of the set of pods is running properties: labelSelector: description: A label query over a set of resources, @@ -423,24 +466,28 @@ spec: selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic merge patch. items: type: string @@ -453,44 +500,51 @@ spec: matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic merge patch. items: type: string @@ -503,29 +557,33 @@ spec: matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey @@ -538,16 +596,18 @@ spec: as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. + description: The scheduler will prefer to schedule pods + to nodes that satisfy the anti-affinity expressions + specified by this field, but it may choose a node that + violates one or more of the expressions. The node that + is most preferred is the one with the greatest sum of + weights, i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + anti-affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum are + the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred @@ -566,25 +626,30 @@ spec: of label selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. items: type: string type: array @@ -596,45 +661,53 @@ spec: matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. items: type: string type: array @@ -646,37 +719,42 @@ spec: matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". items: type: string type: array topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. + description: weight associated with matching the + corresponding podAffinityTerm, in the range 1-100. format: int32 type: integer required: @@ -685,22 +763,23 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. + description: If the anti-affinity requirements specified + by this field are not met at scheduling time, the pod + will not be scheduled onto the node. If the anti-affinity + requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod + label update), the system may or may not try to eventually + evict the pod from its node. When there are multiple + elements, the lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not + co-located (anti-affinity) with, where co-located + is defined as running on a node whose value of the + label with key matches that of any node + on which a pod of the set of pods is running properties: labelSelector: description: A label query over a set of resources, @@ -711,24 +790,28 @@ spec: selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic merge patch. items: type: string @@ -741,44 +824,51 @@ spec: matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic merge patch. items: type: string @@ -791,29 +881,33 @@ spec: matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey @@ -827,21 +921,20 @@ spec: anyOf: - type: integer - type: string - description: |- - An eviction is allowed if at most "maxUnavailable" limitador pods - are unavailable after the eviction, i.e. even in absence of - the evicted pod. For example, one can prevent all voluntary evictions - by specifying 0. This is a mutually exclusive setting with "minAvailable". + description: An eviction is allowed if at most "maxUnavailable" + limitador pods are unavailable after the eviction, i.e. + even in absence of the evicted pod. For example, one can + prevent all voluntary evictions by specifying 0. This is + a mutually exclusive setting with "minAvailable". x-kubernetes-int-or-string: true minAvailable: anyOf: - type: integer - type: string - description: |- - An eviction is allowed if at least "minAvailable" limitador pods will - still be available after the eviction, i.e. even in the absence of - the evicted pod. So for example you can prevent all voluntary - evictions by specifying "100%". + description: An eviction is allowed if at least "minAvailable" + limitador pods will still be available after the eviction, + i.e. even in the absence of the evicted pod. So for example + you can prevent all voluntary evictions by specifying "100%". x-kubernetes-int-or-string: true type: object replicas: @@ -851,24 +944,19 @@ spec: requirements. properties: claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - - This field is immutable. It can only be set for containers. + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only be + set for containers." items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. type: string required: - name @@ -884,9 +972,8 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: @@ -895,11 +982,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. Requests cannot exceed + Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object storage: @@ -918,18 +1005,17 @@ spec: persistentVolumeClaim: properties: resources: - description: |- - Resources represents the minimum resources the volume should have. - Ignored when VolumeName field is set + description: Resources represents the minimum resources + the volume should have. Ignored when VolumeName + field is set properties: requests: anyOf: - type: integer - type: string - description: |- - Storage Resource requests to be used on the PersistentVolumeClaim. - To learn more about resource requests see: - https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + description: 'Storage Resource requests to be + used on the PersistentVolumeClaim. To learn + more about resource requests see: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true required: @@ -946,15 +1032,14 @@ spec: redis: properties: configSecretRef: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. + description: LocalObjectReference contains enough information + to let you locate the referenced object inside the same + namespace. properties: name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' type: string type: object x-kubernetes-map-type: atomic @@ -962,15 +1047,14 @@ spec: redis-cached: properties: configSecretRef: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. + description: LocalObjectReference contains enough information + to let you locate the referenced object inside the same + namespace. properties: name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' type: string type: object x-kubernetes-map-type: atomic @@ -1001,47 +1085,46 @@ spec: description: KuadrantStatus defines the observed state of Kuadrant properties: conditions: - description: |- - Represents the observations of a foo's current state. - Known .status.conditions.type are: "Available" + description: 'Represents the observations of a foo''s current state. + Known .status.conditions.type are: "Available"' items: description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" properties: lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. format: date-time type: string message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. + description: message is a human readable message indicating + details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. format: int64 minimum: 0 type: integer reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -1055,12 +1138,11 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/bundle/manifests/kuadrant.io_ratelimitpolicies.yaml b/bundle/manifests/kuadrant.io_ratelimitpolicies.yaml index 76884d89f..4a3d4f3fa 100644 --- a/bundle/manifests/kuadrant.io_ratelimitpolicies.yaml +++ b/bundle/manifests/kuadrant.io_ratelimitpolicies.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.13.0 creationTimestamp: null labels: app: kuadrant @@ -48,19 +48,14 @@ spec: a Gateway API network properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -68,25 +63,24 @@ spec: description: RateLimitPolicySpec defines the desired state of RateLimitPolicy properties: defaults: - description: |- - Defaults define explicit default values for this policy and for policies inheriting this policy. - Defaults are mutually exclusive with implicit defaults defined by RateLimitPolicyCommonSpec. + description: Defaults define explicit default values for this policy + and for policies inheriting this policy. Defaults are mutually exclusive + with implicit defaults defined by RateLimitPolicyCommonSpec. properties: limits: additionalProperties: description: Limit represents a complete rate limit configuration properties: counters: - description: |- - Counters defines additional rate limit counters based on context qualifiers and well known selectors - TODO Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors + description: Counters defines additional rate limit counters + based on context qualifiers and well known selectors TODO + Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors items: - description: |- - ContextSelector defines one item from the well known attributes - Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes + description: 'ContextSelector defines one item from the + well known attributes Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes Well-known selectors: https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors They are named by a dot-separated path (e.g. request.path) - Example: "request.path" -> The path portion of the URL + Example: "request.path" -> The path portion of the URL' maxLength: 253 minLength: 1 type: string @@ -106,9 +100,8 @@ spec: a given period of time type: integer unit: - description: |- - Duration defines the time uni - Possible values are: "second", "minute", "hour", "day" + description: 'Duration defines the time uni Possible + values are: "second", "minute", "hour", "day"' enum: - second - minute @@ -125,102 +118,92 @@ spec: description: RouteSelectors defines semantics for matching an HTTP request based on conditions items: - description: |- - RouteSelector defines semantics for matching an HTTP request based on conditions - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: RouteSelector defines semantics for matching + an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: |- - Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: Hostnames defines a set of hostname that + should match against the HTTP Host header to select + a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - - - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). - - - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. + description: "Hostname is the fully qualified domain + name of a network host. This matches the RFC 1123 + definition of a hostname with 2 notable exceptions: + \n 1. IPs are not allowed. 2. A hostname may be + prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + \n Hostname can be \"precise\" which is a domain + name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", + which is a domain name prefixed with a single + wildcard label (e.g. `*.example.com`). \n Note + that as per RFC1035 and RFC1123, a *label* must + consist of lower case alphanumeric characters + or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed." maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: |- - Matches define conditions used for matching the rule against incoming HTTP requests. - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: Matches define conditions used for matching + the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate - used to match requests to a given\naction. Multiple + used to match requests to a given action. Multiple match types are ANDed together, i.e. the match - will\nevaluate to true only if all conditions - are satisfied.\n\n\nFor example, the match below - will match a HTTP request only if its path\nstarts - with `/foo` AND it contains the `version: v1` - header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t value: - \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t - \ value \"v1\"\n\n\n```" + will evaluate to true only if all conditions are + satisfied. \n For example, the match below will + match a HTTP request only if its path starts with + `/foo` AND it contains the `version: v1` header: + \n ``` match: \n path: value: \"/foo\" headers: + - name: \"version\" value \"v1\" \n ```" properties: headers: - description: |- - Headers specifies HTTP request header matchers. Multiple match values are - ANDed together, meaning, a request must match all the specified headers - to select the route. + description: Headers specifies HTTP request + header matchers. Multiple match values are + ANDed together, meaning, a request must match + all the specified headers to select the route. items: - description: |- - HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request - headers. + description: HTTPHeaderMatch describes how + to select a HTTP route by matching HTTP + request headers. properties: name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - - - When a header is repeated in an HTTP request, it is - implementation-specific behavior as to how this is represented. - Generally, proxies should follow the guidance from the RFC: - https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding - processing a repeated header, with special handling for "Set-Cookie". + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, only the first entry with + an equivalent name MUST be considered + for a match. Subsequent entries with + an equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent. \n When a header is repeated + in an HTTP request, it is implementation-specific + behavior as to how this is represented. + Generally, proxies should follow the + guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, + with special handling for \"Set-Cookie\"." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the header. - - - Support: Core (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression HeaderMatchType has implementation-specific - conformance, implementations can support POSIX, PCRE or any other dialects - of regular expressions. Please read the implementation's documentation to - determine the supported dialect. + description: "Type specifies how to match + against the value of the header. \n + Support: Core (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + HeaderMatchType has implementation-specific + conformance, implementations can support + POSIX, PCRE or any other dialects of + regular expressions. Please read the + implementation's documentation to determine + the supported dialect." enum: - Exact - RegularExpression @@ -241,13 +224,10 @@ spec: - name x-kubernetes-list-type: map method: - description: |- - Method specifies HTTP method matcher. - When specified, this route will be matched only if the request has the - specified method. - - - Support: Extended + description: "Method specifies HTTP method matcher. + When specified, this route will be matched + only if the request has the specified method. + \n Support: Extended" enum: - GET - HEAD @@ -263,20 +243,16 @@ spec: default: type: PathPrefix value: / - description: |- - Path specifies a HTTP request path matcher. If this field is not - specified, a default prefix match on the "/" path is provided. + description: Path specifies a HTTP request path + matcher. If this field is not specified, a + default prefix match on the "/" path is provided. properties: type: default: PathPrefix - description: |- - Type specifies how to match against the path Value. - - - Support: Core (Exact, PathPrefix) - - - Support: Implementation-specific (RegularExpression) + description: "Type specifies how to match + against the path Value. \n Support: Core + (Exact, PathPrefix) \n Support: Implementation-specific + (RegularExpression)" enum: - Exact - PathPrefix @@ -338,60 +314,55 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: |- - QueryParams specifies HTTP query parameter matchers. Multiple match - values are ANDed together, meaning, a request must match all the - specified query parameters to select the route. - - - Support: Extended + description: "QueryParams specifies HTTP query + parameter matchers. Multiple match values + are ANDed together, meaning, a request must + match all the specified query parameters to + select the route. \n Support: Extended" items: - description: |- - HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP + description: HTTPQueryParamMatch describes + how to select a HTTP route by matching HTTP query parameters. properties: name: - description: |- - Name is the name of the HTTP query param to be matched. This must be an - exact string match. (See + description: "Name is the name of the + HTTP query param to be matched. This + must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). - - - If multiple entries specify equivalent query param names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent query param name MUST be ignored. - - - If a query param is repeated in an HTTP request, the behavior is - purposely left undefined, since different data planes have different - capabilities. However, it is *recommended* that implementations should - match against the first value of the param if the data plane supports it, - as this behavior is expected in other load balancing contexts outside of - the Gateway API. - - - Users SHOULD NOT route traffic based on repeated query params to guard - themselves against potential differences in the implementations. + \n If multiple entries specify equivalent + query param names, only the first entry + with an equivalent name MUST be considered + for a match. Subsequent entries with + an equivalent query param name MUST + be ignored. \n If a query param is repeated + in an HTTP request, the behavior is + purposely left undefined, since different + data planes have different capabilities. + However, it is *recommended* that implementations + should match against the first value + of the param if the data plane supports + it, as this behavior is expected in + other load balancing contexts outside + of the Gateway API. \n Users SHOULD + NOT route traffic based on repeated + query params to guard themselves against + potential differences in the implementations." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the query parameter. - - - Support: Extended (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression QueryParamMatchType has Implementation-specific - conformance, implementations can support POSIX, PCRE or any other - dialects of regular expressions. Please read the implementation's - documentation to determine the supported dialect. + description: "Type specifies how to match + against the value of the query parameter. + \n Support: Extended (Exact) \n Support: + Implementation-specific (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has Implementation-specific conformance, + implementations can support POSIX, PCRE + or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." enum: - Exact - RegularExpression @@ -418,18 +389,17 @@ spec: maxItems: 15 type: array when: - description: |- - When holds the list of conditions for the policy to be enforced. - Called also "soft" conditions as route selectors must also match + description: When holds the list of conditions for the policy + to be enforced. Called also "soft" conditions as route + selectors must also match items: - description: |- - RouteSelector defines semantics for matching an HTTP request based on conditions - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: RouteSelector defines semantics for matching + an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: operator: - description: |- - The binary operator to be applied to the content fetched from the selector - Possible values are: "eq" (equal to), "neq" (not equal to) + description: 'The binary operator to be applied to + the content fetched from the selector Possible values + are: "eq" (equal to), "neq" (not equal to)' enum: - eq - neq @@ -440,9 +410,9 @@ spec: - matches type: string selector: - description: |- - Selector defines one item from the well known selectors - TODO Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors + description: Selector defines one item from the well + known selectors TODO Document properly "Well-known + selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors maxLength: 253 minLength: 1 type: string @@ -466,16 +436,15 @@ spec: description: Limit represents a complete rate limit configuration properties: counters: - description: |- - Counters defines additional rate limit counters based on context qualifiers and well known selectors - TODO Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors + description: Counters defines additional rate limit counters + based on context qualifiers and well known selectors TODO + Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors items: - description: |- - ContextSelector defines one item from the well known attributes - Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes + description: 'ContextSelector defines one item from the well + known attributes Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes Well-known selectors: https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors They are named by a dot-separated path (e.g. request.path) - Example: "request.path" -> The path portion of the URL + Example: "request.path" -> The path portion of the URL' maxLength: 253 minLength: 1 type: string @@ -495,9 +464,8 @@ spec: given period of time type: integer unit: - description: |- - Duration defines the time uni - Possible values are: "second", "minute", "hour", "day" + description: 'Duration defines the time uni Possible values + are: "second", "minute", "hour", "day"' enum: - second - minute @@ -514,101 +482,91 @@ spec: description: RouteSelectors defines semantics for matching an HTTP request based on conditions items: - description: |- - RouteSelector defines semantics for matching an HTTP request based on conditions - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: RouteSelector defines semantics for matching + an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: |- - Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: Hostnames defines a set of hostname that + should match against the HTTP Host header to select + a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - - - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). - - - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. + description: "Hostname is the fully qualified domain + name of a network host. This matches the RFC 1123 + definition of a hostname with 2 notable exceptions: + \n 1. IPs are not allowed. 2. A hostname may be prefixed + with a wildcard label (`*.`). The wildcard label must + appear by itself as the first label. \n Hostname can + be \"precise\" which is a domain name without the + terminating dot of a network host (e.g. \"foo.example.com\") + or \"wildcard\", which is a domain name prefixed with + a single wildcard label (e.g. `*.example.com`). \n + Note that as per RFC1035 and RFC1123, a *label* must + consist of lower case alphanumeric characters or '-', + and must start and end with an alphanumeric character. + No other punctuation is allowed." maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: |- - Matches define conditions used for matching the rule against incoming HTTP requests. - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: Matches define conditions used for matching + the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate used - to match requests to a given\naction. Multiple match - types are ANDed together, i.e. the match will\nevaluate - to true only if all conditions are satisfied.\n\n\nFor + to match requests to a given action. Multiple match + types are ANDed together, i.e. the match will evaluate + to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request - only if its path\nstarts with `/foo` AND it contains - the `version: v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t - \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t - \ value \"v1\"\n\n\n```" + only if its path starts with `/foo` AND it contains + the `version: v1` header: \n ``` match: \n path: value: + \"/foo\" headers: - name: \"version\" value \"v1\" + \n ```" properties: headers: - description: |- - Headers specifies HTTP request header matchers. Multiple match values are - ANDed together, meaning, a request must match all the specified headers - to select the route. + description: Headers specifies HTTP request header + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified + headers to select the route. items: - description: |- - HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request + description: HTTPHeaderMatch describes how to + select a HTTP route by matching HTTP request headers. properties: name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - - - When a header is repeated in an HTTP request, it is - implementation-specific behavior as to how this is represented. - Generally, proxies should follow the guidance from the RFC: - https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding - processing a repeated header, with special handling for "Set-Cookie". + description: "Name is the name of the HTTP + Header to be matched. Name matching MUST + be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, only the first entry with + an equivalent name MUST be considered for + a match. Subsequent entries with an equivalent + header name MUST be ignored. Due to the + case-insensitivity of header names, \"foo\" + and \"Foo\" are considered equivalent. \n + When a header is repeated in an HTTP request, + it is implementation-specific behavior as + to how this is represented. Generally, proxies + should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, + with special handling for \"Set-Cookie\"." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the header. - - - Support: Core (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression HeaderMatchType has implementation-specific - conformance, implementations can support POSIX, PCRE or any other dialects - of regular expressions. Please read the implementation's documentation to - determine the supported dialect. + description: "Type specifies how to match + against the value of the header. \n Support: + Core (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + HeaderMatchType has implementation-specific + conformance, implementations can support + POSIX, PCRE or any other dialects of regular + expressions. Please read the implementation's + documentation to determine the supported + dialect." enum: - Exact - RegularExpression @@ -629,13 +587,10 @@ spec: - name x-kubernetes-list-type: map method: - description: |- - Method specifies HTTP method matcher. - When specified, this route will be matched only if the request has the - specified method. - - - Support: Extended + description: "Method specifies HTTP method matcher. + When specified, this route will be matched only + if the request has the specified method. \n Support: + Extended" enum: - GET - HEAD @@ -651,20 +606,15 @@ spec: default: type: PathPrefix value: / - description: |- - Path specifies a HTTP request path matcher. If this field is not - specified, a default prefix match on the "/" path is provided. + description: Path specifies a HTTP request path + matcher. If this field is not specified, a default + prefix match on the "/" path is provided. properties: type: default: PathPrefix - description: |- - Type specifies how to match against the path Value. - - - Support: Core (Exact, PathPrefix) - - - Support: Implementation-specific (RegularExpression) + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Implementation-specific (RegularExpression)" enum: - Exact - PathPrefix @@ -725,60 +675,53 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: |- - QueryParams specifies HTTP query parameter matchers. Multiple match - values are ANDed together, meaning, a request must match all the - specified query parameters to select the route. - - - Support: Extended + description: "QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified + query parameters to select the route. \n Support: + Extended" items: - description: |- - HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP - query parameters. + description: HTTPQueryParamMatch describes how + to select a HTTP route by matching HTTP query + parameters. properties: name: - description: |- - Name is the name of the HTTP query param to be matched. This must be an - exact string match. (See - https://tools.ietf.org/html/rfc7230#section-2.7.3). - - - If multiple entries specify equivalent query param names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent query param name MUST be ignored. - - - If a query param is repeated in an HTTP request, the behavior is - purposely left undefined, since different data planes have different - capabilities. However, it is *recommended* that implementations should - match against the first value of the param if the data plane supports it, - as this behavior is expected in other load balancing contexts outside of - the Gateway API. - - - Users SHOULD NOT route traffic based on repeated query params to guard - themselves against potential differences in the implementations. + description: "Name is the name of the HTTP + query param to be matched. This must be + an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent + query param names, only the first entry + with an equivalent name MUST be considered + for a match. Subsequent entries with an + equivalent query param name MUST be ignored. + \n If a query param is repeated in an HTTP + request, the behavior is purposely left + undefined, since different data planes have + different capabilities. However, it is *recommended* + that implementations should match against + the first value of the param if the data + plane supports it, as this behavior is expected + in other load balancing contexts outside + of the Gateway API. \n Users SHOULD NOT + route traffic based on repeated query params + to guard themselves against potential differences + in the implementations." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the query parameter. - - - Support: Extended (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression QueryParamMatchType has Implementation-specific - conformance, implementations can support POSIX, PCRE or any other - dialects of regular expressions. Please read the implementation's - documentation to determine the supported dialect. + description: "Type specifies how to match + against the value of the query parameter. + \n Support: Extended (Exact) \n Support: + Implementation-specific (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has Implementation-specific conformance, + implementations can support POSIX, PCRE + or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." enum: - Exact - RegularExpression @@ -805,18 +748,17 @@ spec: maxItems: 15 type: array when: - description: |- - When holds the list of conditions for the policy to be enforced. - Called also "soft" conditions as route selectors must also match + description: When holds the list of conditions for the policy + to be enforced. Called also "soft" conditions as route selectors + must also match items: - description: |- - RouteSelector defines semantics for matching an HTTP request based on conditions - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: RouteSelector defines semantics for matching + an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: operator: - description: |- - The binary operator to be applied to the content fetched from the selector - Possible values are: "eq" (equal to), "neq" (not equal to) + description: 'The binary operator to be applied to the + content fetched from the selector Possible values are: + "eq" (equal to), "neq" (not equal to)' enum: - eq - neq @@ -827,9 +769,9 @@ spec: - matches type: string selector: - description: |- - Selector defines one item from the well known selectors - TODO Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors + description: Selector defines one item from the well known + selectors TODO Document properly "Well-known selector" + https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors maxLength: 253 minLength: 1 type: string @@ -848,25 +790,24 @@ spec: maxProperties: 14 type: object overrides: - description: |- - Overrides define override values for this policy and for policies inheriting this policy. - Overrides are mutually exclusive with implicit defaults and explicit Defaults defined by RateLimitPolicyCommonSpec. + description: Overrides define override values for this policy and + for policies inheriting this policy. Overrides are mutually exclusive + with implicit defaults and explicit Defaults defined by RateLimitPolicyCommonSpec. properties: limits: additionalProperties: description: Limit represents a complete rate limit configuration properties: counters: - description: |- - Counters defines additional rate limit counters based on context qualifiers and well known selectors - TODO Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors + description: Counters defines additional rate limit counters + based on context qualifiers and well known selectors TODO + Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors items: - description: |- - ContextSelector defines one item from the well known attributes - Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes + description: 'ContextSelector defines one item from the + well known attributes Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes Well-known selectors: https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors They are named by a dot-separated path (e.g. request.path) - Example: "request.path" -> The path portion of the URL + Example: "request.path" -> The path portion of the URL' maxLength: 253 minLength: 1 type: string @@ -886,9 +827,8 @@ spec: a given period of time type: integer unit: - description: |- - Duration defines the time uni - Possible values are: "second", "minute", "hour", "day" + description: 'Duration defines the time uni Possible + values are: "second", "minute", "hour", "day"' enum: - second - minute @@ -905,102 +845,92 @@ spec: description: RouteSelectors defines semantics for matching an HTTP request based on conditions items: - description: |- - RouteSelector defines semantics for matching an HTTP request based on conditions - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: RouteSelector defines semantics for matching + an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: |- - Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: Hostnames defines a set of hostname that + should match against the HTTP Host header to select + a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - - - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). - - - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. + description: "Hostname is the fully qualified domain + name of a network host. This matches the RFC 1123 + definition of a hostname with 2 notable exceptions: + \n 1. IPs are not allowed. 2. A hostname may be + prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + \n Hostname can be \"precise\" which is a domain + name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", + which is a domain name prefixed with a single + wildcard label (e.g. `*.example.com`). \n Note + that as per RFC1035 and RFC1123, a *label* must + consist of lower case alphanumeric characters + or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed." maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: |- - Matches define conditions used for matching the rule against incoming HTTP requests. - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: Matches define conditions used for matching + the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate - used to match requests to a given\naction. Multiple + used to match requests to a given action. Multiple match types are ANDed together, i.e. the match - will\nevaluate to true only if all conditions - are satisfied.\n\n\nFor example, the match below - will match a HTTP request only if its path\nstarts - with `/foo` AND it contains the `version: v1` - header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t value: - \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t - \ value \"v1\"\n\n\n```" + will evaluate to true only if all conditions are + satisfied. \n For example, the match below will + match a HTTP request only if its path starts with + `/foo` AND it contains the `version: v1` header: + \n ``` match: \n path: value: \"/foo\" headers: + - name: \"version\" value \"v1\" \n ```" properties: headers: - description: |- - Headers specifies HTTP request header matchers. Multiple match values are - ANDed together, meaning, a request must match all the specified headers - to select the route. + description: Headers specifies HTTP request + header matchers. Multiple match values are + ANDed together, meaning, a request must match + all the specified headers to select the route. items: - description: |- - HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request - headers. + description: HTTPHeaderMatch describes how + to select a HTTP route by matching HTTP + request headers. properties: name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - - - When a header is repeated in an HTTP request, it is - implementation-specific behavior as to how this is represented. - Generally, proxies should follow the guidance from the RFC: - https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding - processing a repeated header, with special handling for "Set-Cookie". + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, only the first entry with + an equivalent name MUST be considered + for a match. Subsequent entries with + an equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent. \n When a header is repeated + in an HTTP request, it is implementation-specific + behavior as to how this is represented. + Generally, proxies should follow the + guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, + with special handling for \"Set-Cookie\"." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the header. - - - Support: Core (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression HeaderMatchType has implementation-specific - conformance, implementations can support POSIX, PCRE or any other dialects - of regular expressions. Please read the implementation's documentation to - determine the supported dialect. + description: "Type specifies how to match + against the value of the header. \n + Support: Core (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + HeaderMatchType has implementation-specific + conformance, implementations can support + POSIX, PCRE or any other dialects of + regular expressions. Please read the + implementation's documentation to determine + the supported dialect." enum: - Exact - RegularExpression @@ -1021,13 +951,10 @@ spec: - name x-kubernetes-list-type: map method: - description: |- - Method specifies HTTP method matcher. - When specified, this route will be matched only if the request has the - specified method. - - - Support: Extended + description: "Method specifies HTTP method matcher. + When specified, this route will be matched + only if the request has the specified method. + \n Support: Extended" enum: - GET - HEAD @@ -1043,20 +970,16 @@ spec: default: type: PathPrefix value: / - description: |- - Path specifies a HTTP request path matcher. If this field is not - specified, a default prefix match on the "/" path is provided. + description: Path specifies a HTTP request path + matcher. If this field is not specified, a + default prefix match on the "/" path is provided. properties: type: default: PathPrefix - description: |- - Type specifies how to match against the path Value. - - - Support: Core (Exact, PathPrefix) - - - Support: Implementation-specific (RegularExpression) + description: "Type specifies how to match + against the path Value. \n Support: Core + (Exact, PathPrefix) \n Support: Implementation-specific + (RegularExpression)" enum: - Exact - PathPrefix @@ -1118,60 +1041,55 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: |- - QueryParams specifies HTTP query parameter matchers. Multiple match - values are ANDed together, meaning, a request must match all the - specified query parameters to select the route. - - - Support: Extended + description: "QueryParams specifies HTTP query + parameter matchers. Multiple match values + are ANDed together, meaning, a request must + match all the specified query parameters to + select the route. \n Support: Extended" items: - description: |- - HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP + description: HTTPQueryParamMatch describes + how to select a HTTP route by matching HTTP query parameters. properties: name: - description: |- - Name is the name of the HTTP query param to be matched. This must be an - exact string match. (See + description: "Name is the name of the + HTTP query param to be matched. This + must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). - - - If multiple entries specify equivalent query param names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent query param name MUST be ignored. - - - If a query param is repeated in an HTTP request, the behavior is - purposely left undefined, since different data planes have different - capabilities. However, it is *recommended* that implementations should - match against the first value of the param if the data plane supports it, - as this behavior is expected in other load balancing contexts outside of - the Gateway API. - - - Users SHOULD NOT route traffic based on repeated query params to guard - themselves against potential differences in the implementations. + \n If multiple entries specify equivalent + query param names, only the first entry + with an equivalent name MUST be considered + for a match. Subsequent entries with + an equivalent query param name MUST + be ignored. \n If a query param is repeated + in an HTTP request, the behavior is + purposely left undefined, since different + data planes have different capabilities. + However, it is *recommended* that implementations + should match against the first value + of the param if the data plane supports + it, as this behavior is expected in + other load balancing contexts outside + of the Gateway API. \n Users SHOULD + NOT route traffic based on repeated + query params to guard themselves against + potential differences in the implementations." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the query parameter. - - - Support: Extended (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression QueryParamMatchType has Implementation-specific - conformance, implementations can support POSIX, PCRE or any other - dialects of regular expressions. Please read the implementation's - documentation to determine the supported dialect. + description: "Type specifies how to match + against the value of the query parameter. + \n Support: Extended (Exact) \n Support: + Implementation-specific (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has Implementation-specific conformance, + implementations can support POSIX, PCRE + or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." enum: - Exact - RegularExpression @@ -1198,18 +1116,17 @@ spec: maxItems: 15 type: array when: - description: |- - When holds the list of conditions for the policy to be enforced. - Called also "soft" conditions as route selectors must also match + description: When holds the list of conditions for the policy + to be enforced. Called also "soft" conditions as route + selectors must also match items: - description: |- - RouteSelector defines semantics for matching an HTTP request based on conditions - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: RouteSelector defines semantics for matching + an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: operator: - description: |- - The binary operator to be applied to the content fetched from the selector - Possible values are: "eq" (equal to), "neq" (not equal to) + description: 'The binary operator to be applied to + the content fetched from the selector Possible values + are: "eq" (equal to), "neq" (not equal to)' enum: - eq - neq @@ -1220,9 +1137,9 @@ spec: - matches type: string selector: - description: |- - Selector defines one item from the well known selectors - TODO Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors + description: Selector defines one item from the well + known selectors TODO Document properly "Well-known + selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors maxLength: 253 minLength: 1 type: string @@ -1261,11 +1178,10 @@ spec: minLength: 1 type: string namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, the local - namespace is inferred. Even when policy targets a resource in a different - namespace, it MUST only apply to traffic originating from the same - namespace as the policy. + description: Namespace is the namespace of the referent. When + unspecified, the local namespace is inferred. Even when policy + targets a resource in a different namespace, it MUST only apply + to traffic originating from the same namespace as the policy. maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ @@ -1301,47 +1217,46 @@ spec: description: RateLimitPolicyStatus defines the observed state of RateLimitPolicy properties: conditions: - description: |- - Represents the observations of a foo's current state. - Known .status.conditions.type are: "Available" + description: 'Represents the observations of a foo''s current state. + Known .status.conditions.type are: "Available"' items: description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" properties: lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. format: date-time type: string message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. + description: message is a human readable message indicating + details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. format: int64 minimum: 0 type: integer reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -1355,12 +1270,11 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/bundle/manifests/kuadrant.io_tlspolicies.yaml b/bundle/manifests/kuadrant.io_tlspolicies.yaml index 4968eb806..1eeeec992 100644 --- a/bundle/manifests/kuadrant.io_tlspolicies.yaml +++ b/bundle/manifests/kuadrant.io_tlspolicies.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.13.0 creationTimestamp: null labels: app: kuadrant @@ -42,19 +42,14 @@ spec: description: TLSPolicy is the Schema for the tlspolicies API properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -62,30 +57,26 @@ spec: description: TLSPolicySpec defines the desired state of TLSPolicy properties: commonName: - description: |- - CommonName is a common name to be used on the Certificate. - The CommonName should have a length of 64 characters or fewer to avoid - generating invalid CSRs. - This value is ignored by TLS clients when any subject alt name is set. - This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4 + description: 'CommonName is a common name to be used on the Certificate. + The CommonName should have a length of 64 characters or fewer to + avoid generating invalid CSRs. This value is ignored by TLS clients + when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' type: string duration: - description: |- - The requested 'duration' (i.e. lifetime) of the Certificate. This option - may be ignored/overridden by some issuer types. If unset this defaults to - 90 days. Certificate will be renewed either 2/3 through its duration or - `renewBefore` period before its expiry, whichever is later. Minimum - accepted duration is 1 hour. Value must be in units accepted by Go - time.ParseDuration https://golang.org/pkg/time/#ParseDuration + description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. If unset + this defaults to 90 days. Certificate will be renewed either 2/3 + through its duration or `renewBefore` period before its expiry, + whichever is later. Minimum accepted duration is 1 hour. Value must + be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration type: string issuerRef: - description: |- - IssuerRef is a reference to the issuer for this certificate. + description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource - with the given name in the same namespace as the Certificate will be used. - If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the - provided name will be used. - The `name` field in this stanza is required at all times. + with the given name in the same namespace as the Certificate will + be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer + with the provided name will be used. The `name` field in this stanza + is required at all times. properties: group: description: Group of the resource being referred to. @@ -103,81 +94,75 @@ spec: description: Options to control private keys used for the Certificate. properties: algorithm: - description: |- - Algorithm is the private key algorithm of the corresponding private key - for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA` - If `algorithm` is specified and `size` is not provided, - key size of 256 will be used for `ECDSA` key algorithm and - key size of 2048 will be used for `RSA` key algorithm. - key size is ignored when using the `Ed25519` key algorithm. + description: Algorithm is the private key algorithm of the corresponding + private key for this certificate. If provided, allowed values + are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified + and `size` is not provided, key size of 256 will be used for + `ECDSA` key algorithm and key size of 2048 will be used for + `RSA` key algorithm. key size is ignored when using the `Ed25519` + key algorithm. enum: - RSA - ECDSA - Ed25519 type: string encoding: - description: |- - The private key cryptography standards (PKCS) encoding for this - certificate's private key to be encoded in. - If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 - and PKCS#8, respectively. - Defaults to `PKCS1` if not specified. + description: The private key cryptography standards (PKCS) encoding + for this certificate's private key to be encoded in. If provided, + allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and + PKCS#8, respectively. Defaults to `PKCS1` if not specified. enum: - PKCS1 - PKCS8 type: string rotationPolicy: - description: |- - RotationPolicy controls how private keys should be regenerated when a - re-issuance is being processed. - If set to Never, a private key will only be generated if one does not - already exist in the target `spec.secretName`. If one does exists but it - does not have the correct algorithm or size, a warning will be raised - to await user intervention. - If set to Always, a private key matching the specified requirements - will be generated whenever a re-issuance occurs. - Default is 'Never' for backward compatibility. + description: RotationPolicy controls how private keys should be + regenerated when a re-issuance is being processed. If set to + Never, a private key will only be generated if one does not + already exist in the target `spec.secretName`. If one does exists + but it does not have the correct algorithm or size, a warning + will be raised to await user intervention. If set to Always, + a private key matching the specified requirements will be generated + whenever a re-issuance occurs. Default is 'Never' for backward + compatibility. enum: - Never - Always type: string size: - description: |- - Size is the key bit size of the corresponding private key for this certificate. - If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, - and will default to `2048` if not specified. - If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, - and will default to `256` if not specified. - If `algorithm` is set to `Ed25519`, Size is ignored. + description: Size is the key bit size of the corresponding private + key for this certificate. If `algorithm` is set to `RSA`, valid + values are `2048`, `4096` or `8192`, and will default to `2048` + if not specified. If `algorithm` is set to `ECDSA`, valid values + are `256`, `384` or `521`, and will default to `256` if not + specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed. type: integer type: object renewBefore: - description: |- - How long before the currently issued certificate's expiry - cert-manager should renew the certificate. The default is 2/3 of the - issued certificate's duration. Minimum accepted value is 5 minutes. - Value must be in units accepted by Go time.ParseDuration - https://golang.org/pkg/time/#ParseDuration + description: How long before the currently issued certificate's expiry + cert-manager should renew the certificate. The default is 2/3 of + the issued certificate's duration. Minimum accepted value is 5 minutes. + Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration type: string revisionHistoryLimit: - description: |- - RevisionHistoryLimit is the maximum number of CertificateRequest revisions - that are maintained in the Certificate's history. Each revision represents - a single `CertificateRequest` created by this Certificate, either when it - was created, renewed, or Spec was changed. Revisions will be removed by - oldest first if the number of revisions exceeds this number. If set, - revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), - revisions will not be garbage collected. Default value is `nil`. + description: RevisionHistoryLimit is the maximum number of CertificateRequest + revisions that are maintained in the Certificate's history. Each + revision represents a single `CertificateRequest` created by this + Certificate, either when it was created, renewed, or Spec was changed. + Revisions will be removed by oldest first if the number of revisions + exceeds this number. If set, revisionHistoryLimit must be a value + of `1` or greater. If unset (`nil`), revisions will not be garbage + collected. Default value is `nil`. format: int32 type: integer targetRef: - description: |- - PolicyTargetReference identifies an API object to apply a direct or - inherited policy to. This should be used as part of Policy resources - that can target Gateway API resources. For more information on how this - policy attachment model works, and a sample Policy resource, refer to - the policy attachment documentation for Gateway API. + description: PolicyTargetReference identifies an API object to apply + a direct or inherited policy to. This should be used as part of + Policy resources that can target Gateway API resources. For more + information on how this policy attachment model works, and a sample + Policy resource, refer to the policy attachment documentation for + Gateway API. properties: group: description: Group is the group of the target resource. @@ -196,11 +181,10 @@ spec: minLength: 1 type: string namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, the local - namespace is inferred. Even when policy targets a resource in a different - namespace, it MUST only apply to traffic originating from the same - namespace as the policy. + description: Namespace is the namespace of the referent. When + unspecified, the local namespace is inferred. Even when policy + targets a resource in a different namespace, it MUST only apply + to traffic originating from the same namespace as the policy. maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ @@ -211,41 +195,19 @@ spec: - name type: object usages: - description: |- - Usages is the set of x509 usages that are requested for the certificate. - Defaults to `digital signature` and `key encipherment` if not specified. + description: Usages is the set of x509 usages that are requested for + the certificate. Defaults to `digital signature` and `key encipherment` + if not specified. items: - description: |- - KeyUsage specifies valid usage contexts for keys. - See: - https://tools.ietf.org/html/rfc5280#section-4.2.1.3 - https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - - - Valid KeyUsage values are as follows: - "signing", - "digital signature", - "content commitment", - "key encipherment", - "key agreement", - "data encipherment", - "cert sign", - "crl sign", - "encipher only", - "decipher only", - "any", - "server auth", - "client auth", - "code signing", - "email protection", - "s/mime", - "ipsec end system", - "ipsec tunnel", - "ipsec user", - "timestamping", - "ocsp signing", - "microsoft sgc", - "netscape sgc" + description: "KeyUsage specifies valid usage contexts for keys. + See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + \n Valid KeyUsage values are as follows: \"signing\", \"digital + signature\", \"content commitment\", \"key encipherment\", \"key + agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", + \"encipher only\", \"decipher only\", \"any\", \"server auth\", + \"client auth\", \"code signing\", \"email protection\", \"s/mime\", + \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", + \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" enum: - signing - digital signature @@ -280,50 +242,47 @@ spec: description: TLSPolicyStatus defines the observed state of TLSPolicy properties: conditions: - description: |- - conditions are any conditions associated with the policy - - - If configuring the policy fails, the "Failed" condition will be set with a - reason and message describing the cause of the failure. + description: "conditions are any conditions associated with the policy + \n If configuring the policy fails, the \"Failed\" condition will + be set with a reason and message describing the cause of the failure." items: description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" properties: lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. format: date-time type: string message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. + description: message is a human readable message indicating + details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. format: int64 minimum: 0 type: integer reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -337,12 +296,11 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -355,11 +313,10 @@ spec: type: object type: array observedGeneration: - description: |- - observedGeneration is the most recently observed generation of the - TLSPolicy. When the TLSPolicy is updated, the controller updates the - corresponding configuration. If an update fails, that failure is - recorded in the status condition + description: observedGeneration is the most recently observed generation + of the TLSPolicy. When the TLSPolicy is updated, the controller + updates the corresponding configuration. If an update fails, that + failure is recorded in the status condition format: int64 type: integer type: object diff --git a/bundle/metadata/annotations.yaml b/bundle/metadata/annotations.yaml index 3f116c11b..a12ac97b3 100644 --- a/bundle/metadata/annotations.yaml +++ b/bundle/metadata/annotations.yaml @@ -4,7 +4,7 @@ annotations: operators.operatorframework.io.bundle.manifests.v1: manifests/ operators.operatorframework.io.bundle.metadata.v1: metadata/ operators.operatorframework.io.bundle.package.v1: kuadrant-operator - operators.operatorframework.io.bundle.channels.v1: alpha + operators.operatorframework.io.bundle.channels.v1: preview operators.operatorframework.io.metrics.builder: operator-sdk-v1.32.0 operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v3 diff --git a/bundle/metadata/dependencies.yaml b/bundle/metadata/dependencies.yaml index d8ccdcad1..afb9b30c0 100644 --- a/bundle/metadata/dependencies.yaml +++ b/bundle/metadata/dependencies.yaml @@ -2,15 +2,15 @@ dependencies: - type: olm.package value: packageName: authorino-operator - version: "0.0.0" + version: "0.11.1" - type: olm.package value: packageName: limitador-operator - version: "0.0.0" + version: "0.8.0-rc.1" - type: olm.package value: packageName: dns-operator - version: "0.0.0" + version: "0.2.0-rc1" - type: olm.package value: packageName: cert-manager diff --git a/config/crd/bases/kuadrant.io_authpolicies.yaml b/config/crd/bases/kuadrant.io_authpolicies.yaml index fc4dd9104..7498f6ef7 100644 --- a/config/crd/bases/kuadrant.io_authpolicies.yaml +++ b/config/crd/bases/kuadrant.io_authpolicies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.13.0 labels: gateway.networking.k8s.io/policy: inherited name: authpolicies.kuadrant.io @@ -47,42 +47,37 @@ spec: workloads in a Gateway API network properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: - description: |- - RouteSelectors - implicit default validation - RouteSelectors - explicit default validation - RouteSelectors - explicit overrides validation + description: RouteSelectors - implicit default validation RouteSelectors + - explicit default validation RouteSelectors - explicit overrides validation Mutual Exclusivity Validation properties: defaults: - description: |- - Defaults define explicit default values for this policy and for policies inheriting this policy. - Defaults are mutually exclusive with implicit defaults defined by AuthPolicyCommonSpec. + description: Defaults define explicit default values for this policy + and for policies inheriting this policy. Defaults are mutually exclusive + with implicit defaults defined by AuthPolicyCommonSpec. properties: patterns: additionalProperties: items: properties: operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied to the + content fetched from the authorization JSON, for comparison + with "value". Possible values are: "eq" (equal to), + "neq" (not equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" (regex)' enum: - eq - neq @@ -91,15 +86,17 @@ spec: - matches type: string selector: - description: |- - Path selector to fetch content from the authorization JSON (e.g. 'request.method'). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - Authorino custom JSON path modifiers are also supported. + description: Path selector to fetch content from the authorization + JSON (e.g. 'request.method'). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson can be + used. Authorino custom JSON path modifiers are also + supported. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization JSON. + If used with the "matches" operator, the value must + compile to a valid Golang regex. type: string type: object type: array @@ -107,107 +104,93 @@ spec: conditions and in pattern-matching authorization policy rules. type: object routeSelectors: - description: |- - Top-level route selectors. - If present, the elements will be used to select HTTPRoute rules that, when activated, trigger the external authorization service. - At least one selected HTTPRoute rule must match to trigger the AuthPolicy. - If no route selectors are specified, the AuthPolicy will be enforced at all requests to the protected routes. + description: Top-level route selectors. If present, the elements + will be used to select HTTPRoute rules that, when activated, + trigger the external authorization service. At least one selected + HTTPRoute rule must match to trigger the AuthPolicy. If no route + selectors are specified, the AuthPolicy will be enforced at + all requests to the protected routes. items: - description: |- - RouteSelector defines semantics for matching an HTTP request based on conditions - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: RouteSelector defines semantics for matching an + HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: |- - Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: Hostnames defines a set of hostname that should + match against the HTTP Host header to select a HTTPRoute + to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - - - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). - - - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. + description: "Hostname is the fully qualified domain name + of a network host. This matches the RFC 1123 definition + of a hostname with 2 notable exceptions: \n 1. IPs are + not allowed. 2. A hostname may be prefixed with a wildcard + label (`*.`). The wildcard label must appear by itself + as the first label. \n Hostname can be \"precise\" which + is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which + is a domain name prefixed with a single wildcard label + (e.g. `*.example.com`). \n Note that as per RFC1035 + and RFC1123, a *label* must consist of lower case alphanumeric + characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed." maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: |- - Matches define conditions used for matching the rule against incoming HTTP requests. - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: Matches define conditions used for matching + the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate used - to match requests to a given\naction. Multiple match - types are ANDed together, i.e. the match will\nevaluate - to true only if all conditions are satisfied.\n\n\nFor + to match requests to a given action. Multiple match + types are ANDed together, i.e. the match will evaluate + to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only - if its path\nstarts with `/foo` AND it contains the - `version: v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t - \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t - \ value \"v1\"\n\n\n```" + if its path starts with `/foo` AND it contains the `version: + v1` header: \n ``` match: \n path: value: \"/foo\" headers: + - name: \"version\" value \"v1\" \n ```" properties: headers: - description: |- - Headers specifies HTTP request header matchers. Multiple match values are - ANDed together, meaning, a request must match all the specified headers - to select the route. + description: Headers specifies HTTP request header + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified + headers to select the route. items: - description: |- - HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request - headers. + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. properties: name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - - - When a header is repeated in an HTTP request, it is - implementation-specific behavior as to how this is represented. - Generally, proxies should follow the guidance from the RFC: - https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding - processing a repeated header, with special handling for "Set-Cookie". + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, only the first entry with an + equivalent name MUST be considered for a match. + Subsequent entries with an equivalent header + name MUST be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent. \n When a header is repeated in + an HTTP request, it is implementation-specific + behavior as to how this is represented. Generally, + proxies should follow the guidance from the + RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with + special handling for \"Set-Cookie\"." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the header. - - - Support: Core (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression HeaderMatchType has implementation-specific - conformance, implementations can support POSIX, PCRE or any other dialects - of regular expressions. Please read the implementation's documentation to - determine the supported dialect. + description: "Type specifies how to match against + the value of the header. \n Support: Core + (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + HeaderMatchType has implementation-specific + conformance, implementations can support POSIX, + PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." enum: - Exact - RegularExpression @@ -228,13 +211,10 @@ spec: - name x-kubernetes-list-type: map method: - description: |- - Method specifies HTTP method matcher. - When specified, this route will be matched only if the request has the - specified method. - - - Support: Extended + description: "Method specifies HTTP method matcher. + When specified, this route will be matched only + if the request has the specified method. \n Support: + Extended" enum: - GET - HEAD @@ -250,20 +230,15 @@ spec: default: type: PathPrefix value: / - description: |- - Path specifies a HTTP request path matcher. If this field is not - specified, a default prefix match on the "/" path is provided. + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix + match on the "/" path is provided. properties: type: default: PathPrefix - description: |- - Type specifies how to match against the path Value. - - - Support: Core (Exact, PathPrefix) - - - Support: Implementation-specific (RegularExpression) + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Implementation-specific (RegularExpression)" enum: - Exact - PathPrefix @@ -323,60 +298,51 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: |- - QueryParams specifies HTTP query parameter matchers. Multiple match - values are ANDed together, meaning, a request must match all the - specified query parameters to select the route. - - - Support: Extended + description: "QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified + query parameters to select the route. \n Support: + Extended" items: - description: |- - HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP - query parameters. + description: HTTPQueryParamMatch describes how to + select a HTTP route by matching HTTP query parameters. properties: name: - description: |- - Name is the name of the HTTP query param to be matched. This must be an - exact string match. (See - https://tools.ietf.org/html/rfc7230#section-2.7.3). - - - If multiple entries specify equivalent query param names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent query param name MUST be ignored. - - - If a query param is repeated in an HTTP request, the behavior is - purposely left undefined, since different data planes have different - capabilities. However, it is *recommended* that implementations should - match against the first value of the param if the data plane supports it, - as this behavior is expected in other load balancing contexts outside of - the Gateway API. - - - Users SHOULD NOT route traffic based on repeated query params to guard - themselves against potential differences in the implementations. + description: "Name is the name of the HTTP query + param to be matched. This must be an exact + string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent + query param names, only the first entry with + an equivalent name MUST be considered for + a match. Subsequent entries with an equivalent + query param name MUST be ignored. \n If a + query param is repeated in an HTTP request, + the behavior is purposely left undefined, + since different data planes have different + capabilities. However, it is *recommended* + that implementations should match against + the first value of the param if the data plane + supports it, as this behavior is expected + in other load balancing contexts outside of + the Gateway API. \n Users SHOULD NOT route + traffic based on repeated query params to + guard themselves against potential differences + in the implementations." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the query parameter. - - - Support: Extended (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression QueryParamMatchType has Implementation-specific - conformance, implementations can support POSIX, PCRE or any other - dialects of regular expressions. Please read the implementation's - documentation to determine the supported dialect. + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, + PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." enum: - Exact - RegularExpression @@ -403,9 +369,8 @@ spec: maxItems: 15 type: array rules: - description: |- - The auth rules of the policy. - See Authorino's AuthConfig CRD for more details. + description: The auth rules of the policy. See Authorino's AuthConfig + CRD for more details. properties: authentication: additionalProperties: @@ -419,9 +384,10 @@ spec: properties: allNamespaces: default: false - description: |- - Whether Authorino should look for API key secrets in all namespaces or only in the same namespace as the AuthConfig. - Enabling this option in namespaced Authorino instances has no effect. + description: Whether Authorino should look for API + key secrets in all namespaces or only in the same + namespace as the AuthConfig. Enabling this option + in namespaced Authorino instances has no effect. type: boolean selector: description: Label selector used by Authorino to @@ -433,24 +399,28 @@ spec: selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic merge patch. items: type: string @@ -463,10 +433,12 @@ spec: matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -474,20 +446,26 @@ spec: - selector type: object cache: - description: |- - Caching options for the resolved object returned when applying this config. - Omit it to avoid caching objects for this config. + description: Caching options for the resolved object + returned when applying this config. Omit it to avoid + caching objects for this config. properties: key: - description: |- - Key used to store the entry in the cache. - The resolved key must be unique within the scope of this particular config. + description: Key used to store the entry in the + cache. The resolved key must be unique within + the scope of this particular config. properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -503,9 +481,11 @@ spec: - key type: object credentials: - description: |- - Defines where credentials are required to be passed in the request for authentication based on this config. - If omitted, it defaults to credentials passed in the HTTP Authorization header and the "Bearer" prefix prepended to the secret credential value. + description: Defines where credentials are required + to be passed in the request for authentication based + on this config. If omitted, it defaults to credentials + passed in the HTTP Authorization header and the "Bearer" + prefix prepended to the secret credential value. properties: authorizationHeader: properties: @@ -538,45 +518,58 @@ spec: additionalProperties: properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object - description: |- - Set default property values (claims) for the resolved identity object, that are set before appending the object to - the authorization JSON. If the property is already present in the resolved identity object, the default value is ignored. - It requires the resolved identity object to always be a JSON object. - Do not use this option with identity objects of other JSON types (array, string, etc). + description: Set default property values (claims) for + the resolved identity object, that are set before + appending the object to the authorization JSON. If + the property is already present in the resolved identity + object, the default value is ignored. It requires + the resolved identity object to always be a JSON object. + Do not use this option with identity objects of other + JSON types (array, string, etc). type: object jwt: description: Authentication based on JWT tokens. properties: issuerUrl: - description: |- - URL of the issuer of the JWT. - If `jwksUrl` is omitted, Authorino will append the path to the OpenID Connect Well-Known Discovery endpoint - (i.e. "/.well-known/openid-configuration") to this URL, to discover the OIDC configuration where to obtain - the "jkws_uri" claim from. - The value must coincide with the value of the "iss" (issuer) claim of the discovered OpenID Connect configuration. + description: URL of the issuer of the JWT. If `jwksUrl` + is omitted, Authorino will append the path to + the OpenID Connect Well-Known Discovery endpoint + (i.e. "/.well-known/openid-configuration") to + this URL, to discover the OIDC configuration where + to obtain the "jkws_uri" claim from. The value + must coincide with the value of the "iss" (issuer) + claim of the discovered OpenID Connect configuration. type: string ttl: - description: |- - Decides how long to wait before refreshing the JWKS (in seconds). - If omitted, Authorino will never refresh the JWKS. + description: Decides how long to wait before refreshing + the JWKS (in seconds). If omitted, Authorino will + never refresh the JWKS. type: integer type: object kubernetesTokenReview: description: Authentication by Kubernetes token review. properties: audiences: - description: |- - The list of audiences (scopes) that must be claimed in a Kubernetes authentication token supplied in the request, and reviewed by Authorino. - If omitted, Authorino will review tokens expecting the host name of the requested protected service amongst the audiences. + description: The list of audiences (scopes) that + must be claimed in a Kubernetes authentication + token supplied in the request, and reviewed by + Authorino. If omitted, Authorino will review tokens + expecting the host name of the requested protected + service amongst the audiences. items: type: string type: array @@ -595,10 +588,10 @@ spec: to the OAuth2 server. properties: name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' type: string type: object x-kubernetes-map-type: atomic @@ -607,8 +600,7 @@ spec: endpoint. type: string tokenTypeHint: - description: |- - The token type hint for the token introspection. + description: The token type hint for the token introspection. If omitted, it defaults to "access_token". type: string required: @@ -619,144 +611,158 @@ spec: additionalProperties: properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object - description: |- - Overrides the resolved identity object by setting the additional properties (claims) specified in this config, - before appending the object to the authorization JSON. - It requires the resolved identity object to always be a JSON object. - Do not use this option with identity objects of other JSON types (array, string, etc). + description: Overrides the resolved identity object + by setting the additional properties (claims) specified + in this config, before appending the object to the + authorization JSON. It requires the resolved identity + object to always be a JSON object. Do not use this + option with identity objects of other JSON types (array, + string, etc). type: object plain: - description: |- - Identity object extracted from the context. - Use this method when authentication is performed beforehand by a proxy and the resulting object passed to Authorino as JSON in the auth request. + description: Identity object extracted from the context. + Use this method when authentication is performed beforehand + by a proxy and the resulting object passed to Authorino + as JSON in the auth request. properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch content + from the authorization JSON (e.g. ''request.method'') + or a string template with variables that resolve + to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom modifiers + are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode and @strip.' type: string required: - selector type: object priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs + in the same priority group are evaluated concurrently; + consecutive priority groups are evaluated sequentially. type: integer routeSelectors: - description: |- - Top-level route selectors. - If present, the elements will be used to select HTTPRoute rules that, when activated, trigger the auth rule. - At least one selected HTTPRoute rule must match to trigger the auth rule. - If no route selectors are specified, the auth rule will be evaluated at all requests to the protected routes. + description: Top-level route selectors. If present, + the elements will be used to select HTTPRoute rules + that, when activated, trigger the auth rule. At least + one selected HTTPRoute rule must match to trigger + the auth rule. If no route selectors are specified, + the auth rule will be evaluated at all requests to + the protected routes. items: - description: |- - RouteSelector defines semantics for matching an HTTP request based on conditions - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: RouteSelector defines semantics for matching + an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: |- - Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request + description: Hostnames defines a set of hostname + that should match against the HTTP Host header + to select a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - - - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). - - - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. + description: "Hostname is the fully qualified + domain name of a network host. This matches + the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard + label (`*.`). The wildcard label must appear + by itself as the first label. \n Hostname + can be \"precise\" which is a domain name + without the terminating dot of a network host + (e.g. \"foo.example.com\") or \"wildcard\", + which is a domain name prefixed with a single + wildcard label (e.g. `*.example.com`). \n + Note that as per RFC1035 and RFC1123, a *label* + must consist of lower case alphanumeric characters + or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed." maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: |- - Matches define conditions used for matching the rule against incoming HTTP requests. + description: Matches define conditions used for + matching the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate - used to match requests to a given\naction. + used to match requests to a given action. Multiple match types are ANDed together, i.e. - the match will\nevaluate to true only if all - conditions are satisfied.\n\n\nFor example, + the match will evaluate to true only if all + conditions are satisfied. \n For example, the match below will match a HTTP request - only if its path\nstarts with `/foo` AND it - contains the `version: v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t - \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t - \ value \"v1\"\n\n\n```" + only if its path starts with `/foo` AND it + contains the `version: v1` header: \n ``` + match: \n path: value: \"/foo\" headers: - + name: \"version\" value \"v1\" \n ```" properties: headers: - description: |- - Headers specifies HTTP request header matchers. Multiple match values are - ANDed together, meaning, a request must match all the specified headers - to select the route. + description: Headers specifies HTTP request + header matchers. Multiple match values + are ANDed together, meaning, a request + must match all the specified headers to + select the route. items: - description: |- - HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request - headers. + description: HTTPHeaderMatch describes + how to select a HTTP route by matching + HTTP request headers. properties: name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - - - When a header is repeated in an HTTP request, it is - implementation-specific behavior as to how this is represented. - Generally, proxies should follow the guidance from the RFC: - https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding - processing a repeated header, with special handling for "Set-Cookie". + description: "Name is the name of + the HTTP Header to be matched. Name + matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, only the first entry + with an equivalent name MUST be + considered for a match. Subsequent + entries with an equivalent header + name MUST be ignored. Due to the + case-insensitivity of header names, + \"foo\" and \"Foo\" are considered + equivalent. \n When a header is + repeated in an HTTP request, it + is implementation-specific behavior + as to how this is represented. Generally, + proxies should follow the guidance + from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated + header, with special handling for + \"Set-Cookie\"." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the header. - - - Support: Core (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression HeaderMatchType has implementation-specific - conformance, implementations can support POSIX, PCRE or any other dialects - of regular expressions. Please read the implementation's documentation to - determine the supported dialect. + description: "Type specifies how to + match against the value of the header. + \n Support: Core (Exact) \n Support: + Implementation-specific (RegularExpression) + \n Since RegularExpression HeaderMatchType + has implementation-specific conformance, + implementations can support POSIX, + PCRE or any other dialects of regular + expressions. Please read the implementation's + documentation to determine the supported + dialect." enum: - Exact - RegularExpression @@ -777,13 +783,10 @@ spec: - name x-kubernetes-list-type: map method: - description: |- - Method specifies HTTP method matcher. - When specified, this route will be matched only if the request has the - specified method. - - - Support: Extended + description: "Method specifies HTTP method + matcher. When specified, this route will + be matched only if the request has the + specified method. \n Support: Extended" enum: - GET - HEAD @@ -799,20 +802,17 @@ spec: default: type: PathPrefix value: / - description: |- - Path specifies a HTTP request path matcher. If this field is not - specified, a default prefix match on the "/" path is provided. + description: Path specifies a HTTP request + path matcher. If this field is not specified, + a default prefix match on the "/" path + is provided. properties: type: default: PathPrefix - description: |- - Type specifies how to match against the path Value. - - - Support: Core (Exact, PathPrefix) - - - Support: Implementation-specific (RegularExpression) + description: "Type specifies how to + match against the path Value. \n Support: + Core (Exact, PathPrefix) \n Support: + Implementation-specific (RegularExpression)" enum: - Exact - PathPrefix @@ -874,60 +874,61 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: |- - QueryParams specifies HTTP query parameter matchers. Multiple match - values are ANDed together, meaning, a request must match all the - specified query parameters to select the route. - - - Support: Extended + description: "QueryParams specifies HTTP + query parameter matchers. Multiple match + values are ANDed together, meaning, a + request must match all the specified query + parameters to select the route. \n Support: + Extended" items: - description: |- - HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP - query parameters. + description: HTTPQueryParamMatch describes + how to select a HTTP route by matching + HTTP query parameters. properties: name: - description: |- - Name is the name of the HTTP query param to be matched. This must be an - exact string match. (See - https://tools.ietf.org/html/rfc7230#section-2.7.3). - - - If multiple entries specify equivalent query param names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent query param name MUST be ignored. - - - If a query param is repeated in an HTTP request, the behavior is - purposely left undefined, since different data planes have different - capabilities. However, it is *recommended* that implementations should - match against the first value of the param if the data plane supports it, - as this behavior is expected in other load balancing contexts outside of - the Gateway API. - - - Users SHOULD NOT route traffic based on repeated query params to guard - themselves against potential differences in the implementations. + description: "Name is the name of + the HTTP query param to be matched. + This must be an exact string match. + (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent + query param names, only the first + entry with an equivalent name MUST + be considered for a match. Subsequent + entries with an equivalent query + param name MUST be ignored. \n If + a query param is repeated in an + HTTP request, the behavior is purposely + left undefined, since different + data planes have different capabilities. + However, it is *recommended* that + implementations should match against + the first value of the param if + the data plane supports it, as this + behavior is expected in other load + balancing contexts outside of the + Gateway API. \n Users SHOULD NOT + route traffic based on repeated + query params to guard themselves + against potential differences in + the implementations." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the query parameter. - - - Support: Extended (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression QueryParamMatchType has Implementation-specific - conformance, implementations can support POSIX, PCRE or any other - dialects of regular expressions. Please read the implementation's - documentation to determine the supported dialect. + description: "Type specifies how to + match against the value of the query + parameter. \n Support: Extended + (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + QueryParamMatchType has Implementation-specific + conformance, implementations can + support POSIX, PCRE or any other + dialects of regular expressions. + Please read the implementation's + documentation to determine the supported + dialect." enum: - Exact - RegularExpression @@ -954,10 +955,11 @@ spec: maxItems: 8 type: array when: - description: |- - Conditions for Authorino to enforce this config. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this + config. If omitted, the config will be enforced for + all requests. If present, all conditions must match + for the config to be enforced; otherwise, the config + will be skipped. items: properties: all: @@ -975,9 +977,12 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied + to the content fetched from the authorization + JSON, for comparison with "value". Possible + values are: "eq" (equal to), "neq" (not equal + to), "incl" (includes; for arrays), "excl" (excludes; + for arrays), "matches" (regex)' enum: - eq - neq @@ -990,57 +995,66 @@ spec: expressions type: string selector: - description: |- - Path selector to fetch content from the authorization JSON (e.g. 'request.method'). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - Authorino custom JSON path modifiers are also supported. + description: Path selector to fetch content from + the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path modifiers + are also supported. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the + value must compile to a valid Golang regex. type: string type: object type: array x509: - description: |- - Authentication based on client X.509 certificates. - The certificates presented by the clients must be signed by a trusted CA whose certificates are stored in Kubernetes secrets. + description: Authentication based on client X.509 certificates. + The certificates presented by the clients must be + signed by a trusted CA whose certificates are stored + in Kubernetes secrets. properties: allNamespaces: default: false - description: |- - Whether Authorino should look for TLS secrets in all namespaces or only in the same namespace as the AuthConfig. - Enabling this option in namespaced Authorino instances has no effect. + description: Whether Authorino should look for TLS + secrets in all namespaces or only in the same + namespace as the AuthConfig. Enabling this option + in namespaced Authorino instances has no effect. type: boolean selector: - description: |- - Label selector used by Authorino to match secrets from the cluster storing trusted CA certificates to validate - clients trying to authenticate to this service + description: Label selector used by Authorino to + match secrets from the cluster storing trusted + CA certificates to validate clients trying to + authenticate to this service properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic merge patch. items: type: string @@ -1053,10 +1067,12 @@ spec: matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1064,29 +1080,35 @@ spec: - selector type: object type: object - description: |- - Authentication configs. - At least one config MUST evaluate to a valid identity object for the auth request to be successful. + description: Authentication configs. At least one config MUST + evaluate to a valid identity object for the auth request + to be successful. maxProperties: 10 type: object authorization: additionalProperties: properties: cache: - description: |- - Caching options for the resolved object returned when applying this config. - Omit it to avoid caching objects for this config. + description: Caching options for the resolved object + returned when applying this config. Omit it to avoid + caching objects for this config. properties: key: - description: |- - Key used to store the entry in the cache. - The resolved key must be unique within the scope of this particular config. + description: Key used to store the entry in the + cache. The resolved key must be unique within + the scope of this particular config. properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -1112,35 +1134,47 @@ spec: type: string type: array resourceAttributes: - description: |- - Use resourceAttributes to check permissions on Kubernetes resources. - If omitted, it performs a non-resource SubjectAccessReview, with verb and path inferred from the request. + description: Use resourceAttributes to check permissions + on Kubernetes resources. If omitted, it performs + a non-resource SubjectAccessReview, with verb + and path inferred from the request. properties: group: - description: |- - API group of the resource. - Use '*' for all API groups. + description: API group of the resource. Use + '*' for all API groups. properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object name: - description: |- - Resource name - Omit it to check for authorization on all resources of the specified kind. + description: Resource name Omit it to check + for authorization on all resources of the + specified kind. properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -1151,25 +1185,36 @@ spec: permissions on the resource. properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object resource: - description: |- - Resource kind - Use '*' for all resource kinds. + description: Resource kind Use '*' for all resource + kinds. properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -1179,25 +1224,36 @@ spec: description: Subresource kind properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object verb: - description: |- - Verb to check for authorization on the resource. - Use '*' for all verbs. + description: Verb to check for authorization + on the resource. Use '*' for all verbs. properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -1205,15 +1261,21 @@ spec: type: object type: object user: - description: |- - User to check for authorization in the Kubernetes RBAC. - Omit it to check for group authorization only. + description: User to check for authorization in + the Kubernetes RBAC. Omit it to check for group + authorization only. properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -1230,29 +1292,41 @@ spec: properties: allValues: default: false - description: |- - Returns the value of all Rego rules in the virtual document. Values can be read in subsequent evaluators/phases of the Auth Pipeline. - Otherwise, only the default `allow` rule will be exposed. - Returning all Rego rules can affect performance of OPA policies during reconciliation (policy precompile) and at runtime. + description: Returns the value of all Rego rules + in the virtual document. Values can be read in + subsequent evaluators/phases of the Auth Pipeline. + Otherwise, only the default `allow` rule will + be exposed. Returning all Rego rules can affect + performance of OPA policies during reconciliation + (policy precompile) and at runtime. type: boolean externalPolicy: - description: |- - Settings for fetching the OPA policy from an external registry. - Use it alternatively to 'rego'. - For the configurations of the HTTP request, the following options are not implemented: 'method', 'body', 'bodyParameters', - 'contentType', 'headers', 'oauth2'. Use it only with: 'url', 'sharedSecret', 'credentials'. + description: 'Settings for fetching the OPA policy + from an external registry. Use it alternatively + to ''rego''. For the configurations of the HTTP + request, the following options are not implemented: + ''method'', ''body'', ''bodyParameters'', ''contentType'', + ''headers'', ''oauth2''. Use it only with: ''url'', + ''sharedSecret'', ''credentials''.' properties: body: - description: |- - Raw body of the HTTP request. - Supersedes 'bodyParameters'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Raw body of the HTTP request. Supersedes + 'bodyParameters'; use either one or the other. + Use it with method=POST; for GET requests, + set parameters as query string in the 'endpoint' + (placeholders can be used). properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -1262,33 +1336,45 @@ spec: additionalProperties: properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to + fetch content from the authorization + JSON (e.g. ''request.method'') or a + string template with variables that + resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino + custom modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object - description: |- - Custom parameters to encode in the body of the HTTP request. - Superseded by 'body'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Custom parameters to encode in + the body of the HTTP request. Superseded by + 'body'; use either one or the other. Use it + with method=POST; for GET requests, set parameters + as query string in the 'endpoint' (placeholders + can be used). type: object contentType: default: application/x-www-form-urlencoded - description: |- - Content-Type of the request body. Shapes how 'bodyParameters' are encoded. - Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + description: Content-Type of the request body. + Shapes how 'bodyParameters' are encoded. Use + it with method=POST; for GET requests, Content-Type + is automatically set to 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: - description: |- - Defines where client credentials will be passed in the request to the service. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + description: Defines where client credentials + will be passed in the request to the service. + If omitted, it defaults to client credentials + passed in the HTTP Authorization header and + the "Bearer" prefix expected prepended to + the secret value. properties: authorizationHeader: properties: @@ -1321,10 +1407,16 @@ spec: additionalProperties: properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to + fetch content from the authorization + JSON (e.g. ''request.method'') or a + string template with variables that + resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino + custom modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -1334,9 +1426,11 @@ spec: type: object method: default: GET - description: |- - HTTP verb used in the request to the service. Accepted values: GET (default), POST. - When the request method is POST, the authorization JSON is passed in the body of the request. + description: 'HTTP verb used in the request + to the service. Accepted values: GET (default), + POST. When the request method is POST, the + authorization JSON is passed in the body of + the request.' enum: - GET - POST @@ -1354,9 +1448,10 @@ spec: properties: cache: default: true - description: |- - Caches and reuses the token until expired. - Set it to false to force fetch the token at every authorization request regardless of expiration. + description: Caches and reuses the token + until expired. Set it to false to force + fetch the token at every authorization + request regardless of expiration. type: boolean clientId: description: OAuth2 Client ID. @@ -1402,9 +1497,10 @@ spec: - tokenUrl type: object sharedSecretRef: - description: |- - Reference to a Secret key whose value will be passed by Authorino in the request. - The HTTP service can use the shared secret to authenticate the origin of the request. + description: Reference to a Secret key whose + value will be passed by Authorino in the request. + The HTTP service can use the shared secret + to authenticate the origin of the request. Ignored if used together with oauth2. properties: key: @@ -1425,20 +1521,23 @@ spec: the source. type: integer url: - description: |- - Endpoint URL of the HTTP service. - The value can include variable placeholders in the format "{selector}", where "selector" is any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + description: Endpoint URL of the HTTP service. + The value can include variable placeholders + in the format "{selector}", where "selector" + is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string required: - url type: object rego: - description: |- - Authorization policy as a Rego language document. - The Rego document must include the "allow" condition, set by Authorino to "false" by default (i.e. requests are unauthorized unless changed). - The Rego document must NOT include the "package" declaration in line 1. + description: Authorization policy as a Rego language + document. The Rego document must include the "allow" + condition, set by Authorino to "false" by default + (i.e. requests are unauthorized unless changed). + The Rego document must NOT include the "package" + declaration in line 1. type: string type: object patternMatching: @@ -1462,9 +1561,13 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied + to the content fetched from the authorization + JSON, for comparison with "value". Possible + values are: "eq" (equal to), "neq" (not + equal to), "incl" (includes; for arrays), + "excl" (excludes; for arrays), "matches" + (regex)' enum: - eq - neq @@ -1477,15 +1580,18 @@ spec: expressions type: string selector: - description: |- - Path selector to fetch content from the authorization JSON (e.g. 'request.method'). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - Authorino custom JSON path modifiers are also supported. + description: Path selector to fetch content + from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path + modifiers are also supported. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the + comparison with the content fetched from + the authorization JSON. If used with the + "matches" operator, the value must compile + to a valid Golang regex. type: string type: object type: array @@ -1494,113 +1600,115 @@ spec: type: object priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs + in the same priority group are evaluated concurrently; + consecutive priority groups are evaluated sequentially. type: integer routeSelectors: - description: |- - Top-level route selectors. - If present, the elements will be used to select HTTPRoute rules that, when activated, trigger the auth rule. - At least one selected HTTPRoute rule must match to trigger the auth rule. - If no route selectors are specified, the auth rule will be evaluated at all requests to the protected routes. + description: Top-level route selectors. If present, + the elements will be used to select HTTPRoute rules + that, when activated, trigger the auth rule. At least + one selected HTTPRoute rule must match to trigger + the auth rule. If no route selectors are specified, + the auth rule will be evaluated at all requests to + the protected routes. items: - description: |- - RouteSelector defines semantics for matching an HTTP request based on conditions - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: RouteSelector defines semantics for matching + an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: |- - Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request + description: Hostnames defines a set of hostname + that should match against the HTTP Host header + to select a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - - - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). - - - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. + description: "Hostname is the fully qualified + domain name of a network host. This matches + the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard + label (`*.`). The wildcard label must appear + by itself as the first label. \n Hostname + can be \"precise\" which is a domain name + without the terminating dot of a network host + (e.g. \"foo.example.com\") or \"wildcard\", + which is a domain name prefixed with a single + wildcard label (e.g. `*.example.com`). \n + Note that as per RFC1035 and RFC1123, a *label* + must consist of lower case alphanumeric characters + or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed." maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: |- - Matches define conditions used for matching the rule against incoming HTTP requests. + description: Matches define conditions used for + matching the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate - used to match requests to a given\naction. + used to match requests to a given action. Multiple match types are ANDed together, i.e. - the match will\nevaluate to true only if all - conditions are satisfied.\n\n\nFor example, + the match will evaluate to true only if all + conditions are satisfied. \n For example, the match below will match a HTTP request - only if its path\nstarts with `/foo` AND it - contains the `version: v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t - \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t - \ value \"v1\"\n\n\n```" + only if its path starts with `/foo` AND it + contains the `version: v1` header: \n ``` + match: \n path: value: \"/foo\" headers: - + name: \"version\" value \"v1\" \n ```" properties: headers: - description: |- - Headers specifies HTTP request header matchers. Multiple match values are - ANDed together, meaning, a request must match all the specified headers - to select the route. + description: Headers specifies HTTP request + header matchers. Multiple match values + are ANDed together, meaning, a request + must match all the specified headers to + select the route. items: - description: |- - HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request - headers. + description: HTTPHeaderMatch describes + how to select a HTTP route by matching + HTTP request headers. properties: name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - - - When a header is repeated in an HTTP request, it is - implementation-specific behavior as to how this is represented. - Generally, proxies should follow the guidance from the RFC: - https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding - processing a repeated header, with special handling for "Set-Cookie". + description: "Name is the name of + the HTTP Header to be matched. Name + matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, only the first entry + with an equivalent name MUST be + considered for a match. Subsequent + entries with an equivalent header + name MUST be ignored. Due to the + case-insensitivity of header names, + \"foo\" and \"Foo\" are considered + equivalent. \n When a header is + repeated in an HTTP request, it + is implementation-specific behavior + as to how this is represented. Generally, + proxies should follow the guidance + from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated + header, with special handling for + \"Set-Cookie\"." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the header. - - - Support: Core (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression HeaderMatchType has implementation-specific - conformance, implementations can support POSIX, PCRE or any other dialects - of regular expressions. Please read the implementation's documentation to - determine the supported dialect. + description: "Type specifies how to + match against the value of the header. + \n Support: Core (Exact) \n Support: + Implementation-specific (RegularExpression) + \n Since RegularExpression HeaderMatchType + has implementation-specific conformance, + implementations can support POSIX, + PCRE or any other dialects of regular + expressions. Please read the implementation's + documentation to determine the supported + dialect." enum: - Exact - RegularExpression @@ -1621,13 +1729,10 @@ spec: - name x-kubernetes-list-type: map method: - description: |- - Method specifies HTTP method matcher. - When specified, this route will be matched only if the request has the - specified method. - - - Support: Extended + description: "Method specifies HTTP method + matcher. When specified, this route will + be matched only if the request has the + specified method. \n Support: Extended" enum: - GET - HEAD @@ -1643,20 +1748,17 @@ spec: default: type: PathPrefix value: / - description: |- - Path specifies a HTTP request path matcher. If this field is not - specified, a default prefix match on the "/" path is provided. + description: Path specifies a HTTP request + path matcher. If this field is not specified, + a default prefix match on the "/" path + is provided. properties: type: default: PathPrefix - description: |- - Type specifies how to match against the path Value. - - - Support: Core (Exact, PathPrefix) - - - Support: Implementation-specific (RegularExpression) + description: "Type specifies how to + match against the path Value. \n Support: + Core (Exact, PathPrefix) \n Support: + Implementation-specific (RegularExpression)" enum: - Exact - PathPrefix @@ -1718,60 +1820,61 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: |- - QueryParams specifies HTTP query parameter matchers. Multiple match - values are ANDed together, meaning, a request must match all the - specified query parameters to select the route. - - - Support: Extended + description: "QueryParams specifies HTTP + query parameter matchers. Multiple match + values are ANDed together, meaning, a + request must match all the specified query + parameters to select the route. \n Support: + Extended" items: - description: |- - HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP - query parameters. + description: HTTPQueryParamMatch describes + how to select a HTTP route by matching + HTTP query parameters. properties: name: - description: |- - Name is the name of the HTTP query param to be matched. This must be an - exact string match. (See - https://tools.ietf.org/html/rfc7230#section-2.7.3). - - - If multiple entries specify equivalent query param names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent query param name MUST be ignored. - - - If a query param is repeated in an HTTP request, the behavior is - purposely left undefined, since different data planes have different - capabilities. However, it is *recommended* that implementations should - match against the first value of the param if the data plane supports it, - as this behavior is expected in other load balancing contexts outside of - the Gateway API. - - - Users SHOULD NOT route traffic based on repeated query params to guard - themselves against potential differences in the implementations. + description: "Name is the name of + the HTTP query param to be matched. + This must be an exact string match. + (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent + query param names, only the first + entry with an equivalent name MUST + be considered for a match. Subsequent + entries with an equivalent query + param name MUST be ignored. \n If + a query param is repeated in an + HTTP request, the behavior is purposely + left undefined, since different + data planes have different capabilities. + However, it is *recommended* that + implementations should match against + the first value of the param if + the data plane supports it, as this + behavior is expected in other load + balancing contexts outside of the + Gateway API. \n Users SHOULD NOT + route traffic based on repeated + query params to guard themselves + against potential differences in + the implementations." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the query parameter. - - - Support: Extended (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression QueryParamMatchType has Implementation-specific - conformance, implementations can support POSIX, PCRE or any other - dialects of regular expressions. Please read the implementation's - documentation to determine the supported dialect. + description: "Type specifies how to + match against the value of the query + parameter. \n Support: Extended + (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + QueryParamMatchType has Implementation-specific + conformance, implementations can + support POSIX, PCRE or any other + dialects of regular expressions. + Please read the implementation's + documentation to determine the supported + dialect." enum: - Exact - RegularExpression @@ -1814,10 +1917,16 @@ spec: on which to execute the check. properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -1830,10 +1939,16 @@ spec: kind: properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -1842,10 +1957,16 @@ spec: name: properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -1876,10 +1997,16 @@ spec: kind: properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -1888,10 +2015,16 @@ spec: name: properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -1902,10 +2035,11 @@ spec: - endpoint type: object when: - description: |- - Conditions for Authorino to enforce this config. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this + config. If omitted, the config will be enforced for + all requests. If present, all conditions must match + for the config to be enforced; otherwise, the config + will be skipped. items: properties: all: @@ -1923,9 +2057,12 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied + to the content fetched from the authorization + JSON, for comparison with "value". Possible + values are: "eq" (equal to), "neq" (not equal + to), "incl" (includes; for arrays), "excl" (excludes; + for arrays), "matches" (regex)' enum: - eq - neq @@ -1938,42 +2075,49 @@ spec: expressions type: string selector: - description: |- - Path selector to fetch content from the authorization JSON (e.g. 'request.method'). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - Authorino custom JSON path modifiers are also supported. + description: Path selector to fetch content from + the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path modifiers + are also supported. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the + value must compile to a valid Golang regex. type: string type: object type: array type: object - description: |- - Authorization policies. - All policies MUST evaluate to "allowed = true" for the auth request be successful. + description: Authorization policies. All policies MUST evaluate + to "allowed = true" for the auth request be successful. maxProperties: 10 type: object callbacks: additionalProperties: properties: cache: - description: |- - Caching options for the resolved object returned when applying this config. - Omit it to avoid caching objects for this config. + description: Caching options for the resolved object + returned when applying this config. Omit it to avoid + caching objects for this config. properties: key: - description: |- - Key used to store the entry in the cache. - The resolved key must be unique within the scope of this particular config. + description: Key used to store the entry in the + cache. The resolved key must be unique within + the scope of this particular config. properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -1992,16 +2136,23 @@ spec: description: Settings of the external HTTP request properties: body: - description: |- - Raw body of the HTTP request. - Supersedes 'bodyParameters'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Raw body of the HTTP request. Supersedes + 'bodyParameters'; use either one or the other. + Use it with method=POST; for GET requests, set + parameters as query string in the 'endpoint' (placeholders + can be used). properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -2011,33 +2162,43 @@ spec: additionalProperties: properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object - description: |- - Custom parameters to encode in the body of the HTTP request. - Superseded by 'body'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Custom parameters to encode in the + body of the HTTP request. Superseded by 'body'; + use either one or the other. Use it with method=POST; + for GET requests, set parameters as query string + in the 'endpoint' (placeholders can be used). type: object contentType: default: application/x-www-form-urlencoded - description: |- - Content-Type of the request body. Shapes how 'bodyParameters' are encoded. - Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + description: Content-Type of the request body. Shapes + how 'bodyParameters' are encoded. Use it with + method=POST; for GET requests, Content-Type is + automatically set to 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: - description: |- - Defines where client credentials will be passed in the request to the service. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + description: Defines where client credentials will + be passed in the request to the service. If omitted, + it defaults to client credentials passed in the + HTTP Authorization header and the "Bearer" prefix + expected prepended to the secret value. properties: authorizationHeader: properties: @@ -2070,10 +2231,16 @@ spec: additionalProperties: properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -2083,9 +2250,10 @@ spec: type: object method: default: GET - description: |- - HTTP verb used in the request to the service. Accepted values: GET (default), POST. - When the request method is POST, the authorization JSON is passed in the body of the request. + description: 'HTTP verb used in the request to the + service. Accepted values: GET (default), POST. + When the request method is POST, the authorization + JSON is passed in the body of the request.' enum: - GET - POST @@ -2103,9 +2271,10 @@ spec: properties: cache: default: true - description: |- - Caches and reuses the token until expired. - Set it to false to force fetch the token at every authorization request regardless of expiration. + description: Caches and reuses the token until + expired. Set it to false to force fetch the + token at every authorization request regardless + of expiration. type: boolean clientId: description: OAuth2 Client ID. @@ -2149,10 +2318,11 @@ spec: - tokenUrl type: object sharedSecretRef: - description: |- - Reference to a Secret key whose value will be passed by Authorino in the request. - The HTTP service can use the shared secret to authenticate the origin of the request. - Ignored if used together with oauth2. + description: Reference to a Secret key whose value + will be passed by Authorino in the request. The + HTTP service can use the shared secret to authenticate + the origin of the request. Ignored if used together + with oauth2. properties: key: description: The key of the secret to select @@ -2167,10 +2337,11 @@ spec: - name type: object url: - description: |- - Endpoint URL of the HTTP service. - The value can include variable placeholders in the format "{selector}", where "selector" is any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + description: Endpoint URL of the HTTP service. The + value can include variable placeholders in the + format "{selector}", where "selector" is any pattern + supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string required: @@ -2183,113 +2354,115 @@ spec: type: boolean priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs + in the same priority group are evaluated concurrently; + consecutive priority groups are evaluated sequentially. type: integer routeSelectors: - description: |- - Top-level route selectors. - If present, the elements will be used to select HTTPRoute rules that, when activated, trigger the auth rule. - At least one selected HTTPRoute rule must match to trigger the auth rule. - If no route selectors are specified, the auth rule will be evaluated at all requests to the protected routes. + description: Top-level route selectors. If present, + the elements will be used to select HTTPRoute rules + that, when activated, trigger the auth rule. At least + one selected HTTPRoute rule must match to trigger + the auth rule. If no route selectors are specified, + the auth rule will be evaluated at all requests to + the protected routes. items: - description: |- - RouteSelector defines semantics for matching an HTTP request based on conditions - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: RouteSelector defines semantics for matching + an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: |- - Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request + description: Hostnames defines a set of hostname + that should match against the HTTP Host header + to select a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - - - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). - - - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. + description: "Hostname is the fully qualified + domain name of a network host. This matches + the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard + label (`*.`). The wildcard label must appear + by itself as the first label. \n Hostname + can be \"precise\" which is a domain name + without the terminating dot of a network host + (e.g. \"foo.example.com\") or \"wildcard\", + which is a domain name prefixed with a single + wildcard label (e.g. `*.example.com`). \n + Note that as per RFC1035 and RFC1123, a *label* + must consist of lower case alphanumeric characters + or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed." maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: |- - Matches define conditions used for matching the rule against incoming HTTP requests. + description: Matches define conditions used for + matching the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate - used to match requests to a given\naction. + used to match requests to a given action. Multiple match types are ANDed together, i.e. - the match will\nevaluate to true only if all - conditions are satisfied.\n\n\nFor example, + the match will evaluate to true only if all + conditions are satisfied. \n For example, the match below will match a HTTP request - only if its path\nstarts with `/foo` AND it - contains the `version: v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t - \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t - \ value \"v1\"\n\n\n```" + only if its path starts with `/foo` AND it + contains the `version: v1` header: \n ``` + match: \n path: value: \"/foo\" headers: - + name: \"version\" value \"v1\" \n ```" properties: headers: - description: |- - Headers specifies HTTP request header matchers. Multiple match values are - ANDed together, meaning, a request must match all the specified headers - to select the route. + description: Headers specifies HTTP request + header matchers. Multiple match values + are ANDed together, meaning, a request + must match all the specified headers to + select the route. items: - description: |- - HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request - headers. + description: HTTPHeaderMatch describes + how to select a HTTP route by matching + HTTP request headers. properties: name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - - - When a header is repeated in an HTTP request, it is - implementation-specific behavior as to how this is represented. - Generally, proxies should follow the guidance from the RFC: - https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding - processing a repeated header, with special handling for "Set-Cookie". + description: "Name is the name of + the HTTP Header to be matched. Name + matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, only the first entry + with an equivalent name MUST be + considered for a match. Subsequent + entries with an equivalent header + name MUST be ignored. Due to the + case-insensitivity of header names, + \"foo\" and \"Foo\" are considered + equivalent. \n When a header is + repeated in an HTTP request, it + is implementation-specific behavior + as to how this is represented. Generally, + proxies should follow the guidance + from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated + header, with special handling for + \"Set-Cookie\"." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the header. - - - Support: Core (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression HeaderMatchType has implementation-specific - conformance, implementations can support POSIX, PCRE or any other dialects - of regular expressions. Please read the implementation's documentation to - determine the supported dialect. + description: "Type specifies how to + match against the value of the header. + \n Support: Core (Exact) \n Support: + Implementation-specific (RegularExpression) + \n Since RegularExpression HeaderMatchType + has implementation-specific conformance, + implementations can support POSIX, + PCRE or any other dialects of regular + expressions. Please read the implementation's + documentation to determine the supported + dialect." enum: - Exact - RegularExpression @@ -2310,13 +2483,10 @@ spec: - name x-kubernetes-list-type: map method: - description: |- - Method specifies HTTP method matcher. - When specified, this route will be matched only if the request has the - specified method. - - - Support: Extended + description: "Method specifies HTTP method + matcher. When specified, this route will + be matched only if the request has the + specified method. \n Support: Extended" enum: - GET - HEAD @@ -2332,20 +2502,17 @@ spec: default: type: PathPrefix value: / - description: |- - Path specifies a HTTP request path matcher. If this field is not - specified, a default prefix match on the "/" path is provided. + description: Path specifies a HTTP request + path matcher. If this field is not specified, + a default prefix match on the "/" path + is provided. properties: type: default: PathPrefix - description: |- - Type specifies how to match against the path Value. - - - Support: Core (Exact, PathPrefix) - - - Support: Implementation-specific (RegularExpression) + description: "Type specifies how to + match against the path Value. \n Support: + Core (Exact, PathPrefix) \n Support: + Implementation-specific (RegularExpression)" enum: - Exact - PathPrefix @@ -2407,60 +2574,61 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: |- - QueryParams specifies HTTP query parameter matchers. Multiple match - values are ANDed together, meaning, a request must match all the - specified query parameters to select the route. - - - Support: Extended + description: "QueryParams specifies HTTP + query parameter matchers. Multiple match + values are ANDed together, meaning, a + request must match all the specified query + parameters to select the route. \n Support: + Extended" items: - description: |- - HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP - query parameters. + description: HTTPQueryParamMatch describes + how to select a HTTP route by matching + HTTP query parameters. properties: name: - description: |- - Name is the name of the HTTP query param to be matched. This must be an - exact string match. (See - https://tools.ietf.org/html/rfc7230#section-2.7.3). - - - If multiple entries specify equivalent query param names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent query param name MUST be ignored. - - - If a query param is repeated in an HTTP request, the behavior is - purposely left undefined, since different data planes have different - capabilities. However, it is *recommended* that implementations should - match against the first value of the param if the data plane supports it, - as this behavior is expected in other load balancing contexts outside of - the Gateway API. - - - Users SHOULD NOT route traffic based on repeated query params to guard - themselves against potential differences in the implementations. + description: "Name is the name of + the HTTP query param to be matched. + This must be an exact string match. + (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent + query param names, only the first + entry with an equivalent name MUST + be considered for a match. Subsequent + entries with an equivalent query + param name MUST be ignored. \n If + a query param is repeated in an + HTTP request, the behavior is purposely + left undefined, since different + data planes have different capabilities. + However, it is *recommended* that + implementations should match against + the first value of the param if + the data plane supports it, as this + behavior is expected in other load + balancing contexts outside of the + Gateway API. \n Users SHOULD NOT + route traffic based on repeated + query params to guard themselves + against potential differences in + the implementations." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the query parameter. - - - Support: Extended (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression QueryParamMatchType has Implementation-specific - conformance, implementations can support POSIX, PCRE or any other - dialects of regular expressions. Please read the implementation's - documentation to determine the supported dialect. + description: "Type specifies how to + match against the value of the query + parameter. \n Support: Extended + (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + QueryParamMatchType has Implementation-specific + conformance, implementations can + support POSIX, PCRE or any other + dialects of regular expressions. + Please read the implementation's + documentation to determine the supported + dialect." enum: - Exact - RegularExpression @@ -2487,10 +2655,11 @@ spec: maxItems: 8 type: array when: - description: |- - Conditions for Authorino to enforce this config. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this + config. If omitted, the config will be enforced for + all requests. If present, all conditions must match + for the config to be enforced; otherwise, the config + will be skipped. items: properties: all: @@ -2508,9 +2677,12 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied + to the content fetched from the authorization + JSON, for comparison with "value". Possible + values are: "eq" (equal to), "neq" (not equal + to), "incl" (includes; for arrays), "excl" (excludes; + for arrays), "matches" (regex)' enum: - eq - neq @@ -2523,44 +2695,52 @@ spec: expressions type: string selector: - description: |- - Path selector to fetch content from the authorization JSON (e.g. 'request.method'). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - Authorino custom JSON path modifiers are also supported. + description: Path selector to fetch content from + the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path modifiers + are also supported. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the + value must compile to a valid Golang regex. type: string type: object type: array required: - http type: object - description: |- - Callback functions. - Authorino sends callbacks at the end of the auth pipeline to the endpoints specified in this config. + description: Callback functions. Authorino sends callbacks + at the end of the auth pipeline to the endpoints specified + in this config. maxProperties: 10 type: object metadata: additionalProperties: properties: cache: - description: |- - Caching options for the resolved object returned when applying this config. - Omit it to avoid caching objects for this config. + description: Caching options for the resolved object + returned when applying this config. Omit it to avoid + caching objects for this config. properties: key: - description: |- - Key used to store the entry in the cache. - The resolved key must be unique within the scope of this particular config. + description: Key used to store the entry in the + cache. The resolved key must be unique within + the scope of this particular config. properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -2580,16 +2760,23 @@ spec: request properties: body: - description: |- - Raw body of the HTTP request. - Supersedes 'bodyParameters'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Raw body of the HTTP request. Supersedes + 'bodyParameters'; use either one or the other. + Use it with method=POST; for GET requests, set + parameters as query string in the 'endpoint' (placeholders + can be used). properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template with + variables that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern supported + by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" ",pos:0}, + @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -2599,33 +2786,43 @@ spec: additionalProperties: properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value x-kubernetes-preserve-unknown-fields: true type: object - description: |- - Custom parameters to encode in the body of the HTTP request. - Superseded by 'body'; use either one or the other. - Use it with method=POST; for GET requests, set parameters as query string in the 'endpoint' (placeholders can be used). + description: Custom parameters to encode in the + body of the HTTP request. Superseded by 'body'; + use either one or the other. Use it with method=POST; + for GET requests, set parameters as query string + in the 'endpoint' (placeholders can be used). type: object contentType: default: application/x-www-form-urlencoded - description: |- - Content-Type of the request body. Shapes how 'bodyParameters' are encoded. - Use it with method=POST; for GET requests, Content-Type is automatically set to 'text/plain'. + description: Content-Type of the request body. Shapes + how 'bodyParameters' are encoded. Use it with + method=POST; for GET requests, Content-Type is + automatically set to 'text/plain'. enum: - application/x-www-form-urlencoded - application/json type: string credentials: - description: |- - Defines where client credentials will be passed in the request to the service. - If omitted, it defaults to client credentials passed in the HTTP Authorization header and the "Bearer" prefix expected prepended to the secret value. + description: Defines where client credentials will + be passed in the request to the service. If omitted, + it defaults to client credentials passed in the + HTTP Authorization header and the "Bearer" prefix + expected prepended to the secret value. properties: authorizationHeader: properties: @@ -2658,10 +2855,16 @@ spec: additionalProperties: properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). Any + pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -2671,9 +2874,10 @@ spec: type: object method: default: GET - description: |- - HTTP verb used in the request to the service. Accepted values: GET (default), POST. - When the request method is POST, the authorization JSON is passed in the body of the request. + description: 'HTTP verb used in the request to the + service. Accepted values: GET (default), POST. + When the request method is POST, the authorization + JSON is passed in the body of the request.' enum: - GET - POST @@ -2691,9 +2895,10 @@ spec: properties: cache: default: true - description: |- - Caches and reuses the token until expired. - Set it to false to force fetch the token at every authorization request regardless of expiration. + description: Caches and reuses the token until + expired. Set it to false to force fetch the + token at every authorization request regardless + of expiration. type: boolean clientId: description: OAuth2 Client ID. @@ -2737,10 +2942,11 @@ spec: - tokenUrl type: object sharedSecretRef: - description: |- - Reference to a Secret key whose value will be passed by Authorino in the request. - The HTTP service can use the shared secret to authenticate the origin of the request. - Ignored if used together with oauth2. + description: Reference to a Secret key whose value + will be passed by Authorino in the request. The + HTTP service can use the shared secret to authenticate + the origin of the request. Ignored if used together + with oauth2. properties: key: description: The key of the secret to select @@ -2755,10 +2961,11 @@ spec: - name type: object url: - description: |- - Endpoint URL of the HTTP service. - The value can include variable placeholders in the format "{selector}", where "selector" is any pattern supported - by https://pkg.go.dev/github.com/tidwall/gjson and selects value from the authorization JSON. + description: Endpoint URL of the HTTP service. The + value can include variable placeholders in the + format "{selector}", where "selector" is any pattern + supported by https://pkg.go.dev/github.com/tidwall/gjson + and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={request.path} type: string required: @@ -2771,113 +2978,115 @@ spec: type: boolean priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All configs + in the same priority group are evaluated concurrently; + consecutive priority groups are evaluated sequentially. type: integer routeSelectors: - description: |- - Top-level route selectors. - If present, the elements will be used to select HTTPRoute rules that, when activated, trigger the auth rule. - At least one selected HTTPRoute rule must match to trigger the auth rule. - If no route selectors are specified, the auth rule will be evaluated at all requests to the protected routes. + description: Top-level route selectors. If present, + the elements will be used to select HTTPRoute rules + that, when activated, trigger the auth rule. At least + one selected HTTPRoute rule must match to trigger + the auth rule. If no route selectors are specified, + the auth rule will be evaluated at all requests to + the protected routes. items: - description: |- - RouteSelector defines semantics for matching an HTTP request based on conditions - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: RouteSelector defines semantics for matching + an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: |- - Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request + description: Hostnames defines a set of hostname + that should match against the HTTP Host header + to select a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - - - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). - - - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. + description: "Hostname is the fully qualified + domain name of a network host. This matches + the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard + label (`*.`). The wildcard label must appear + by itself as the first label. \n Hostname + can be \"precise\" which is a domain name + without the terminating dot of a network host + (e.g. \"foo.example.com\") or \"wildcard\", + which is a domain name prefixed with a single + wildcard label (e.g. `*.example.com`). \n + Note that as per RFC1035 and RFC1123, a *label* + must consist of lower case alphanumeric characters + or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed." maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: |- - Matches define conditions used for matching the rule against incoming HTTP requests. + description: Matches define conditions used for + matching the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate - used to match requests to a given\naction. + used to match requests to a given action. Multiple match types are ANDed together, i.e. - the match will\nevaluate to true only if all - conditions are satisfied.\n\n\nFor example, + the match will evaluate to true only if all + conditions are satisfied. \n For example, the match below will match a HTTP request - only if its path\nstarts with `/foo` AND it - contains the `version: v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t - \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t - \ value \"v1\"\n\n\n```" + only if its path starts with `/foo` AND it + contains the `version: v1` header: \n ``` + match: \n path: value: \"/foo\" headers: - + name: \"version\" value \"v1\" \n ```" properties: headers: - description: |- - Headers specifies HTTP request header matchers. Multiple match values are - ANDed together, meaning, a request must match all the specified headers - to select the route. + description: Headers specifies HTTP request + header matchers. Multiple match values + are ANDed together, meaning, a request + must match all the specified headers to + select the route. items: - description: |- - HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request - headers. + description: HTTPHeaderMatch describes + how to select a HTTP route by matching + HTTP request headers. properties: name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - - - When a header is repeated in an HTTP request, it is - implementation-specific behavior as to how this is represented. - Generally, proxies should follow the guidance from the RFC: - https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding - processing a repeated header, with special handling for "Set-Cookie". + description: "Name is the name of + the HTTP Header to be matched. Name + matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, only the first entry + with an equivalent name MUST be + considered for a match. Subsequent + entries with an equivalent header + name MUST be ignored. Due to the + case-insensitivity of header names, + \"foo\" and \"Foo\" are considered + equivalent. \n When a header is + repeated in an HTTP request, it + is implementation-specific behavior + as to how this is represented. Generally, + proxies should follow the guidance + from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated + header, with special handling for + \"Set-Cookie\"." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the header. - - - Support: Core (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression HeaderMatchType has implementation-specific - conformance, implementations can support POSIX, PCRE or any other dialects - of regular expressions. Please read the implementation's documentation to - determine the supported dialect. + description: "Type specifies how to + match against the value of the header. + \n Support: Core (Exact) \n Support: + Implementation-specific (RegularExpression) + \n Since RegularExpression HeaderMatchType + has implementation-specific conformance, + implementations can support POSIX, + PCRE or any other dialects of regular + expressions. Please read the implementation's + documentation to determine the supported + dialect." enum: - Exact - RegularExpression @@ -2898,13 +3107,10 @@ spec: - name x-kubernetes-list-type: map method: - description: |- - Method specifies HTTP method matcher. - When specified, this route will be matched only if the request has the - specified method. - - - Support: Extended + description: "Method specifies HTTP method + matcher. When specified, this route will + be matched only if the request has the + specified method. \n Support: Extended" enum: - GET - HEAD @@ -2920,20 +3126,17 @@ spec: default: type: PathPrefix value: / - description: |- - Path specifies a HTTP request path matcher. If this field is not - specified, a default prefix match on the "/" path is provided. + description: Path specifies a HTTP request + path matcher. If this field is not specified, + a default prefix match on the "/" path + is provided. properties: type: default: PathPrefix - description: |- - Type specifies how to match against the path Value. - - - Support: Core (Exact, PathPrefix) - - - Support: Implementation-specific (RegularExpression) + description: "Type specifies how to + match against the path Value. \n Support: + Core (Exact, PathPrefix) \n Support: + Implementation-specific (RegularExpression)" enum: - Exact - PathPrefix @@ -2995,60 +3198,61 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: |- - QueryParams specifies HTTP query parameter matchers. Multiple match - values are ANDed together, meaning, a request must match all the - specified query parameters to select the route. - - - Support: Extended + description: "QueryParams specifies HTTP + query parameter matchers. Multiple match + values are ANDed together, meaning, a + request must match all the specified query + parameters to select the route. \n Support: + Extended" items: - description: |- - HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP - query parameters. + description: HTTPQueryParamMatch describes + how to select a HTTP route by matching + HTTP query parameters. properties: name: - description: |- - Name is the name of the HTTP query param to be matched. This must be an - exact string match. (See - https://tools.ietf.org/html/rfc7230#section-2.7.3). - - - If multiple entries specify equivalent query param names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent query param name MUST be ignored. - - - If a query param is repeated in an HTTP request, the behavior is - purposely left undefined, since different data planes have different - capabilities. However, it is *recommended* that implementations should - match against the first value of the param if the data plane supports it, - as this behavior is expected in other load balancing contexts outside of - the Gateway API. - - - Users SHOULD NOT route traffic based on repeated query params to guard - themselves against potential differences in the implementations. + description: "Name is the name of + the HTTP query param to be matched. + This must be an exact string match. + (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent + query param names, only the first + entry with an equivalent name MUST + be considered for a match. Subsequent + entries with an equivalent query + param name MUST be ignored. \n If + a query param is repeated in an + HTTP request, the behavior is purposely + left undefined, since different + data planes have different capabilities. + However, it is *recommended* that + implementations should match against + the first value of the param if + the data plane supports it, as this + behavior is expected in other load + balancing contexts outside of the + Gateway API. \n Users SHOULD NOT + route traffic based on repeated + query params to guard themselves + against potential differences in + the implementations." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the query parameter. - - - Support: Extended (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression QueryParamMatchType has Implementation-specific - conformance, implementations can support POSIX, PCRE or any other - dialects of regular expressions. Please read the implementation's - documentation to determine the supported dialect. + description: "Type specifies how to + match against the value of the query + parameter. \n Support: Extended + (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + QueryParamMatchType has Implementation-specific + conformance, implementations can + support POSIX, PCRE or any other + dialects of regular expressions. + Please read the implementation's + documentation to determine the supported + dialect." enum: - Exact - RegularExpression @@ -3084,17 +3288,18 @@ spec: to the resource registration API of the UMA server. properties: name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' type: string type: object x-kubernetes-map-type: atomic endpoint: - description: |- - The endpoint of the UMA server. - The value must coincide with the "issuer" claim of the UMA config discovered from the well-known uma configuration endpoint. + description: The endpoint of the UMA server. The + value must coincide with the "issuer" claim of + the UMA config discovered from the well-known + uma configuration endpoint. type: string required: - credentialsRef @@ -3113,10 +3318,11 @@ spec: - identitySource type: object when: - description: |- - Conditions for Authorino to enforce this config. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce this + config. If omitted, the config will be enforced for + all requests. If present, all conditions must match + for the config to be enforced; otherwise, the config + will be skipped. items: properties: all: @@ -3134,9 +3340,12 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be applied + to the content fetched from the authorization + JSON, for comparison with "value". Possible + values are: "eq" (equal to), "neq" (not equal + to), "incl" (includes; for arrays), "excl" (excludes; + for arrays), "matches" (regex)' enum: - eq - neq @@ -3149,52 +3358,64 @@ spec: expressions type: string selector: - description: |- - Path selector to fetch content from the authorization JSON (e.g. 'request.method'). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - Authorino custom JSON path modifiers are also supported. + description: Path selector to fetch content from + the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path modifiers + are also supported. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for the comparison + with the content fetched from the authorization + JSON. If used with the "matches" operator, the + value must compile to a valid Golang regex. type: string type: object type: array type: object - description: |- - Metadata sources. - Authorino fetches auth metadata as JSON from sources specified in this config. + description: Metadata sources. Authorino fetches auth metadata + as JSON from sources specified in this config. maxProperties: 10 type: object response: - description: |- - Response items. - Authorino builds custom responses to the client of the auth request. + description: Response items. Authorino builds custom responses + to the client of the auth request. properties: success: - description: |- - Response items to be included in the auth response when the request is authenticated and authorized. - For integration of Authorino via proxy, the proxy must use these settings to propagate dynamic metadata and/or inject data in the request. + description: Response items to be included in the auth + response when the request is authenticated and authorized. + For integration of Authorino via proxy, the proxy must + use these settings to propagate dynamic metadata and/or + inject data in the request. properties: dynamicMetadata: additionalProperties: properties: cache: - description: |- - Caching options for the resolved object returned when applying this config. - Omit it to avoid caching objects for this config. + description: Caching options for the resolved + object returned when applying this config. + Omit it to avoid caching objects for this + config. properties: key: - description: |- - Key used to store the entry in the cache. - The resolved key must be unique within the scope of this particular config. + description: Key used to store the entry + in the cache. The resolved key must be + unique within the scope of this particular + config. properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to + fetch content from the authorization + JSON (e.g. ''request.method'') or + a string template with variables that + resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern + supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino + custom modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode + and @strip.' type: string value: description: Static value @@ -3210,18 +3431,27 @@ spec: - key type: object json: - description: |- - JSON object - Specify it as the list of properties of the object, whose values can combine static values and values selected from the authorization JSON. + description: JSON object Specify it as the list + of properties of the object, whose values + can combine static values and values selected + from the authorization JSON. properties: properties: additionalProperties: properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector + to fetch content from the authorization + JSON (e.g. ''request.method'') or + a string template with variables + that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern + supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino + custom modifiers are supported: + @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode + and @strip.' type: string value: description: Static value @@ -3232,9 +3462,11 @@ spec: - properties type: object key: - description: |- - The key used to add the custom response item (name of the HTTP header or root property of the Dynamic Metadata object). - If omitted, it will be set to the name of the response config. + description: The key used to add the custom + response item (name of the HTTP header or + root property of the Dynamic Metadata object). + If omitted, it will be set to the name of + the response config. type: string metrics: default: false @@ -3245,10 +3477,16 @@ spec: description: Plain text content properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector to fetch + content from the authorization JSON (e.g. + ''request.method'') or a string template + with variables that resolve to patterns + (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino custom + modifiers are supported: @extract:{sep:" + ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, + @base64:encode|decode and @strip.' type: string value: description: Static value @@ -3256,115 +3494,134 @@ spec: type: object priority: default: 0 - description: |- - Priority group of the config. - All configs in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. + description: Priority group of the config. All + configs in the same priority group are evaluated + concurrently; consecutive priority groups + are evaluated sequentially. type: integer routeSelectors: - description: |- - Top-level route selectors. - If present, the elements will be used to select HTTPRoute rules that, when activated, trigger the auth rule. - At least one selected HTTPRoute rule must match to trigger the auth rule. - If no route selectors are specified, the auth rule will be evaluated at all requests to the protected routes. + description: Top-level route selectors. If present, + the elements will be used to select HTTPRoute + rules that, when activated, trigger the auth + rule. At least one selected HTTPRoute rule + must match to trigger the auth rule. If no + route selectors are specified, the auth rule + will be evaluated at all requests to the protected + routes. items: - description: |- - RouteSelector defines semantics for matching an HTTP request based on conditions + description: RouteSelector defines semantics + for matching an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: |- - Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: Hostnames defines a set of + hostname that should match against the + HTTP Host header to select a HTTPRoute + to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - - - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). - - - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. + description: "Hostname is the fully + qualified domain name of a network + host. This matches the RFC 1123 definition + of a hostname with 2 notable exceptions: + \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label + (`*.`). The wildcard label must appear + by itself as the first label. \n Hostname + can be \"precise\" which is a domain + name without the terminating dot of + a network host (e.g. \"foo.example.com\") + or \"wildcard\", which is a domain + name prefixed with a single wildcard + label (e.g. `*.example.com`). \n Note + that as per RFC1035 and RFC1123, a + *label* must consist of lower case + alphanumeric characters or '-', and + must start and end with an alphanumeric + character. No other punctuation is + allowed." maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: |- - Matches define conditions used for matching the rule against incoming HTTP requests. - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: Matches define conditions + used for matching the rule against incoming + HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate used to match requests - to a given\naction. Multiple match + to a given action. Multiple match types are ANDed together, i.e. the - match will\nevaluate to true only - if all conditions are satisfied.\n\n\nFor + match will evaluate to true only if + all conditions are satisfied. \n For example, the match below will match - a HTTP request only if its path\nstarts + a HTTP request only if its path starts with `/foo` AND it contains the `version: - v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t - \ value: \"/foo\"\n\theaders:\n\t- - name: \"version\"\n\t value \"v1\"\n\n\n```" + v1` header: \n ``` match: \n path: + value: \"/foo\" headers: - name: \"version\" + value \"v1\" \n ```" properties: headers: - description: |- - Headers specifies HTTP request header matchers. Multiple match values are - ANDed together, meaning, a request must match all the specified headers - to select the route. + description: Headers specifies HTTP + request header matchers. Multiple + match values are ANDed together, + meaning, a request must match + all the specified headers to select + the route. items: - description: |- - HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request - headers. + description: HTTPHeaderMatch describes + how to select a HTTP route by + matching HTTP request headers. properties: name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - - - When a header is repeated in an HTTP request, it is - implementation-specific behavior as to how this is represented. - Generally, proxies should follow the guidance from the RFC: - https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding - processing a repeated header, with special handling for "Set-Cookie". + description: "Name is the + name of the HTTP Header + to be matched. Name matching + MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify + equivalent header names, + only the first entry with + an equivalent name MUST + be considered for a match. + Subsequent entries with + an equivalent header name + MUST be ignored. Due to + the case-insensitivity of + header names, \"foo\" and + \"Foo\" are considered equivalent. + \n When a header is repeated + in an HTTP request, it is + implementation-specific + behavior as to how this + is represented. Generally, + proxies should follow the + guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated + header, with special handling + for \"Set-Cookie\"." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the header. - - - Support: Core (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression HeaderMatchType has implementation-specific - conformance, implementations can support POSIX, PCRE or any other dialects - of regular expressions. Please read the implementation's documentation to - determine the supported dialect. + description: "Type specifies + how to match against the + value of the header. \n + Support: Core (Exact) \n + Support: Implementation-specific + (RegularExpression) \n Since + RegularExpression HeaderMatchType + has implementation-specific + conformance, implementations + can support POSIX, PCRE + or any other dialects of + regular expressions. Please + read the implementation's + documentation to determine + the supported dialect." enum: - Exact - RegularExpression @@ -3386,13 +3643,11 @@ spec: - name x-kubernetes-list-type: map method: - description: |- - Method specifies HTTP method matcher. - When specified, this route will be matched only if the request has the - specified method. - - - Support: Extended + description: "Method specifies HTTP + method matcher. When specified, + this route will be matched only + if the request has the specified + method. \n Support: Extended" enum: - GET - HEAD @@ -3408,20 +3663,19 @@ spec: default: type: PathPrefix value: / - description: |- - Path specifies a HTTP request path matcher. If this field is not - specified, a default prefix match on the "/" path is provided. + description: Path specifies a HTTP + request path matcher. If this + field is not specified, a default + prefix match on the "/" path is + provided. properties: type: default: PathPrefix - description: |- - Type specifies how to match against the path Value. - - - Support: Core (Exact, PathPrefix) - - - Support: Implementation-specific (RegularExpression) + description: "Type specifies + how to match against the path + Value. \n Support: Core (Exact, + PathPrefix) \n Support: Implementation-specific + (RegularExpression)" enum: - Exact - PathPrefix @@ -3492,60 +3746,73 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: |- - QueryParams specifies HTTP query parameter matchers. Multiple match - values are ANDed together, meaning, a request must match all the - specified query parameters to select the route. - - - Support: Extended + description: "QueryParams specifies + HTTP query parameter matchers. + Multiple match values are ANDed + together, meaning, a request must + match all the specified query + parameters to select the route. + \n Support: Extended" items: - description: |- - HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP - query parameters. + description: HTTPQueryParamMatch + describes how to select a HTTP + route by matching HTTP query + parameters. properties: name: - description: |- - Name is the name of the HTTP query param to be matched. This must be an - exact string match. (See - https://tools.ietf.org/html/rfc7230#section-2.7.3). - - - If multiple entries specify equivalent query param names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent query param name MUST be ignored. - - - If a query param is repeated in an HTTP request, the behavior is - purposely left undefined, since different data planes have different - capabilities. However, it is *recommended* that implementations should - match against the first value of the param if the data plane supports it, - as this behavior is expected in other load balancing contexts outside of - the Gateway API. - - - Users SHOULD NOT route traffic based on repeated query params to guard - themselves against potential differences in the implementations. + description: "Name is the + name of the HTTP query param + to be matched. This must + be an exact string match. + (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify + equivalent query param names, + only the first entry with + an equivalent name MUST + be considered for a match. + Subsequent entries with + an equivalent query param + name MUST be ignored. \n + If a query param is repeated + in an HTTP request, the + behavior is purposely left + undefined, since different + data planes have different + capabilities. However, it + is *recommended* that implementations + should match against the + first value of the param + if the data plane supports + it, as this behavior is + expected in other load balancing + contexts outside of the + Gateway API. \n Users SHOULD + NOT route traffic based + on repeated query params + to guard themselves against + potential differences in + the implementations." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the query parameter. - - - Support: Extended (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression QueryParamMatchType has Implementation-specific - conformance, implementations can support POSIX, PCRE or any other - dialects of regular expressions. Please read the implementation's - documentation to determine the supported dialect. + description: "Type specifies + how to match against the + value of the query parameter. + \n Support: Extended (Exact) + \n Support: Implementation-specific + (RegularExpression) \n Since + RegularExpression QueryParamMatchType + has Implementation-specific + conformance, implementations + can support POSIX, PCRE + or any other dialects of + regular expressions. Please + read the implementation's + documentation to determine + the supported dialect." enum: - Exact - RegularExpression @@ -3573,10 +3840,11 @@ spec: maxItems: 8 type: array when: - description: |- - Conditions for Authorino to enforce this config. - If omitted, the config will be enforced for all requests. - If present, all conditions must match for the config to be enforced; otherwise, the config will be skipped. + description: Conditions for Authorino to enforce + this config. If omitted, the config will be + enforced for all requests. If present, all + conditions must match for the config to be + enforced; otherwise, the config will be skipped. items: properties: all: @@ -3594,9 +3862,13 @@ spec: x-kubernetes-preserve-unknown-fields: true type: array operator: - description: |- - The binary operator to be applied to the content fetched from the authorization JSON, for comparison with "value". - Possible values are: "eq" (equal to), "neq" (not equal to), "incl" (includes; for arrays), "excl" (excludes; for arrays), "matches" (regex) + description: 'The binary operator to be + applied to the content fetched from + the authorization JSON, for comparison + with "value". Possible values are: "eq" + (equal to), "neq" (not equal to), "incl" + (includes; for arrays), "excl" (excludes; + for arrays), "matches" (regex)' enum: - eq - neq @@ -3609,15 +3881,18 @@ spec: of pattern expressions type: string selector: - description: |- - Path selector to fetch content from the authorization JSON (e.g. 'request.method'). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - Authorino custom JSON path modifiers are also supported. + description: Path selector to fetch content + from the authorization JSON (e.g. 'request.method'). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. Authorino custom JSON path + modifiers are also supported. type: string value: - description: |- - The value of reference for the comparison with the content fetched from the authorization JSON. - If used with the "matches" operator, the value must compile to a valid Golang regex. + description: The value of reference for + the comparison with the content fetched + from the authorization JSON. If used + with the "matches" operator, the value + must compile to a valid Golang regex. type: string type: object type: array @@ -3628,10 +3903,18 @@ spec: additionalProperties: properties: selector: - description: |- - Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). - Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. - The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + description: 'Simple path selector + to fetch content from the authorization + JSON (e.g. ''request.method'') or + a string template with variables + that resolve to patterns (e.g. "Hello, + {auth.identity.name}!"). Any pattern + supported by https://pkg.go.dev/github.com/tidwall/gjson + can be used. The following Authorino + custom modifiers are supported: + @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, + @case:upper|lower, @base64:encode|decode + and @strip.' type: string value: description: Static value @@ -3648,9 +3931,11 @@ spec: = / = / = / = /// matches that of any node on which - a pod of the set of pods is running + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not + co-located (anti-affinity) with, where co-located + is defined as running on a node whose value of the + label with key matches that of any node + on which a pod of the set of pods is running properties: labelSelector: description: A label query over a set of resources, @@ -421,24 +464,28 @@ spec: selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic merge patch. items: type: string @@ -451,44 +498,51 @@ spec: matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic merge patch. items: type: string @@ -501,29 +555,33 @@ spec: matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey @@ -536,16 +594,18 @@ spec: as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. + description: The scheduler will prefer to schedule pods + to nodes that satisfy the anti-affinity expressions + specified by this field, but it may choose a node that + violates one or more of the expressions. The node that + is most preferred is the one with the greatest sum of + weights, i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + anti-affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum are + the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred @@ -564,25 +624,30 @@ spec: of label selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. items: type: string type: array @@ -594,45 +659,53 @@ spec: matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. items: type: string type: array @@ -644,37 +717,42 @@ spec: matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". items: type: string type: array topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. + description: weight associated with matching the + corresponding podAffinityTerm, in the range 1-100. format: int32 type: integer required: @@ -683,22 +761,23 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. + description: If the anti-affinity requirements specified + by this field are not met at scheduling time, the pod + will not be scheduled onto the node. If the anti-affinity + requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod + label update), the system may or may not try to eventually + evict the pod from its node. When there are multiple + elements, the lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not + co-located (anti-affinity) with, where co-located + is defined as running on a node whose value of the + label with key matches that of any node + on which a pod of the set of pods is running properties: labelSelector: description: A label query over a set of resources, @@ -709,24 +788,28 @@ spec: selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic merge patch. items: type: string @@ -739,44 +822,51 @@ spec: matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic merge patch. items: type: string @@ -789,29 +879,33 @@ spec: matchLabels: additionalProperties: type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey @@ -825,21 +919,20 @@ spec: anyOf: - type: integer - type: string - description: |- - An eviction is allowed if at most "maxUnavailable" limitador pods - are unavailable after the eviction, i.e. even in absence of - the evicted pod. For example, one can prevent all voluntary evictions - by specifying 0. This is a mutually exclusive setting with "minAvailable". + description: An eviction is allowed if at most "maxUnavailable" + limitador pods are unavailable after the eviction, i.e. + even in absence of the evicted pod. For example, one can + prevent all voluntary evictions by specifying 0. This is + a mutually exclusive setting with "minAvailable". x-kubernetes-int-or-string: true minAvailable: anyOf: - type: integer - type: string - description: |- - An eviction is allowed if at least "minAvailable" limitador pods will - still be available after the eviction, i.e. even in the absence of - the evicted pod. So for example you can prevent all voluntary - evictions by specifying "100%". + description: An eviction is allowed if at least "minAvailable" + limitador pods will still be available after the eviction, + i.e. even in the absence of the evicted pod. So for example + you can prevent all voluntary evictions by specifying "100%". x-kubernetes-int-or-string: true type: object replicas: @@ -849,24 +942,19 @@ spec: requirements. properties: claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - - This field is immutable. It can only be set for containers. + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only be + set for containers." items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. type: string required: - name @@ -882,9 +970,8 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: @@ -893,11 +980,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. Requests cannot exceed + Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object storage: @@ -916,18 +1003,17 @@ spec: persistentVolumeClaim: properties: resources: - description: |- - Resources represents the minimum resources the volume should have. - Ignored when VolumeName field is set + description: Resources represents the minimum resources + the volume should have. Ignored when VolumeName + field is set properties: requests: anyOf: - type: integer - type: string - description: |- - Storage Resource requests to be used on the PersistentVolumeClaim. - To learn more about resource requests see: - https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + description: 'Storage Resource requests to be + used on the PersistentVolumeClaim. To learn + more about resource requests see: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true required: @@ -944,15 +1030,14 @@ spec: redis: properties: configSecretRef: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. + description: LocalObjectReference contains enough information + to let you locate the referenced object inside the same + namespace. properties: name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' type: string type: object x-kubernetes-map-type: atomic @@ -960,15 +1045,14 @@ spec: redis-cached: properties: configSecretRef: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. + description: LocalObjectReference contains enough information + to let you locate the referenced object inside the same + namespace. properties: name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' type: string type: object x-kubernetes-map-type: atomic @@ -999,47 +1083,46 @@ spec: description: KuadrantStatus defines the observed state of Kuadrant properties: conditions: - description: |- - Represents the observations of a foo's current state. - Known .status.conditions.type are: "Available" + description: 'Represents the observations of a foo''s current state. + Known .status.conditions.type are: "Available"' items: description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" properties: lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. format: date-time type: string message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. + description: message is a human readable message indicating + details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. format: int64 minimum: 0 type: integer reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -1053,12 +1136,11 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/config/crd/bases/kuadrant.io_ratelimitpolicies.yaml b/config/crd/bases/kuadrant.io_ratelimitpolicies.yaml index 95cebf811..8c88eb5a9 100644 --- a/config/crd/bases/kuadrant.io_ratelimitpolicies.yaml +++ b/config/crd/bases/kuadrant.io_ratelimitpolicies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.13.0 labels: gateway.networking.k8s.io/policy: inherited name: ratelimitpolicies.kuadrant.io @@ -47,19 +47,14 @@ spec: a Gateway API network properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -67,25 +62,24 @@ spec: description: RateLimitPolicySpec defines the desired state of RateLimitPolicy properties: defaults: - description: |- - Defaults define explicit default values for this policy and for policies inheriting this policy. - Defaults are mutually exclusive with implicit defaults defined by RateLimitPolicyCommonSpec. + description: Defaults define explicit default values for this policy + and for policies inheriting this policy. Defaults are mutually exclusive + with implicit defaults defined by RateLimitPolicyCommonSpec. properties: limits: additionalProperties: description: Limit represents a complete rate limit configuration properties: counters: - description: |- - Counters defines additional rate limit counters based on context qualifiers and well known selectors - TODO Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors + description: Counters defines additional rate limit counters + based on context qualifiers and well known selectors TODO + Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors items: - description: |- - ContextSelector defines one item from the well known attributes - Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes + description: 'ContextSelector defines one item from the + well known attributes Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes Well-known selectors: https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors They are named by a dot-separated path (e.g. request.path) - Example: "request.path" -> The path portion of the URL + Example: "request.path" -> The path portion of the URL' maxLength: 253 minLength: 1 type: string @@ -105,9 +99,8 @@ spec: a given period of time type: integer unit: - description: |- - Duration defines the time uni - Possible values are: "second", "minute", "hour", "day" + description: 'Duration defines the time uni Possible + values are: "second", "minute", "hour", "day"' enum: - second - minute @@ -124,102 +117,92 @@ spec: description: RouteSelectors defines semantics for matching an HTTP request based on conditions items: - description: |- - RouteSelector defines semantics for matching an HTTP request based on conditions - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: RouteSelector defines semantics for matching + an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: |- - Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: Hostnames defines a set of hostname that + should match against the HTTP Host header to select + a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - - - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). - - - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. + description: "Hostname is the fully qualified domain + name of a network host. This matches the RFC 1123 + definition of a hostname with 2 notable exceptions: + \n 1. IPs are not allowed. 2. A hostname may be + prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + \n Hostname can be \"precise\" which is a domain + name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", + which is a domain name prefixed with a single + wildcard label (e.g. `*.example.com`). \n Note + that as per RFC1035 and RFC1123, a *label* must + consist of lower case alphanumeric characters + or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed." maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: |- - Matches define conditions used for matching the rule against incoming HTTP requests. - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: Matches define conditions used for matching + the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate - used to match requests to a given\naction. Multiple + used to match requests to a given action. Multiple match types are ANDed together, i.e. the match - will\nevaluate to true only if all conditions - are satisfied.\n\n\nFor example, the match below - will match a HTTP request only if its path\nstarts - with `/foo` AND it contains the `version: v1` - header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t value: - \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t - \ value \"v1\"\n\n\n```" + will evaluate to true only if all conditions are + satisfied. \n For example, the match below will + match a HTTP request only if its path starts with + `/foo` AND it contains the `version: v1` header: + \n ``` match: \n path: value: \"/foo\" headers: + - name: \"version\" value \"v1\" \n ```" properties: headers: - description: |- - Headers specifies HTTP request header matchers. Multiple match values are - ANDed together, meaning, a request must match all the specified headers - to select the route. + description: Headers specifies HTTP request + header matchers. Multiple match values are + ANDed together, meaning, a request must match + all the specified headers to select the route. items: - description: |- - HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request - headers. + description: HTTPHeaderMatch describes how + to select a HTTP route by matching HTTP + request headers. properties: name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - - - When a header is repeated in an HTTP request, it is - implementation-specific behavior as to how this is represented. - Generally, proxies should follow the guidance from the RFC: - https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding - processing a repeated header, with special handling for "Set-Cookie". + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, only the first entry with + an equivalent name MUST be considered + for a match. Subsequent entries with + an equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent. \n When a header is repeated + in an HTTP request, it is implementation-specific + behavior as to how this is represented. + Generally, proxies should follow the + guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, + with special handling for \"Set-Cookie\"." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the header. - - - Support: Core (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression HeaderMatchType has implementation-specific - conformance, implementations can support POSIX, PCRE or any other dialects - of regular expressions. Please read the implementation's documentation to - determine the supported dialect. + description: "Type specifies how to match + against the value of the header. \n + Support: Core (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + HeaderMatchType has implementation-specific + conformance, implementations can support + POSIX, PCRE or any other dialects of + regular expressions. Please read the + implementation's documentation to determine + the supported dialect." enum: - Exact - RegularExpression @@ -240,13 +223,10 @@ spec: - name x-kubernetes-list-type: map method: - description: |- - Method specifies HTTP method matcher. - When specified, this route will be matched only if the request has the - specified method. - - - Support: Extended + description: "Method specifies HTTP method matcher. + When specified, this route will be matched + only if the request has the specified method. + \n Support: Extended" enum: - GET - HEAD @@ -262,20 +242,16 @@ spec: default: type: PathPrefix value: / - description: |- - Path specifies a HTTP request path matcher. If this field is not - specified, a default prefix match on the "/" path is provided. + description: Path specifies a HTTP request path + matcher. If this field is not specified, a + default prefix match on the "/" path is provided. properties: type: default: PathPrefix - description: |- - Type specifies how to match against the path Value. - - - Support: Core (Exact, PathPrefix) - - - Support: Implementation-specific (RegularExpression) + description: "Type specifies how to match + against the path Value. \n Support: Core + (Exact, PathPrefix) \n Support: Implementation-specific + (RegularExpression)" enum: - Exact - PathPrefix @@ -337,60 +313,55 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: |- - QueryParams specifies HTTP query parameter matchers. Multiple match - values are ANDed together, meaning, a request must match all the - specified query parameters to select the route. - - - Support: Extended + description: "QueryParams specifies HTTP query + parameter matchers. Multiple match values + are ANDed together, meaning, a request must + match all the specified query parameters to + select the route. \n Support: Extended" items: - description: |- - HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP + description: HTTPQueryParamMatch describes + how to select a HTTP route by matching HTTP query parameters. properties: name: - description: |- - Name is the name of the HTTP query param to be matched. This must be an - exact string match. (See + description: "Name is the name of the + HTTP query param to be matched. This + must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). - - - If multiple entries specify equivalent query param names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent query param name MUST be ignored. - - - If a query param is repeated in an HTTP request, the behavior is - purposely left undefined, since different data planes have different - capabilities. However, it is *recommended* that implementations should - match against the first value of the param if the data plane supports it, - as this behavior is expected in other load balancing contexts outside of - the Gateway API. - - - Users SHOULD NOT route traffic based on repeated query params to guard - themselves against potential differences in the implementations. + \n If multiple entries specify equivalent + query param names, only the first entry + with an equivalent name MUST be considered + for a match. Subsequent entries with + an equivalent query param name MUST + be ignored. \n If a query param is repeated + in an HTTP request, the behavior is + purposely left undefined, since different + data planes have different capabilities. + However, it is *recommended* that implementations + should match against the first value + of the param if the data plane supports + it, as this behavior is expected in + other load balancing contexts outside + of the Gateway API. \n Users SHOULD + NOT route traffic based on repeated + query params to guard themselves against + potential differences in the implementations." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the query parameter. - - - Support: Extended (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression QueryParamMatchType has Implementation-specific - conformance, implementations can support POSIX, PCRE or any other - dialects of regular expressions. Please read the implementation's - documentation to determine the supported dialect. + description: "Type specifies how to match + against the value of the query parameter. + \n Support: Extended (Exact) \n Support: + Implementation-specific (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has Implementation-specific conformance, + implementations can support POSIX, PCRE + or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." enum: - Exact - RegularExpression @@ -417,18 +388,17 @@ spec: maxItems: 15 type: array when: - description: |- - When holds the list of conditions for the policy to be enforced. - Called also "soft" conditions as route selectors must also match + description: When holds the list of conditions for the policy + to be enforced. Called also "soft" conditions as route + selectors must also match items: - description: |- - RouteSelector defines semantics for matching an HTTP request based on conditions - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: RouteSelector defines semantics for matching + an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: operator: - description: |- - The binary operator to be applied to the content fetched from the selector - Possible values are: "eq" (equal to), "neq" (not equal to) + description: 'The binary operator to be applied to + the content fetched from the selector Possible values + are: "eq" (equal to), "neq" (not equal to)' enum: - eq - neq @@ -439,9 +409,9 @@ spec: - matches type: string selector: - description: |- - Selector defines one item from the well known selectors - TODO Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors + description: Selector defines one item from the well + known selectors TODO Document properly "Well-known + selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors maxLength: 253 minLength: 1 type: string @@ -465,16 +435,15 @@ spec: description: Limit represents a complete rate limit configuration properties: counters: - description: |- - Counters defines additional rate limit counters based on context qualifiers and well known selectors - TODO Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors + description: Counters defines additional rate limit counters + based on context qualifiers and well known selectors TODO + Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors items: - description: |- - ContextSelector defines one item from the well known attributes - Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes + description: 'ContextSelector defines one item from the well + known attributes Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes Well-known selectors: https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors They are named by a dot-separated path (e.g. request.path) - Example: "request.path" -> The path portion of the URL + Example: "request.path" -> The path portion of the URL' maxLength: 253 minLength: 1 type: string @@ -494,9 +463,8 @@ spec: given period of time type: integer unit: - description: |- - Duration defines the time uni - Possible values are: "second", "minute", "hour", "day" + description: 'Duration defines the time uni Possible values + are: "second", "minute", "hour", "day"' enum: - second - minute @@ -513,101 +481,91 @@ spec: description: RouteSelectors defines semantics for matching an HTTP request based on conditions items: - description: |- - RouteSelector defines semantics for matching an HTTP request based on conditions - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: RouteSelector defines semantics for matching + an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: |- - Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: Hostnames defines a set of hostname that + should match against the HTTP Host header to select + a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - - - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). - - - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. + description: "Hostname is the fully qualified domain + name of a network host. This matches the RFC 1123 + definition of a hostname with 2 notable exceptions: + \n 1. IPs are not allowed. 2. A hostname may be prefixed + with a wildcard label (`*.`). The wildcard label must + appear by itself as the first label. \n Hostname can + be \"precise\" which is a domain name without the + terminating dot of a network host (e.g. \"foo.example.com\") + or \"wildcard\", which is a domain name prefixed with + a single wildcard label (e.g. `*.example.com`). \n + Note that as per RFC1035 and RFC1123, a *label* must + consist of lower case alphanumeric characters or '-', + and must start and end with an alphanumeric character. + No other punctuation is allowed." maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: |- - Matches define conditions used for matching the rule against incoming HTTP requests. - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: Matches define conditions used for matching + the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate used - to match requests to a given\naction. Multiple match - types are ANDed together, i.e. the match will\nevaluate - to true only if all conditions are satisfied.\n\n\nFor + to match requests to a given action. Multiple match + types are ANDed together, i.e. the match will evaluate + to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request - only if its path\nstarts with `/foo` AND it contains - the `version: v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t - \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t - \ value \"v1\"\n\n\n```" + only if its path starts with `/foo` AND it contains + the `version: v1` header: \n ``` match: \n path: value: + \"/foo\" headers: - name: \"version\" value \"v1\" + \n ```" properties: headers: - description: |- - Headers specifies HTTP request header matchers. Multiple match values are - ANDed together, meaning, a request must match all the specified headers - to select the route. + description: Headers specifies HTTP request header + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified + headers to select the route. items: - description: |- - HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request + description: HTTPHeaderMatch describes how to + select a HTTP route by matching HTTP request headers. properties: name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - - - When a header is repeated in an HTTP request, it is - implementation-specific behavior as to how this is represented. - Generally, proxies should follow the guidance from the RFC: - https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding - processing a repeated header, with special handling for "Set-Cookie". + description: "Name is the name of the HTTP + Header to be matched. Name matching MUST + be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, only the first entry with + an equivalent name MUST be considered for + a match. Subsequent entries with an equivalent + header name MUST be ignored. Due to the + case-insensitivity of header names, \"foo\" + and \"Foo\" are considered equivalent. \n + When a header is repeated in an HTTP request, + it is implementation-specific behavior as + to how this is represented. Generally, proxies + should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, + with special handling for \"Set-Cookie\"." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the header. - - - Support: Core (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression HeaderMatchType has implementation-specific - conformance, implementations can support POSIX, PCRE or any other dialects - of regular expressions. Please read the implementation's documentation to - determine the supported dialect. + description: "Type specifies how to match + against the value of the header. \n Support: + Core (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + HeaderMatchType has implementation-specific + conformance, implementations can support + POSIX, PCRE or any other dialects of regular + expressions. Please read the implementation's + documentation to determine the supported + dialect." enum: - Exact - RegularExpression @@ -628,13 +586,10 @@ spec: - name x-kubernetes-list-type: map method: - description: |- - Method specifies HTTP method matcher. - When specified, this route will be matched only if the request has the - specified method. - - - Support: Extended + description: "Method specifies HTTP method matcher. + When specified, this route will be matched only + if the request has the specified method. \n Support: + Extended" enum: - GET - HEAD @@ -650,20 +605,15 @@ spec: default: type: PathPrefix value: / - description: |- - Path specifies a HTTP request path matcher. If this field is not - specified, a default prefix match on the "/" path is provided. + description: Path specifies a HTTP request path + matcher. If this field is not specified, a default + prefix match on the "/" path is provided. properties: type: default: PathPrefix - description: |- - Type specifies how to match against the path Value. - - - Support: Core (Exact, PathPrefix) - - - Support: Implementation-specific (RegularExpression) + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Implementation-specific (RegularExpression)" enum: - Exact - PathPrefix @@ -724,60 +674,53 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: |- - QueryParams specifies HTTP query parameter matchers. Multiple match - values are ANDed together, meaning, a request must match all the - specified query parameters to select the route. - - - Support: Extended + description: "QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified + query parameters to select the route. \n Support: + Extended" items: - description: |- - HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP - query parameters. + description: HTTPQueryParamMatch describes how + to select a HTTP route by matching HTTP query + parameters. properties: name: - description: |- - Name is the name of the HTTP query param to be matched. This must be an - exact string match. (See - https://tools.ietf.org/html/rfc7230#section-2.7.3). - - - If multiple entries specify equivalent query param names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent query param name MUST be ignored. - - - If a query param is repeated in an HTTP request, the behavior is - purposely left undefined, since different data planes have different - capabilities. However, it is *recommended* that implementations should - match against the first value of the param if the data plane supports it, - as this behavior is expected in other load balancing contexts outside of - the Gateway API. - - - Users SHOULD NOT route traffic based on repeated query params to guard - themselves against potential differences in the implementations. + description: "Name is the name of the HTTP + query param to be matched. This must be + an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent + query param names, only the first entry + with an equivalent name MUST be considered + for a match. Subsequent entries with an + equivalent query param name MUST be ignored. + \n If a query param is repeated in an HTTP + request, the behavior is purposely left + undefined, since different data planes have + different capabilities. However, it is *recommended* + that implementations should match against + the first value of the param if the data + plane supports it, as this behavior is expected + in other load balancing contexts outside + of the Gateway API. \n Users SHOULD NOT + route traffic based on repeated query params + to guard themselves against potential differences + in the implementations." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the query parameter. - - - Support: Extended (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression QueryParamMatchType has Implementation-specific - conformance, implementations can support POSIX, PCRE or any other - dialects of regular expressions. Please read the implementation's - documentation to determine the supported dialect. + description: "Type specifies how to match + against the value of the query parameter. + \n Support: Extended (Exact) \n Support: + Implementation-specific (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has Implementation-specific conformance, + implementations can support POSIX, PCRE + or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." enum: - Exact - RegularExpression @@ -804,18 +747,17 @@ spec: maxItems: 15 type: array when: - description: |- - When holds the list of conditions for the policy to be enforced. - Called also "soft" conditions as route selectors must also match + description: When holds the list of conditions for the policy + to be enforced. Called also "soft" conditions as route selectors + must also match items: - description: |- - RouteSelector defines semantics for matching an HTTP request based on conditions - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: RouteSelector defines semantics for matching + an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: operator: - description: |- - The binary operator to be applied to the content fetched from the selector - Possible values are: "eq" (equal to), "neq" (not equal to) + description: 'The binary operator to be applied to the + content fetched from the selector Possible values are: + "eq" (equal to), "neq" (not equal to)' enum: - eq - neq @@ -826,9 +768,9 @@ spec: - matches type: string selector: - description: |- - Selector defines one item from the well known selectors - TODO Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors + description: Selector defines one item from the well known + selectors TODO Document properly "Well-known selector" + https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors maxLength: 253 minLength: 1 type: string @@ -847,25 +789,24 @@ spec: maxProperties: 14 type: object overrides: - description: |- - Overrides define override values for this policy and for policies inheriting this policy. - Overrides are mutually exclusive with implicit defaults and explicit Defaults defined by RateLimitPolicyCommonSpec. + description: Overrides define override values for this policy and + for policies inheriting this policy. Overrides are mutually exclusive + with implicit defaults and explicit Defaults defined by RateLimitPolicyCommonSpec. properties: limits: additionalProperties: description: Limit represents a complete rate limit configuration properties: counters: - description: |- - Counters defines additional rate limit counters based on context qualifiers and well known selectors - TODO Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors + description: Counters defines additional rate limit counters + based on context qualifiers and well known selectors TODO + Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors items: - description: |- - ContextSelector defines one item from the well known attributes - Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes + description: 'ContextSelector defines one item from the + well known attributes Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes Well-known selectors: https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors They are named by a dot-separated path (e.g. request.path) - Example: "request.path" -> The path portion of the URL + Example: "request.path" -> The path portion of the URL' maxLength: 253 minLength: 1 type: string @@ -885,9 +826,8 @@ spec: a given period of time type: integer unit: - description: |- - Duration defines the time uni - Possible values are: "second", "minute", "hour", "day" + description: 'Duration defines the time uni Possible + values are: "second", "minute", "hour", "day"' enum: - second - minute @@ -904,102 +844,92 @@ spec: description: RouteSelectors defines semantics for matching an HTTP request based on conditions items: - description: |- - RouteSelector defines semantics for matching an HTTP request based on conditions - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: RouteSelector defines semantics for matching + an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: hostnames: - description: |- - Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: Hostnames defines a set of hostname that + should match against the HTTP Host header to select + a HTTPRoute to process the request https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: - description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - - - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. "foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). - - - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. + description: "Hostname is the fully qualified domain + name of a network host. This matches the RFC 1123 + definition of a hostname with 2 notable exceptions: + \n 1. IPs are not allowed. 2. A hostname may be + prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + \n Hostname can be \"precise\" which is a domain + name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", + which is a domain name prefixed with a single + wildcard label (e.g. `*.example.com`). \n Note + that as per RFC1035 and RFC1123, a *label* must + consist of lower case alphanumeric characters + or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed." maxLength: 253 minLength: 1 pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string type: array matches: - description: |- - Matches define conditions used for matching the rule against incoming HTTP requests. - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: Matches define conditions used for matching + the rule against incoming HTTP requests. https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec items: description: "HTTPRouteMatch defines the predicate - used to match requests to a given\naction. Multiple + used to match requests to a given action. Multiple match types are ANDed together, i.e. the match - will\nevaluate to true only if all conditions - are satisfied.\n\n\nFor example, the match below - will match a HTTP request only if its path\nstarts - with `/foo` AND it contains the `version: v1` - header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t value: - \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t - \ value \"v1\"\n\n\n```" + will evaluate to true only if all conditions are + satisfied. \n For example, the match below will + match a HTTP request only if its path starts with + `/foo` AND it contains the `version: v1` header: + \n ``` match: \n path: value: \"/foo\" headers: + - name: \"version\" value \"v1\" \n ```" properties: headers: - description: |- - Headers specifies HTTP request header matchers. Multiple match values are - ANDed together, meaning, a request must match all the specified headers - to select the route. + description: Headers specifies HTTP request + header matchers. Multiple match values are + ANDed together, meaning, a request must match + all the specified headers to select the route. items: - description: |- - HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request - headers. + description: HTTPHeaderMatch describes how + to select a HTTP route by matching HTTP + request headers. properties: name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - - - When a header is repeated in an HTTP request, it is - implementation-specific behavior as to how this is represented. - Generally, proxies should follow the guidance from the RFC: - https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding - processing a repeated header, with special handling for "Set-Cookie". + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, only the first entry with + an equivalent name MUST be considered + for a match. Subsequent entries with + an equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent. \n When a header is repeated + in an HTTP request, it is implementation-specific + behavior as to how this is represented. + Generally, proxies should follow the + guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, + with special handling for \"Set-Cookie\"." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the header. - - - Support: Core (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression HeaderMatchType has implementation-specific - conformance, implementations can support POSIX, PCRE or any other dialects - of regular expressions. Please read the implementation's documentation to - determine the supported dialect. + description: "Type specifies how to match + against the value of the header. \n + Support: Core (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + HeaderMatchType has implementation-specific + conformance, implementations can support + POSIX, PCRE or any other dialects of + regular expressions. Please read the + implementation's documentation to determine + the supported dialect." enum: - Exact - RegularExpression @@ -1020,13 +950,10 @@ spec: - name x-kubernetes-list-type: map method: - description: |- - Method specifies HTTP method matcher. - When specified, this route will be matched only if the request has the - specified method. - - - Support: Extended + description: "Method specifies HTTP method matcher. + When specified, this route will be matched + only if the request has the specified method. + \n Support: Extended" enum: - GET - HEAD @@ -1042,20 +969,16 @@ spec: default: type: PathPrefix value: / - description: |- - Path specifies a HTTP request path matcher. If this field is not - specified, a default prefix match on the "/" path is provided. + description: Path specifies a HTTP request path + matcher. If this field is not specified, a + default prefix match on the "/" path is provided. properties: type: default: PathPrefix - description: |- - Type specifies how to match against the path Value. - - - Support: Core (Exact, PathPrefix) - - - Support: Implementation-specific (RegularExpression) + description: "Type specifies how to match + against the path Value. \n Support: Core + (Exact, PathPrefix) \n Support: Implementation-specific + (RegularExpression)" enum: - Exact - PathPrefix @@ -1117,60 +1040,55 @@ spec: ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") : true' queryParams: - description: |- - QueryParams specifies HTTP query parameter matchers. Multiple match - values are ANDed together, meaning, a request must match all the - specified query parameters to select the route. - - - Support: Extended + description: "QueryParams specifies HTTP query + parameter matchers. Multiple match values + are ANDed together, meaning, a request must + match all the specified query parameters to + select the route. \n Support: Extended" items: - description: |- - HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP + description: HTTPQueryParamMatch describes + how to select a HTTP route by matching HTTP query parameters. properties: name: - description: |- - Name is the name of the HTTP query param to be matched. This must be an - exact string match. (See + description: "Name is the name of the + HTTP query param to be matched. This + must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). - - - If multiple entries specify equivalent query param names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent query param name MUST be ignored. - - - If a query param is repeated in an HTTP request, the behavior is - purposely left undefined, since different data planes have different - capabilities. However, it is *recommended* that implementations should - match against the first value of the param if the data plane supports it, - as this behavior is expected in other load balancing contexts outside of - the Gateway API. - - - Users SHOULD NOT route traffic based on repeated query params to guard - themselves against potential differences in the implementations. + \n If multiple entries specify equivalent + query param names, only the first entry + with an equivalent name MUST be considered + for a match. Subsequent entries with + an equivalent query param name MUST + be ignored. \n If a query param is repeated + in an HTTP request, the behavior is + purposely left undefined, since different + data planes have different capabilities. + However, it is *recommended* that implementations + should match against the first value + of the param if the data plane supports + it, as this behavior is expected in + other load balancing contexts outside + of the Gateway API. \n Users SHOULD + NOT route traffic based on repeated + query params to guard themselves against + potential differences in the implementations." maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: default: Exact - description: |- - Type specifies how to match against the value of the query parameter. - - - Support: Extended (Exact) - - - Support: Implementation-specific (RegularExpression) - - - Since RegularExpression QueryParamMatchType has Implementation-specific - conformance, implementations can support POSIX, PCRE or any other - dialects of regular expressions. Please read the implementation's - documentation to determine the supported dialect. + description: "Type specifies how to match + against the value of the query parameter. + \n Support: Extended (Exact) \n Support: + Implementation-specific (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has Implementation-specific conformance, + implementations can support POSIX, PCRE + or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." enum: - Exact - RegularExpression @@ -1197,18 +1115,17 @@ spec: maxItems: 15 type: array when: - description: |- - When holds the list of conditions for the policy to be enforced. - Called also "soft" conditions as route selectors must also match + description: When holds the list of conditions for the policy + to be enforced. Called also "soft" conditions as route + selectors must also match items: - description: |- - RouteSelector defines semantics for matching an HTTP request based on conditions - https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec + description: RouteSelector defines semantics for matching + an HTTP request based on conditions https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec properties: operator: - description: |- - The binary operator to be applied to the content fetched from the selector - Possible values are: "eq" (equal to), "neq" (not equal to) + description: 'The binary operator to be applied to + the content fetched from the selector Possible values + are: "eq" (equal to), "neq" (not equal to)' enum: - eq - neq @@ -1219,9 +1136,9 @@ spec: - matches type: string selector: - description: |- - Selector defines one item from the well known selectors - TODO Document properly "Well-known selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors + description: Selector defines one item from the well + known selectors TODO Document properly "Well-known + selector" https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors maxLength: 253 minLength: 1 type: string @@ -1260,11 +1177,10 @@ spec: minLength: 1 type: string namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, the local - namespace is inferred. Even when policy targets a resource in a different - namespace, it MUST only apply to traffic originating from the same - namespace as the policy. + description: Namespace is the namespace of the referent. When + unspecified, the local namespace is inferred. Even when policy + targets a resource in a different namespace, it MUST only apply + to traffic originating from the same namespace as the policy. maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ @@ -1300,47 +1216,46 @@ spec: description: RateLimitPolicyStatus defines the observed state of RateLimitPolicy properties: conditions: - description: |- - Represents the observations of a foo's current state. - Known .status.conditions.type are: "Available" + description: 'Represents the observations of a foo''s current state. + Known .status.conditions.type are: "Available"' items: description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" properties: lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. format: date-time type: string message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. + description: message is a human readable message indicating + details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. format: int64 minimum: 0 type: integer reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -1354,12 +1269,11 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/config/crd/bases/kuadrant.io_tlspolicies.yaml b/config/crd/bases/kuadrant.io_tlspolicies.yaml index 8cc9ed990..c1ff4a1ce 100644 --- a/config/crd/bases/kuadrant.io_tlspolicies.yaml +++ b/config/crd/bases/kuadrant.io_tlspolicies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.13.0 labels: gateway.networking.k8s.io/policy: direct name: tlspolicies.kuadrant.io @@ -41,19 +41,14 @@ spec: description: TLSPolicy is the Schema for the tlspolicies API properties: apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -61,30 +56,26 @@ spec: description: TLSPolicySpec defines the desired state of TLSPolicy properties: commonName: - description: |- - CommonName is a common name to be used on the Certificate. - The CommonName should have a length of 64 characters or fewer to avoid - generating invalid CSRs. - This value is ignored by TLS clients when any subject alt name is set. - This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4 + description: 'CommonName is a common name to be used on the Certificate. + The CommonName should have a length of 64 characters or fewer to + avoid generating invalid CSRs. This value is ignored by TLS clients + when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' type: string duration: - description: |- - The requested 'duration' (i.e. lifetime) of the Certificate. This option - may be ignored/overridden by some issuer types. If unset this defaults to - 90 days. Certificate will be renewed either 2/3 through its duration or - `renewBefore` period before its expiry, whichever is later. Minimum - accepted duration is 1 hour. Value must be in units accepted by Go - time.ParseDuration https://golang.org/pkg/time/#ParseDuration + description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. If unset + this defaults to 90 days. Certificate will be renewed either 2/3 + through its duration or `renewBefore` period before its expiry, + whichever is later. Minimum accepted duration is 1 hour. Value must + be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration type: string issuerRef: - description: |- - IssuerRef is a reference to the issuer for this certificate. + description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource - with the given name in the same namespace as the Certificate will be used. - If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the - provided name will be used. - The `name` field in this stanza is required at all times. + with the given name in the same namespace as the Certificate will + be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer + with the provided name will be used. The `name` field in this stanza + is required at all times. properties: group: description: Group of the resource being referred to. @@ -102,81 +93,75 @@ spec: description: Options to control private keys used for the Certificate. properties: algorithm: - description: |- - Algorithm is the private key algorithm of the corresponding private key - for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA` - If `algorithm` is specified and `size` is not provided, - key size of 256 will be used for `ECDSA` key algorithm and - key size of 2048 will be used for `RSA` key algorithm. - key size is ignored when using the `Ed25519` key algorithm. + description: Algorithm is the private key algorithm of the corresponding + private key for this certificate. If provided, allowed values + are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified + and `size` is not provided, key size of 256 will be used for + `ECDSA` key algorithm and key size of 2048 will be used for + `RSA` key algorithm. key size is ignored when using the `Ed25519` + key algorithm. enum: - RSA - ECDSA - Ed25519 type: string encoding: - description: |- - The private key cryptography standards (PKCS) encoding for this - certificate's private key to be encoded in. - If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 - and PKCS#8, respectively. - Defaults to `PKCS1` if not specified. + description: The private key cryptography standards (PKCS) encoding + for this certificate's private key to be encoded in. If provided, + allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and + PKCS#8, respectively. Defaults to `PKCS1` if not specified. enum: - PKCS1 - PKCS8 type: string rotationPolicy: - description: |- - RotationPolicy controls how private keys should be regenerated when a - re-issuance is being processed. - If set to Never, a private key will only be generated if one does not - already exist in the target `spec.secretName`. If one does exists but it - does not have the correct algorithm or size, a warning will be raised - to await user intervention. - If set to Always, a private key matching the specified requirements - will be generated whenever a re-issuance occurs. - Default is 'Never' for backward compatibility. + description: RotationPolicy controls how private keys should be + regenerated when a re-issuance is being processed. If set to + Never, a private key will only be generated if one does not + already exist in the target `spec.secretName`. If one does exists + but it does not have the correct algorithm or size, a warning + will be raised to await user intervention. If set to Always, + a private key matching the specified requirements will be generated + whenever a re-issuance occurs. Default is 'Never' for backward + compatibility. enum: - Never - Always type: string size: - description: |- - Size is the key bit size of the corresponding private key for this certificate. - If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, - and will default to `2048` if not specified. - If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, - and will default to `256` if not specified. - If `algorithm` is set to `Ed25519`, Size is ignored. + description: Size is the key bit size of the corresponding private + key for this certificate. If `algorithm` is set to `RSA`, valid + values are `2048`, `4096` or `8192`, and will default to `2048` + if not specified. If `algorithm` is set to `ECDSA`, valid values + are `256`, `384` or `521`, and will default to `256` if not + specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed. type: integer type: object renewBefore: - description: |- - How long before the currently issued certificate's expiry - cert-manager should renew the certificate. The default is 2/3 of the - issued certificate's duration. Minimum accepted value is 5 minutes. - Value must be in units accepted by Go time.ParseDuration - https://golang.org/pkg/time/#ParseDuration + description: How long before the currently issued certificate's expiry + cert-manager should renew the certificate. The default is 2/3 of + the issued certificate's duration. Minimum accepted value is 5 minutes. + Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration type: string revisionHistoryLimit: - description: |- - RevisionHistoryLimit is the maximum number of CertificateRequest revisions - that are maintained in the Certificate's history. Each revision represents - a single `CertificateRequest` created by this Certificate, either when it - was created, renewed, or Spec was changed. Revisions will be removed by - oldest first if the number of revisions exceeds this number. If set, - revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), - revisions will not be garbage collected. Default value is `nil`. + description: RevisionHistoryLimit is the maximum number of CertificateRequest + revisions that are maintained in the Certificate's history. Each + revision represents a single `CertificateRequest` created by this + Certificate, either when it was created, renewed, or Spec was changed. + Revisions will be removed by oldest first if the number of revisions + exceeds this number. If set, revisionHistoryLimit must be a value + of `1` or greater. If unset (`nil`), revisions will not be garbage + collected. Default value is `nil`. format: int32 type: integer targetRef: - description: |- - PolicyTargetReference identifies an API object to apply a direct or - inherited policy to. This should be used as part of Policy resources - that can target Gateway API resources. For more information on how this - policy attachment model works, and a sample Policy resource, refer to - the policy attachment documentation for Gateway API. + description: PolicyTargetReference identifies an API object to apply + a direct or inherited policy to. This should be used as part of + Policy resources that can target Gateway API resources. For more + information on how this policy attachment model works, and a sample + Policy resource, refer to the policy attachment documentation for + Gateway API. properties: group: description: Group is the group of the target resource. @@ -195,11 +180,10 @@ spec: minLength: 1 type: string namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, the local - namespace is inferred. Even when policy targets a resource in a different - namespace, it MUST only apply to traffic originating from the same - namespace as the policy. + description: Namespace is the namespace of the referent. When + unspecified, the local namespace is inferred. Even when policy + targets a resource in a different namespace, it MUST only apply + to traffic originating from the same namespace as the policy. maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ @@ -210,41 +194,19 @@ spec: - name type: object usages: - description: |- - Usages is the set of x509 usages that are requested for the certificate. - Defaults to `digital signature` and `key encipherment` if not specified. + description: Usages is the set of x509 usages that are requested for + the certificate. Defaults to `digital signature` and `key encipherment` + if not specified. items: - description: |- - KeyUsage specifies valid usage contexts for keys. - See: - https://tools.ietf.org/html/rfc5280#section-4.2.1.3 - https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - - - Valid KeyUsage values are as follows: - "signing", - "digital signature", - "content commitment", - "key encipherment", - "key agreement", - "data encipherment", - "cert sign", - "crl sign", - "encipher only", - "decipher only", - "any", - "server auth", - "client auth", - "code signing", - "email protection", - "s/mime", - "ipsec end system", - "ipsec tunnel", - "ipsec user", - "timestamping", - "ocsp signing", - "microsoft sgc", - "netscape sgc" + description: "KeyUsage specifies valid usage contexts for keys. + See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + \n Valid KeyUsage values are as follows: \"signing\", \"digital + signature\", \"content commitment\", \"key encipherment\", \"key + agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", + \"encipher only\", \"decipher only\", \"any\", \"server auth\", + \"client auth\", \"code signing\", \"email protection\", \"s/mime\", + \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", + \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" enum: - signing - digital signature @@ -279,50 +241,47 @@ spec: description: TLSPolicyStatus defines the observed state of TLSPolicy properties: conditions: - description: |- - conditions are any conditions associated with the policy - - - If configuring the policy fails, the "Failed" condition will be set with a - reason and message describing the cause of the failure. + description: "conditions are any conditions associated with the policy + \n If configuring the policy fails, the \"Failed\" condition will + be set with a reason and message describing the cause of the failure." items: description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" properties: lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. format: date-time type: string message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. + description: message is a human readable message indicating + details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. format: int64 minimum: 0 type: integer reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -336,12 +295,11 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -354,11 +312,10 @@ spec: type: object type: array observedGeneration: - description: |- - observedGeneration is the most recently observed generation of the - TLSPolicy. When the TLSPolicy is updated, the controller updates the - corresponding configuration. If an update fails, that failure is - recorded in the status condition + description: observedGeneration is the most recently observed generation + of the TLSPolicy. When the TLSPolicy is updated, the controller + updates the corresponding configuration. If an update fails, that + failure is recorded in the status condition format: int64 type: integer type: object diff --git a/config/dependencies/authorino/kustomization.yaml b/config/dependencies/authorino/kustomization.yaml index 2281ecbbb..62efc99bd 100644 --- a/config/dependencies/authorino/kustomization.yaml +++ b/config/dependencies/authorino/kustomization.yaml @@ -1,2 +1,2 @@ resources: -- github.com/Kuadrant/authorino-operator/config/deploy?ref=main +- github.com/Kuadrant/authorino-operator/config/deploy?ref=v0.11.1 diff --git a/config/dependencies/dns/kustomization.yaml b/config/dependencies/dns/kustomization.yaml index f7abc9be3..e649c23e6 100644 --- a/config/dependencies/dns/kustomization.yaml +++ b/config/dependencies/dns/kustomization.yaml @@ -1,5 +1,5 @@ resources: -- github.com/kuadrant/dns-operator/config/default?ref=main +- github.com/kuadrant/dns-operator/config/default?ref=v0.2.0-rc1 patches: - path: deployment_patch.yaml diff --git a/config/dependencies/limitador/kustomization.yaml b/config/dependencies/limitador/kustomization.yaml index ca74b6b82..81b9d45f4 100644 --- a/config/dependencies/limitador/kustomization.yaml +++ b/config/dependencies/limitador/kustomization.yaml @@ -1,2 +1,2 @@ resources: -- github.com/Kuadrant/limitador-operator/config/default?ref=main +- github.com/Kuadrant/limitador-operator/config/default?ref=v0.8.0-rc.1 diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index f44157fc4..77c88668f 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -10,4 +10,4 @@ kind: Kustomization images: - name: controller newName: quay.io/kuadrant/kuadrant-operator - newTag: latest + newTag: v0.7.0-rc1 diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index c893739f8..a5b5e924f 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -29,7 +29,7 @@ spec: - /manager env: - name: RELATED_IMAGE_WASMSHIM - value: "oci://quay.io/kuadrant/wasm-shim:latest" + value: "oci://quay.io/kuadrant/wasm-shim:v0.4.0-rc1" image: controller:latest name: manager securityContext: diff --git a/config/manifests/bases/kuadrant-operator.clusterserviceversion.yaml b/config/manifests/bases/kuadrant-operator.clusterserviceversion.yaml index 98b13550a..77fdf7fbb 100644 --- a/config/manifests/bases/kuadrant-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/kuadrant-operator.clusterserviceversion.yaml @@ -5,12 +5,12 @@ metadata: alm-examples: '[]' capabilities: Basic Install categories: Integration & Delivery - containerImage: quay.io/kuadrant/kuadrant-operator:latest + containerImage: quay.io/kuadrant/kuadrant-operator:v0.7.0-rc1 operators.operatorframework.io/builder: operator-sdk-v1.9.0 operators.operatorframework.io/project_layout: unknown repository: https://github.com/Kuadrant/kuadrant-operator support: kuadrant - name: kuadrant-operator.v0.0.0 + name: kuadrant-operator.v0.7.0-rc1 namespace: placeholder spec: apiservicedefinitions: {} @@ -101,5 +101,5 @@ spec: provider: name: Red Hat url: https://github.com/Kuadrant/kuadrant-operator - replaces: kuadrant-operator.v0.0.0-alpha - version: 0.0.0 + replaces: kuadrant-operator.v0.6.1 + version: 0.7.0-rc1