---
# CustomResourceDefinition for the AccessControlPolicy kind (group
# hub.traefik.io, version v1alpha1). The annotation below indicates the file
# was produced by controller-gen; schema changes presumably belong in the
# generator's input rather than in this file - TODO confirm.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  name: accesscontrolpolicies.hub.traefik.io
spec:
  group: hub.traefik.io
  names:
    kind: AccessControlPolicy
    listKind: AccessControlPolicyList
    plural: accesscontrolpolicies
    singular: accesscontrolpolicy
  # Cluster-scoped: these objects have no namespace boundary, so RBAC on
  # accesscontrolpolicies.hub.traefik.io is what separates who may define or
  # change an authentication policy. Grant create/update/patch narrowly, and
  # treat get/list as sensitive too: the spec stores key digests inline
  # (spec.apiKey.keys) and has fields that, by name, look like credential
  # material (spec.jwt.signingSecret, spec.basicAuth.users).
  scope: Cluster
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: AccessControlPolicy defines an access control policy.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          # Each policy type under spec.properties is an optional sibling; the
          # spec schema declares no required list and no oneOf/maxProperties
          # constraint, so an object that sets several policy types (or none)
          # passes API-server validation. Which one takes effect is left to the
          # controller - NOTE(review): confirm, and consider an admission check
          # that enforces exactly one.
          spec:
            description: AccessControlPolicySpec configures an access control policy.
            properties:
              # API-key policy: where to read the key from a request (keySource),
              # the set of accepted keys (keys), and which key metadata to pass on
              # as headers (forwardHeaders).
              apiKey:
                description: AccessControlPolicyAPIKey configure an APIKey control
                  policy.
                properties:
                  # Key metadata is copied into request headers after a successful
                  # authentication. Backends that trust these headers should only be
                  # reachable through the proxy; whether client-supplied headers of
                  # the same name are overwritten is not visible in this schema -
                  # verify.
                  forwardHeaders:
                    additionalProperties:
                      type: string
                    description: ForwardHeaders instructs the middleware to forward
                      key metadata as header values upon successful authentication.
                    type: object
                  keySource:
                    description: KeySource defines how to extract API keys from requests.
                    properties:
                      cookie:
                        description: Cookie is the name of a cookie.
                        type: string
                      header:
                        description: Header is the name of a header.
                        type: string
                      headerAuthScheme:
                        description: |-
                          HeaderAuthScheme sets an optional auth scheme when Header is set to "Authorization".
                          If set, this scheme is removed from the token, and all requests not including it are dropped.
                        type: string
                      # A key carried in a query parameter becomes part of the URL,
                      # and URLs are commonly recorded in access logs, intermediaries
                      # and browser history. Prefer header where clients allow it.
                      query:
                        description: Query is the name of a query parameter.
                        type: string
                    type: object
                  keys:
                    description: Keys define the set of authorized keys to access
                      a protected resource.
                    items:
                      description: AccessControlPolicyAPIKeyKey defines an API key.
                      properties:
                        id:
                          description: ID is the unique identifier of the key.
                          type: string
                        metadata:
                          additionalProperties:
                            type: string
                          description: Metadata holds arbitrary metadata for this
                            key, can be used by ForwardHeaders.
                          type: object
                        # Only a digest is stored, not the key itself. The description
                        # mentions no salt, so the protection presumably rests on the
                        # keys being long random values - confirm how keys are
                        # generated. The digests sit inline in the object, readable by
                        # anyone with get/list on it.
                        value:
                          description: Value is the SHAKE-256 hash (using 64 bytes)
                            of the API key.
                          type: string
                      required:
                      - id
                      - value
                      type: object
                    type: array
                # Only keySource is required: a policy with a key source and no keys
                # is schema-valid. How the middleware treats an absent or empty key
                # list is not defined here - TODO confirm it denies.
                required:
                - keySource
                type: object
              # HTTP basic authentication policy. None of the fields below carries
              # a description in this schema, so the notes on them are inferred
              # from the field names and hedged accordingly.
              basicAuth:
                description: AccessControlPolicyBasicAuth holds the HTTP basic authentication
                  configuration.
                properties:
                  forwardUsernameHeader:
                    type: string
                  realm:
                    type: string
                  # By name, controls whether the Authorization header is removed
                  # before the request is forwarded - TODO confirm. If it is left in
                  # place, the backend receives the user's basic-auth credentials.
                  stripAuthorizationHeader:
                    type: boolean
                  # Entry format is not documented here - presumably user/password
                  # entries; TODO confirm whether passwords are hashed. Either way
                  # the entries are stored inline in the object rather than referenced
                  # from a Secret, so they are visible to anyone who can read the
                  # object and in etcd backups.
                  users:
                    items:
                      type: string
                    type: array
                type: object
              # JWT validation policy. The schema documents none of these fields and
              # sets no constraint among the possible key sources (jwksFile, jwksUrl,
              # publicKey, signingSecret); which of them may be combined is left to
              # the controller - TODO confirm.
              jwt:
                description: AccessControlPolicyJWT configures a JWT access control
                  policy.
                properties:
                  claims:
                    type: string
                  forwardHeaders:
                    additionalProperties:
                      type: string
                    type: object
                  jwksFile:
                    type: string
                  # Plain string with no format or pattern: the schema does not
                  # require https. NOTE(review): a key set fetched over an
                  # unauthenticated channel can be replaced in transit, so policy
                  # review should check the scheme.
                  jwksUrl:
                    type: string
                  publicKey:
                    type: string
                  # Inline string, unlike oidc.secret which is a Secret reference.
                  # By its name this is symmetric signing key material - TODO
                  # confirm. If so, it is readable by anyone with get/list on the
                  # object and ends up in etcd, backups and any dump of the object.
                  signingSecret:
                    type: string
                  signingSecretBase64Encoded:
                    type: boolean
                  stripAuthorizationHeader:
                    type: boolean
                  # By name, a query parameter the token may be read from - TODO
                  # confirm. Tokens placed in URLs tend to be recorded in logs.
                  tokenQueryKey:
                    type: string
                type: object
              # OAuth 2.0 Token Introspection policy: how to reach the Authorization
              # Server (clientConfig) and where to read the token from a request
              # (tokenSource). Both are required.
              oAuthIntro:
                description: AccessControlOAuthIntro configures an OAuth 2.0 Token
                  Introspection access control policy.
                properties:
                  claims:
                    type: string
                  clientConfig:
                    description: AccessControlOAuthIntroClientConfig configures the
                      OAuth 2.0 client for issuing token introspection requests.
                    properties:
                      # Free-form headers sent to the Authorization Server. If these
                      # carry the client's credentials for the introspection endpoint
                      # (presumably an Authorization header - verify), those
                      # credentials are stored inline in the object.
                      headers:
                        additionalProperties:
                          type: string
                        description: Headers to set when sending requests to the Authorization
                          Server.
                        type: object
                      # maxRetries and timeoutSeconds declare a default but no
                      # minimum/maximum, so zero, negative or very large values pass
                      # schema validation.
                      maxRetries:
                        default: 3
                        description: MaxRetries defines the number of retries for
                          introspection requests.
                        type: integer
                      timeoutSeconds:
                        default: 5
                        description: TimeoutSeconds configures the maximum amount
                          of seconds to wait before giving up on requests.
                        type: integer
                      tls:
                        description: TLS configures TLS communication with the Authorization
                          Server.
                        properties:
                          ca:
                            description: CA sets the CA bundle used to sign the Authorization
                              Server certificate.
                            type: string
                          # With verification off, the identity of the server answering
                          # introspection requests is not checked, so its verdict on a
                          # token cannot be relied on. Worth rejecting with an admission
                          # policy outside test clusters.
                          insecureSkipVerify:
                            description: |-
                              InsecureSkipVerify skips the Authorization Server certificate validation.
                              For testing purposes only, do not use in production.
                            type: boolean
                        type: object
                      tokenTypeHint:
                        description: |-
                          TokenTypeHint is a hint to pass to the Authorization Server.
                          See https://tools.ietf.org/html/rfc7662#section-2.1 for more information.
                        type: string
                      # No format or pattern is declared; https is not enforced at
                      # schema level.
                      url:
                        description: URL of the Authorization Server.
                        type: string
                    required:
                    - url
                    type: object
                  forwardHeaders:
                    additionalProperties:
                      type: string
                    type: object
                  tokenSource:
                    description: |-
                      TokenSource describes how to extract tokens from HTTP requests.
                      If multiple sources are set, the order is the following: header > query > cookie.
                    properties:
                      cookie:
                        description: Cookie is the name of a cookie.
                        type: string
                      header:
                        description: Header is the name of a header.
                        type: string
                      headerAuthScheme:
                        description: |-
                          HeaderAuthScheme sets an optional auth scheme when Header is set to "Authorization".
                          If set, this scheme is removed from the token, and all requests not including it are dropped.
                        type: string
                      # A token carried in a query parameter becomes part of the URL,
                      # and URLs are commonly recorded in access logs and
                      # intermediaries.
                      query:
                        description: Query is the name of a query parameter.
                        type: string
                    type: object
                required:
                - clientConfig
                - tokenSource
                type: object
              # OIDC authentication policy. No field is required by the schema, and
              # most carry no description, so completeness checks (issuer, clientId,
              # secret, redirectUrl) are left to the controller - TODO confirm.
              oidc:
                description: AccessControlPolicyOIDC holds the OIDC authentication
                  configuration.
                properties:
                  authParams:
                    additionalProperties:
                      type: string
                    type: object
                  claims:
                    type: string
                  clientId:
                    type: string
                  disableAuthRedirectionPaths:
                    items:
                      type: string
                    type: array
                  forwardHeaders:
                    additionalProperties:
                      type: string
                    type: object
                  issuer:
                    type: string
                  logoutUrl:
                    type: string
                  redirectUrl:
                    type: string
                  scopes:
                    items:
                      type: string
                    type: array
                  # A cluster-scoped object naming a Secret by name and namespace:
                  # per the description the reference can point into any namespace.
                  # NOTE(review): whoever can create or edit these policies can
                  # therefore name any Secret the controller is able to read. Check
                  # the controller's RBAC on secrets and who holds write access to
                  # this resource.
                  secret:
                    description: |-
                      SecretReference represents a Secret Reference. It has enough information to retrieve secret
                      in any namespace
                    properties:
                      name:
                        description: name is unique within a namespace to reference
                          a secret resource.
                        type: string
                      namespace:
                        description: namespace defines the space within which the
                          secret name must be unique.
                        type: string
                    type: object
                    x-kubernetes-map-type: atomic
                  # Cookie attributes for the session. sameSite is a free string (no
                  # enum) and neither secure nor sameSite declares a default here, so
                  # the effective attributes when they are omitted depend on the
                  # controller - TODO confirm.
                  session:
                    description: Session holds session configuration.
                    properties:
                      domain:
                        type: string
                      path:
                        type: string
                      refresh:
                        type: boolean
                      sameSite:
                        type: string
                      secure:
                        type: boolean
                    type: object
                  stateCookie:
                    description: StateCookie holds state cookie configuration.
                    properties:
                      domain:
                        type: string
                      path:
                        type: string
                      sameSite:
                        type: string
                      secure:
                        type: boolean
                    type: object
                type: object
              # Google OIDC authentication policy. Same shape as oidc minus issuer,
              # claims, scopes and disableAuthRedirectionPaths, plus an emails
              # allow-list.
              oidcGoogle:
                description: AccessControlPolicyOIDCGoogle holds the Google OIDC authentication
                  configuration.
                properties:
                  authParams:
                    additionalProperties:
                      type: string
                    type: object
                  clientId:
                    type: string
                  # minItems: 1 rejects an empty list when the field is present, but
                  # emails is not in a required list, so leaving it out entirely is
                  # still schema-valid. How an absent allow-list is treated is not
                  # defined here - TODO confirm it does not mean "any account".
                  emails:
                    description: Emails are the allowed emails to connect.
                    items:
                      type: string
                    minItems: 1
                    type: array
                  forwardHeaders:
                    additionalProperties:
                      type: string
                    type: object
                  logoutUrl:
                    type: string
                  redirectUrl:
                    type: string
                  # Reference to a Secret by name and namespace from a cluster-scoped
                  # object; per the description it can point into any namespace.
                  # NOTE(review): write access to this resource lets the author name
                  # any Secret the controller can read - check the controller's RBAC.
                  secret:
                    description: |-
                      SecretReference represents a Secret Reference. It has enough information to retrieve secret
                      in any namespace
                    properties:
                      name:
                        description: name is unique within a namespace to reference
                          a secret resource.
                        type: string
                      namespace:
                        description: namespace defines the space within which the
                          secret name must be unique.
                        type: string
                    type: object
                    x-kubernetes-map-type: atomic
                  # sameSite is a free string (no enum) and no default is declared for
                  # secure or sameSite; effective cookie attributes when omitted
                  # depend on the controller - TODO confirm.
                  session:
                    description: Session holds session configuration.
                    properties:
                      domain:
                        type: string
                      path:
                        type: string
                      refresh:
                        type: boolean
                      sameSite:
                        type: string
                      secure:
                        type: boolean
                    type: object
                  stateCookie:
                    description: StateCookie holds state cookie configuration.
                    properties:
                      domain:
                        type: string
                      path:
                        type: string
                      sameSite:
                        type: string
                      secure:
                        type: boolean
                    type: object
                type: object
            type: object
          # Status fields: a spec hash, a sync timestamp and a version string.
          # Presumably written by the controller; the schema only declares them.
          status:
            description: The current status of this access control policy.
            properties:
              specHash:
                type: string
              syncedAt:
                format: date-time
                type: string
              version:
                type: string
            type: object
        type: object
    # No subresources entry is visible for this version up to this point. If
    # none follows, status is not served on a separate /status endpoint: any
    # principal allowed to update the object can also rewrite status, and the
    # controller needs update on the whole object to report it.
    # NOTE(review): confirm this is intended.
    served: true
    storage: true