369 lines
15 KiB
YAML
369 lines
15 KiB
YAML
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.14.0
|
|
name: accesscontrolpolicies.hub.traefik.io
|
|
spec:
|
|
group: hub.traefik.io
|
|
names:
|
|
kind: AccessControlPolicy
|
|
listKind: AccessControlPolicyList
|
|
plural: accesscontrolpolicies
|
|
singular: accesscontrolpolicy
|
|
scope: Cluster
|
|
versions:
|
|
- name: v1alpha1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: AccessControlPolicy defines an access control policy.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: AccessControlPolicySpec configures an access control policy.
|
|
properties:
|
|
apiKey:
|
|
description: AccessControlPolicyAPIKey configure an APIKey control
|
|
policy.
|
|
properties:
|
|
forwardHeaders:
|
|
additionalProperties:
|
|
type: string
|
|
description: ForwardHeaders instructs the middleware to forward
|
|
key metadata as header values upon successful authentication.
|
|
type: object
|
|
keySource:
|
|
description: KeySource defines how to extract API keys from requests.
|
|
properties:
|
|
cookie:
|
|
description: Cookie is the name of a cookie.
|
|
type: string
|
|
header:
|
|
description: Header is the name of a header.
|
|
type: string
|
|
headerAuthScheme:
|
|
description: |-
|
|
HeaderAuthScheme sets an optional auth scheme when Header is set to "Authorization".
|
|
If set, this scheme is removed from the token, and all requests not including it are dropped.
|
|
type: string
|
|
query:
|
|
description: Query is the name of a query parameter.
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys define the set of authorized keys to access
|
|
a protected resource.
|
|
items:
|
|
description: AccessControlPolicyAPIKeyKey defines an API key.
|
|
properties:
|
|
id:
|
|
description: ID is the unique identifier of the key.
|
|
type: string
|
|
metadata:
|
|
additionalProperties:
|
|
type: string
|
|
description: Metadata holds arbitrary metadata for this
|
|
key, can be used by ForwardHeaders.
|
|
type: object
|
|
value:
|
|
description: Value is the SHAKE-256 hash (using 64 bytes)
|
|
of the API key.
|
|
type: string
|
|
required:
|
|
- id
|
|
- value
|
|
type: object
|
|
type: array
|
|
required:
|
|
- keySource
|
|
type: object
|
|
basicAuth:
|
|
description: AccessControlPolicyBasicAuth holds the HTTP basic authentication
|
|
configuration.
|
|
properties:
|
|
forwardUsernameHeader:
|
|
type: string
|
|
realm:
|
|
type: string
|
|
stripAuthorizationHeader:
|
|
type: boolean
|
|
users:
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jwt:
|
|
description: AccessControlPolicyJWT configures a JWT access control
|
|
policy.
|
|
properties:
|
|
claims:
|
|
type: string
|
|
forwardHeaders:
|
|
additionalProperties:
|
|
type: string
|
|
type: object
|
|
jwksFile:
|
|
type: string
|
|
jwksUrl:
|
|
type: string
|
|
publicKey:
|
|
type: string
|
|
signingSecret:
|
|
type: string
|
|
signingSecretBase64Encoded:
|
|
type: boolean
|
|
stripAuthorizationHeader:
|
|
type: boolean
|
|
tokenQueryKey:
|
|
type: string
|
|
type: object
|
|
oAuthIntro:
|
|
description: AccessControlOAuthIntro configures an OAuth 2.0 Token
|
|
Introspection access control policy.
|
|
properties:
|
|
claims:
|
|
type: string
|
|
clientConfig:
|
|
description: AccessControlOAuthIntroClientConfig configures the
|
|
OAuth 2.0 client for issuing token introspection requests.
|
|
properties:
|
|
headers:
|
|
additionalProperties:
|
|
type: string
|
|
description: Headers to set when sending requests to the Authorization
|
|
Server.
|
|
type: object
|
|
maxRetries:
|
|
default: 3
|
|
description: MaxRetries defines the number of retries for
|
|
introspection requests.
|
|
type: integer
|
|
timeoutSeconds:
|
|
default: 5
|
|
description: TimeoutSeconds configures the maximum amount
|
|
of seconds to wait before giving up on requests.
|
|
type: integer
|
|
tls:
|
|
description: TLS configures TLS communication with the Authorization
|
|
Server.
|
|
properties:
|
|
ca:
|
|
description: CA sets the CA bundle used to sign the Authorization
|
|
Server certificate.
|
|
type: string
|
|
insecureSkipVerify:
|
|
description: |-
|
|
InsecureSkipVerify skips the Authorization Server certificate validation.
|
|
For testing purposes only, do not use in production.
|
|
type: boolean
|
|
type: object
|
|
tokenTypeHint:
|
|
description: |-
|
|
TokenTypeHint is a hint to pass to the Authorization Server.
|
|
See https://tools.ietf.org/html/rfc7662#section-2.1 for more information.
|
|
type: string
|
|
url:
|
|
description: URL of the Authorization Server.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
forwardHeaders:
|
|
additionalProperties:
|
|
type: string
|
|
type: object
|
|
tokenSource:
|
|
description: |-
|
|
TokenSource describes how to extract tokens from HTTP requests.
|
|
If multiple sources are set, the order is the following: header > query > cookie.
|
|
properties:
|
|
cookie:
|
|
description: Cookie is the name of a cookie.
|
|
type: string
|
|
header:
|
|
description: Header is the name of a header.
|
|
type: string
|
|
headerAuthScheme:
|
|
description: |-
|
|
HeaderAuthScheme sets an optional auth scheme when Header is set to "Authorization".
|
|
If set, this scheme is removed from the token, and all requests not including it are dropped.
|
|
type: string
|
|
query:
|
|
description: Query is the name of a query parameter.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- clientConfig
|
|
- tokenSource
|
|
type: object
|
|
oidc:
|
|
description: AccessControlPolicyOIDC holds the OIDC authentication
|
|
configuration.
|
|
properties:
|
|
authParams:
|
|
additionalProperties:
|
|
type: string
|
|
type: object
|
|
claims:
|
|
type: string
|
|
clientId:
|
|
type: string
|
|
disableAuthRedirectionPaths:
|
|
items:
|
|
type: string
|
|
type: array
|
|
forwardHeaders:
|
|
additionalProperties:
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
type: string
|
|
logoutUrl:
|
|
type: string
|
|
redirectUrl:
|
|
type: string
|
|
scopes:
|
|
items:
|
|
type: string
|
|
type: array
|
|
secret:
|
|
description: |-
|
|
SecretReference represents a Secret Reference. It has enough information to retrieve secret
|
|
in any namespace
|
|
properties:
|
|
name:
|
|
description: name is unique within a namespace to reference
|
|
a secret resource.
|
|
type: string
|
|
namespace:
|
|
description: namespace defines the space within which the
|
|
secret name must be unique.
|
|
type: string
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
session:
|
|
description: Session holds session configuration.
|
|
properties:
|
|
domain:
|
|
type: string
|
|
path:
|
|
type: string
|
|
refresh:
|
|
type: boolean
|
|
sameSite:
|
|
type: string
|
|
secure:
|
|
type: boolean
|
|
type: object
|
|
stateCookie:
|
|
description: StateCookie holds state cookie configuration.
|
|
properties:
|
|
domain:
|
|
type: string
|
|
path:
|
|
type: string
|
|
sameSite:
|
|
type: string
|
|
secure:
|
|
type: boolean
|
|
type: object
|
|
type: object
|
|
oidcGoogle:
|
|
description: AccessControlPolicyOIDCGoogle holds the Google OIDC authentication
|
|
configuration.
|
|
properties:
|
|
authParams:
|
|
additionalProperties:
|
|
type: string
|
|
type: object
|
|
clientId:
|
|
type: string
|
|
emails:
|
|
description: Emails are the allowed emails to connect.
|
|
items:
|
|
type: string
|
|
minItems: 1
|
|
type: array
|
|
forwardHeaders:
|
|
additionalProperties:
|
|
type: string
|
|
type: object
|
|
logoutUrl:
|
|
type: string
|
|
redirectUrl:
|
|
type: string
|
|
secret:
|
|
description: |-
|
|
SecretReference represents a Secret Reference. It has enough information to retrieve secret
|
|
in any namespace
|
|
properties:
|
|
name:
|
|
description: name is unique within a namespace to reference
|
|
a secret resource.
|
|
type: string
|
|
namespace:
|
|
description: namespace defines the space within which the
|
|
secret name must be unique.
|
|
type: string
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
session:
|
|
description: Session holds session configuration.
|
|
properties:
|
|
domain:
|
|
type: string
|
|
path:
|
|
type: string
|
|
refresh:
|
|
type: boolean
|
|
sameSite:
|
|
type: string
|
|
secure:
|
|
type: boolean
|
|
type: object
|
|
stateCookie:
|
|
description: StateCookie holds state cookie configuration.
|
|
properties:
|
|
domain:
|
|
type: string
|
|
path:
|
|
type: string
|
|
sameSite:
|
|
type: string
|
|
secure:
|
|
type: boolean
|
|
type: object
|
|
type: object
|
|
type: object
|
|
status:
|
|
description: The current status of this access control policy.
|
|
properties:
|
|
specHash:
|
|
type: string
|
|
syncedAt:
|
|
format: date-time
|
|
type: string
|
|
version:
|
|
type: string
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: true
|