---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.9.2
  creationTimestamp: null
  name: ngrokmodulesets.ingress.k8s.ngrok.com
spec:
  group: ingress.k8s.ngrok.com
  names:
    kind: NgrokModuleSet
    listKind: NgrokModuleSetList
    plural: ngrokmodulesets
    singular: ngrokmoduleset
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: NgrokModuleSet is the Schema for the ngrokmodules API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          modules:
            properties:
              circuitBreaker:
                description: CircuitBreaker configuration for this module set
                properties:
                  errorThresholdPercentage:
                    anyOf:
                    - type: integer
                    - type: string
                    description: Error threshold percentage should be between 0 - 1.0, not 0-100.0
                    pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                    x-kubernetes-int-or-string: true
                  numBuckets:
                    description: Integer number of buckets into which metrics
                      are retained. Max 128.
                    format: int32
                    maximum: 128
                    minimum: 1
                    type: integer
                  rollingWindow:
                    description: Statistical rolling window duration that metrics
                      are retained for.
                    format: duration
                    type: string
                  trippedDuration:
                    description: Duration after which the circuit is tripped to
                      wait before re-evaluating upstream health
                    format: duration
                    type: string
                  volumeThreshold:
                    description: Integer number of requests in a rolling window
                      that will trip the circuit. Helpful if traffic volume is low.
                    format: int32
                    type: integer
                type: object
              compression:
                description: Compression configuration for this module set
                properties:
                  enabled:
                    description: Enabled is whether or not to enable compression
                      for this endpoint
                    type: boolean
                type: object
              headers:
                description: Header configuration for this module set
                properties:
                  request:
                    description: Request headers are the request headers module
                      configuration or null
                    properties:
                      add:
                        additionalProperties:
                          type: string
                        description: a map of header key to header value that
                          will be injected into the HTTP Request before being sent
                          to the upstream application server
                        type: object
                      remove:
                        description: a list of header names that will be removed
                          from the HTTP Request before being sent to the upstream
                          application server
                        items:
                          type: string
                        type: array
                    type: object
                  response:
                    description: Response headers are the response headers module
                      configuration or null
                    properties:
                      add:
                        additionalProperties:
                          type: string
                        description: a map of header key to header value that
                          will be injected into the HTTP Response returned to the
                          HTTP client
                        type: object
                      remove:
                        description: a list of header names that will be removed
                          from the HTTP Response returned to the HTTP client
                        items:
                          type: string
                        type: array
                    type: object
                type: object
              ipRestriction:
                description: IPRestriction configuration for this module set
                properties:
                  policies:
                    items:
                      type: string
                    type: array
                type: object
              oauth:
                description: OAuth configuration for this module set
                properties:
                  amazon:
                    description: configuration for using amazon as the identity
                      provider
                    properties:
                      authCheckInterval:
                        description: Duration after which ngrok guarantees it
                          will refresh user state from the identity provider and
                          recheck whether the user is still authorized to access
                          the endpoint. This is the preferred tunable to use to
                          enforce a minimum amount of time after which a revoked
                          user will no longer be able to access the resource.
                        format: duration
                        type: string
                      clientId:
                        description: the OAuth app client ID. retrieve it from
                          the identity provider's dashboard where you created your
                          own OAuth app. optional. if unspecified, ngrok will use
                          its own managed oauth application which has additional
                          restrictions. see the OAuth module docs for more details.
                          if present, clientSecret must be present as well.
                        type: string
                      clientSecret:
                        description: the OAuth app client secret. retrieve if
                          from the identity provider's dashboard where you created
                          your own OAuth app. optional, see all of the caveats
                          in the docs for clientId.
                        properties:
                          key:
                            description: Key in the secret to use
                            type: string
                          name:
                            description: Name of the Kubernetes secret
                            type: string
                        type: object
                      cookiePrefix:
                        description: the prefix of the session cookie that ngrok
                          sets on the http client to cache authentication. default
                          is 'ngrok.'
                        type: string
                      emailAddresses:
                        description: a list of email addresses of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      emailDomains:
                        description: a list of email domains of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      inactivityTimeout:
                        description: Duration of inactivity after which if the
                          user has not accessed the endpoint, their session will
                          time out and they will be forced to reauthenticate.
                        format: duration
                        type: string
                      maximumDuration:
                        description: Integer number of seconds of the maximum
                          duration of an authenticated session. After this period
                          is exceeded, a user must reauthenticate.
                        format: duration
                        type: string
                      optionsPassthrough:
                        description: Do not enforce authentication on HTTP OPTIONS
                          requests. necessary if you are supporting CORS.
                        type: boolean
                      scopes:
                        description: a list of provider-specific OAuth scopes
                          with the permissions your OAuth app would like to ask
                          for. these may not be set if you are using the ngrok-managed
                          oauth app (i.e. you must pass both client_id and client_secret
                          to set scopes)
                        items:
                          type: string
                        type: array
                    type: object
                  facebook:
                    description: configuration for using facebook as the identity
                      provider
                    properties:
                      authCheckInterval:
                        description: Duration after which ngrok guarantees it
                          will refresh user state from the identity provider and
                          recheck whether the user is still authorized to access
                          the endpoint. This is the preferred tunable to use to
                          enforce a minimum amount of time after which a revoked
                          user will no longer be able to access the resource.
                        format: duration
                        type: string
                      clientId:
                        description: the OAuth app client ID. retrieve it from
                          the identity provider's dashboard where you created your
                          own OAuth app. optional. if unspecified, ngrok will use
                          its own managed oauth application which has additional
                          restrictions. see the OAuth module docs for more details.
                          if present, clientSecret must be present as well.
                        type: string
                      clientSecret:
                        description: the OAuth app client secret. retrieve if
                          from the identity provider's dashboard where you created
                          your own OAuth app. optional, see all of the caveats
                          in the docs for clientId.
                        properties:
                          key:
                            description: Key in the secret to use
                            type: string
                          name:
                            description: Name of the Kubernetes secret
                            type: string
                        type: object
                      cookiePrefix:
                        description: the prefix of the session cookie that ngrok
                          sets on the http client to cache authentication. default
                          is 'ngrok.'
                        type: string
                      emailAddresses:
                        description: a list of email addresses of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      emailDomains:
                        description: a list of email domains of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      inactivityTimeout:
                        description: Duration of inactivity after which if the
                          user has not accessed the endpoint, their session will
                          time out and they will be forced to reauthenticate.
                        format: duration
                        type: string
                      maximumDuration:
                        description: Integer number of seconds of the maximum
                          duration of an authenticated session. After this period
                          is exceeded, a user must reauthenticate.
                        format: duration
                        type: string
                      optionsPassthrough:
                        description: Do not enforce authentication on HTTP OPTIONS
                          requests. necessary if you are supporting CORS.
                        type: boolean
                      scopes:
                        description: a list of provider-specific OAuth scopes
                          with the permissions your OAuth app would like to ask
                          for. these may not be set if you are using the ngrok-managed
                          oauth app (i.e. you must pass both client_id and client_secret
                          to set scopes)
                        items:
                          type: string
                        type: array
                    type: object
                  github:
                    description: configuration for using github as the identity
                      provider
                    properties:
                      authCheckInterval:
                        description: Duration after which ngrok guarantees it
                          will refresh user state from the identity provider and
                          recheck whether the user is still authorized to access
                          the endpoint. This is the preferred tunable to use to
                          enforce a minimum amount of time after which a revoked
                          user will no longer be able to access the resource.
                        format: duration
                        type: string
                      clientId:
                        description: the OAuth app client ID. retrieve it from
                          the identity provider's dashboard where you created your
                          own OAuth app. optional. if unspecified, ngrok will use
                          its own managed oauth application which has additional
                          restrictions. see the OAuth module docs for more details.
                          if present, clientSecret must be present as well.
                        type: string
                      clientSecret:
                        description: the OAuth app client secret. retrieve if
                          from the identity provider's dashboard where you created
                          your own OAuth app. optional, see all of the caveats
                          in the docs for clientId.
                        properties:
                          key:
                            description: Key in the secret to use
                            type: string
                          name:
                            description: Name of the Kubernetes secret
                            type: string
                        type: object
                      cookiePrefix:
                        description: the prefix of the session cookie that ngrok
                          sets on the http client to cache authentication. default
                          is 'ngrok.'
                        type: string
                      emailAddresses:
                        description: a list of email addresses of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      emailDomains:
                        description: a list of email domains of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      inactivityTimeout:
                        description: Duration of inactivity after which if the
                          user has not accessed the endpoint, their session will
                          time out and they will be forced to reauthenticate.
                        format: duration
                        type: string
                      maximumDuration:
                        description: Integer number of seconds of the maximum
                          duration of an authenticated session. After this period
                          is exceeded, a user must reauthenticate.
                        format: duration
                        type: string
                      optionsPassthrough:
                        description: Do not enforce authentication on HTTP OPTIONS
                          requests. necessary if you are supporting CORS.
                        type: boolean
                      organizations:
                        description: a list of github org identifiers. users who
                          are members of any of the listed organizations will be
                          allowed access. identifiers should be the organization's
                          'slug'
                        items:
                          type: string
                        type: array
                      scopes:
                        description: a list of provider-specific OAuth scopes
                          with the permissions your OAuth app would like to ask
                          for. these may not be set if you are using the ngrok-managed
                          oauth app (i.e. you must pass both client_id and client_secret
                          to set scopes)
                        items:
                          type: string
                        type: array
                      teams:
                        description: a list of github teams identifiers. users
                          will be allowed access to the endpoint if they are a
                          member of any of these teams. identifiers should be in
                          the 'slug' format qualified with the org name, e.g. org-name/team-name
                        items:
                          type: string
                        type: array
                    type: object
                  gitlab:
                    description: configuration for using gitlab as the identity
                      provider
                    properties:
                      authCheckInterval:
                        description: Duration after which ngrok guarantees it
                          will refresh user state from the identity provider and
                          recheck whether the user is still authorized to access
                          the endpoint. This is the preferred tunable to use to
                          enforce a minimum amount of time after which a revoked
                          user will no longer be able to access the resource.
                        format: duration
                        type: string
                      clientId:
                        description: the OAuth app client ID. retrieve it from
                          the identity provider's dashboard where you created your
                          own OAuth app. optional. if unspecified, ngrok will use
                          its own managed oauth application which has additional
                          restrictions. see the OAuth module docs for more details.
                          if present, clientSecret must be present as well.
                        type: string
                      clientSecret:
                        description: the OAuth app client secret. retrieve if
                          from the identity provider's dashboard where you created
                          your own OAuth app. optional, see all of the caveats
                          in the docs for clientId.
                        properties:
                          key:
                            description: Key in the secret to use
                            type: string
                          name:
                            description: Name of the Kubernetes secret
                            type: string
                        type: object
                      cookiePrefix:
                        description: the prefix of the session cookie that ngrok
                          sets on the http client to cache authentication. default
                          is 'ngrok.'
                        type: string
                      emailAddresses:
                        description: a list of email addresses of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      emailDomains:
                        description: a list of email domains of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      inactivityTimeout:
                        description: Duration of inactivity after which if the
                          user has not accessed the endpoint, their session will
                          time out and they will be forced to reauthenticate.
                        format: duration
                        type: string
                      maximumDuration:
                        description: Integer number of seconds of the maximum
                          duration of an authenticated session. After this period
                          is exceeded, a user must reauthenticate.
                        format: duration
                        type: string
                      optionsPassthrough:
                        description: Do not enforce authentication on HTTP OPTIONS
                          requests. necessary if you are supporting CORS.
                        type: boolean
                      scopes:
                        description: a list of provider-specific OAuth scopes
                          with the permissions your OAuth app would like to ask
                          for. these may not be set if you are using the ngrok-managed
                          oauth app (i.e. you must pass both client_id and client_secret
                          to set scopes)
                        items:
                          type: string
                        type: array
                    type: object
                  google:
                    description: configuration for using google as the identity
                      provider
                    properties:
                      authCheckInterval:
                        description: Duration after which ngrok guarantees it
                          will refresh user state from the identity provider and
                          recheck whether the user is still authorized to access
                          the endpoint. This is the preferred tunable to use to
                          enforce a minimum amount of time after which a revoked
                          user will no longer be able to access the resource.
                        format: duration
                        type: string
                      clientId:
                        description: the OAuth app client ID. retrieve it from
                          the identity provider's dashboard where you created your
                          own OAuth app. optional. if unspecified, ngrok will use
                          its own managed oauth application which has additional
                          restrictions. see the OAuth module docs for more details.
                          if present, clientSecret must be present as well.
                        type: string
                      clientSecret:
                        description: the OAuth app client secret. retrieve if
                          from the identity provider's dashboard where you created
                          your own OAuth app. optional, see all of the caveats
                          in the docs for clientId.
                        properties:
                          key:
                            description: Key in the secret to use
                            type: string
                          name:
                            description: Name of the Kubernetes secret
                            type: string
                        type: object
                      cookiePrefix:
                        description: the prefix of the session cookie that ngrok
                          sets on the http client to cache authentication. default
                          is 'ngrok.'
                        type: string
                      emailAddresses:
                        description: a list of email addresses of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      emailDomains:
                        description: a list of email domains of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      inactivityTimeout:
                        description: Duration of inactivity after which if the
                          user has not accessed the endpoint, their session will
                          time out and they will be forced to reauthenticate.
                        format: duration
                        type: string
                      maximumDuration:
                        description: Integer number of seconds of the maximum
                          duration of an authenticated session. After this period
                          is exceeded, a user must reauthenticate.
                        format: duration
                        type: string
                      optionsPassthrough:
                        description: Do not enforce authentication on HTTP OPTIONS
                          requests. necessary if you are supporting CORS.
                        type: boolean
                      scopes:
                        description: a list of provider-specific OAuth scopes
                          with the permissions your OAuth app would like to ask
                          for. these may not be set if you are using the ngrok-managed
                          oauth app (i.e. you must pass both client_id and client_secret
                          to set scopes)
                        items:
                          type: string
                        type: array
                    type: object
                  linkedin:
                    description: configuration for using linkedin as the identity
                      provider
                    properties:
                      authCheckInterval:
                        description: Duration after which ngrok guarantees it
                          will refresh user state from the identity provider and
                          recheck whether the user is still authorized to access
                          the endpoint. This is the preferred tunable to use to
                          enforce a minimum amount of time after which a revoked
                          user will no longer be able to access the resource.
                        format: duration
                        type: string
                      clientId:
                        description: the OAuth app client ID. retrieve it from
                          the identity provider's dashboard where you created your
                          own OAuth app. optional. if unspecified, ngrok will use
                          its own managed oauth application which has additional
                          restrictions. see the OAuth module docs for more details.
                          if present, clientSecret must be present as well.
                        type: string
                      clientSecret:
                        description: the OAuth app client secret. retrieve if
                          from the identity provider's dashboard where you created
                          your own OAuth app. optional, see all of the caveats
                          in the docs for clientId.
                        properties:
                          key:
                            description: Key in the secret to use
                            type: string
                          name:
                            description: Name of the Kubernetes secret
                            type: string
                        type: object
                      cookiePrefix:
                        description: the prefix of the session cookie that ngrok
                          sets on the http client to cache authentication. default
                          is 'ngrok.'
                        type: string
                      emailAddresses:
                        description: a list of email addresses of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      emailDomains:
                        description: a list of email domains of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      inactivityTimeout:
                        description: Duration of inactivity after which if the
                          user has not accessed the endpoint, their session will
                          time out and they will be forced to reauthenticate.
                        format: duration
                        type: string
                      maximumDuration:
                        description: Integer number of seconds of the maximum
                          duration of an authenticated session. After this period
                          is exceeded, a user must reauthenticate.
                        format: duration
                        type: string
                      optionsPassthrough:
                        description: Do not enforce authentication on HTTP OPTIONS
                          requests. necessary if you are supporting CORS.
                        type: boolean
                      scopes:
                        description: a list of provider-specific OAuth scopes
                          with the permissions your OAuth app would like to ask
                          for. these may not be set if you are using the ngrok-managed
                          oauth app (i.e. you must pass both client_id and client_secret
                          to set scopes)
                        items:
                          type: string
                        type: array
                    type: object
                  microsoft:
                    description: configuration for using microsoft as the identity
                      provider
                    properties:
                      authCheckInterval:
                        description: Duration after which ngrok guarantees it
                          will refresh user state from the identity provider and
                          recheck whether the user is still authorized to access
                          the endpoint. This is the preferred tunable to use to
                          enforce a minimum amount of time after which a revoked
                          user will no longer be able to access the resource.
                        format: duration
                        type: string
                      clientId:
                        description: the OAuth app client ID. retrieve it from
                          the identity provider's dashboard where you created your
                          own OAuth app. optional. if unspecified, ngrok will use
                          its own managed oauth application which has additional
                          restrictions. see the OAuth module docs for more details.
                          if present, clientSecret must be present as well.
                        type: string
                      clientSecret:
                        description: the OAuth app client secret. retrieve if
                          from the identity provider's dashboard where you created
                          your own OAuth app. optional, see all of the caveats
                          in the docs for clientId.
                        properties:
                          key:
                            description: Key in the secret to use
                            type: string
                          name:
                            description: Name of the Kubernetes secret
                            type: string
                        type: object
                      cookiePrefix:
                        description: the prefix of the session cookie that ngrok
                          sets on the http client to cache authentication. default
                          is 'ngrok.'
                        type: string
                      emailAddresses:
                        description: a list of email addresses of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      emailDomains:
                        description: a list of email domains of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      inactivityTimeout:
                        description: Duration of inactivity after which if the
                          user has not accessed the endpoint, their session will
                          time out and they will be forced to reauthenticate.
                        format: duration
                        type: string
                      maximumDuration:
                        description: Integer number of seconds of the maximum
                          duration of an authenticated session. After this period
                          is exceeded, a user must reauthenticate.
                        format: duration
                        type: string
                      optionsPassthrough:
                        description: Do not enforce authentication on HTTP OPTIONS
                          requests. necessary if you are supporting CORS.
                        type: boolean
                      scopes:
                        description: a list of provider-specific OAuth scopes
                          with the permissions your OAuth app would like to ask
                          for. these may not be set if you are using the ngrok-managed
                          oauth app (i.e. you must pass both client_id and client_secret
                          to set scopes)
                        items:
                          type: string
                        type: array
                    type: object
                  twitch:
                    description: configuration for using twitch as the identity
                      provider
                    properties:
                      authCheckInterval:
                        description: Duration after which ngrok guarantees it
                          will refresh user state from the identity provider and
                          recheck whether the user is still authorized to access
                          the endpoint. This is the preferred tunable to use to
                          enforce a minimum amount of time after which a revoked
                          user will no longer be able to access the resource.
                        format: duration
                        type: string
                      clientId:
                        description: the OAuth app client ID. retrieve it from
                          the identity provider's dashboard where you created your
                          own OAuth app. optional. if unspecified, ngrok will use
                          its own managed oauth application which has additional
                          restrictions. see the OAuth module docs for more details.
                          if present, clientSecret must be present as well.
                        type: string
                      clientSecret:
                        description: the OAuth app client secret. retrieve if
                          from the identity provider's dashboard where you created
                          your own OAuth app. optional, see all of the caveats
                          in the docs for clientId.
                        properties:
                          key:
                            description: Key in the secret to use
                            type: string
                          name:
                            description: Name of the Kubernetes secret
                            type: string
                        type: object
                      cookiePrefix:
                        description: the prefix of the session cookie that ngrok
                          sets on the http client to cache authentication. default
                          is 'ngrok.'
                        type: string
                      emailAddresses:
                        description: a list of email addresses of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      emailDomains:
                        description: a list of email domains of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      inactivityTimeout:
                        description: Duration of inactivity after which if the
                          user has not accessed the endpoint, their session will
                          time out and they will be forced to reauthenticate.
                        format: duration
                        type: string
                      maximumDuration:
                        description: Integer number of seconds of the maximum
                          duration of an authenticated session. After this period
                          is exceeded, a user must reauthenticate.
                        format: duration
                        type: string
                      optionsPassthrough:
                        description: Do not enforce authentication on HTTP OPTIONS
                          requests. necessary if you are supporting CORS.
                        type: boolean
                      scopes:
                        description: a list of provider-specific OAuth scopes
                          with the permissions your OAuth app would like to ask
                          for. these may not be set if you are using the ngrok-managed
                          oauth app (i.e. you must pass both client_id and client_secret
                          to set scopes)
                        items:
                          type: string
                        type: array
                    type: object
                type: object
              oidc:
                description: OIDC configuration for this module set
                properties:
                  clientId:
                    description: The OIDC app's client ID and OIDC audience.
                    type: string
                  clientSecret:
                    description: The OIDC app's client secret.
                    properties:
                      key:
                        description: Key in the secret to use
                        type: string
                      name:
                        description: Name of the Kubernetes secret
                        type: string
                    type: object
                  cookiePrefix:
                    description: the prefix of the session cookie that ngrok sets
                      on the http client to cache authentication. default is 'ngrok.'
                    type: string
                  inactivityTimeout:
                    description: Duration of inactivity after which if the user
                      has not accessed the endpoint, their session will time out
                      and they will be forced to reauthenticate.
                    format: duration
                    type: string
                  issuer:
                    description: URL of the OIDC "OpenID provider". This is the
                      base URL used for discovery.
                    type: string
                  maximumDuration:
                    description: The maximum duration of an authenticated session.
                      After this period is exceeded, a user must reauthenticate.
                    format: duration
                    type: string
                  optionsPassthrough:
                    description: Do not enforce authentication on HTTP OPTIONS
                      requests. necessary if you are supporting CORS.
                    type: boolean
                  scopes:
                    description: The set of scopes to request from the OIDC identity
                      provider.
                    items:
                      type: string
                    type: array
                type: object
              saml:
                description: SAML configuration for this module set
                properties:
                  allowIdpInitiated:
                    description: If true, the IdP may initiate a login directly
                      (e.g. the user does not need to visit the endpoint first
                      and then be redirected). The IdP should set the RelayState
                      parameter to the target URL of the resource they want the
                      user to be redirected to after the SAML login assertion
                      has been processed.
                    type: boolean
                  authorizedGroups:
                    description: If present, only users who are a member of one
                      of the listed groups may access the target endpoint.
                    items:
                      type: string
                    type: array
                  cookiePrefix:
                    description: the prefix of the session cookie that ngrok sets
                      on the http client to cache authentication. default is 'ngrok.'
                    type: string
                  forceAuthn:
                    description: If true, indicates that whenever we redirect
                      a user to the IdP for authentication that the IdP must prompt
                      the user for authentication credentials even if the user
                      already has a valid session with the IdP.
                    type: boolean
                  idpMetadata:
                    description: The full XML IdP EntityDescriptor. Your IdP may
                      provide this to you as a a file to download or as a URL.
                    type: string
                  inactivityTimeout:
                    description: Duration of inactivity after which if the user
                      has not accessed the endpoint, their session will time out
                      and they will be forced to reauthenticate.
                    format: duration
                    type: string
                  maximumDuration:
                    description: The maximum duration of an authenticated session.
                      After this period is exceeded, a user must reauthenticate.
                    format: duration
                    type: string
                  nameidFormat:
                    description: Defines the name identifier format the SP expects
                      the IdP to use in its assertions to identify subjects. If
                      unspecified, a default value of urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
                      will be used. A subset of the allowed values enumerated
                      by the SAML specification are supported.
                    type: string
                  optionsPassthrough:
                    description: Do not enforce authentication on HTTP OPTIONS
                      requests. necessary if you are supporting CORS.
                    type: boolean
                type: object
              tlsTermination:
                description: TLSTermination configuration for this module set
                properties:
                  minVersion:
                    description: MinVersion is the minimum TLS version to allow
                      for connections to the edge
                    type: string
                type: object
              webhookVerification:
                description: WebhookVerification configuration for this module
                  set
                properties:
                  provider:
                    description: a string indicating which webhook provider will
                      be sending webhooks to this endpoint. Value must be one
                      of the supported providers defined at https://ngrok.com/docs/http/webhook-verification/#supported-providers
                    type: string
                  secret:
                    description: SecretRef is a reference to a secret containing
                      the secret used to validate requests from the given provider.
                      All providers except AWS SNS require a secret
                    properties:
                      key:
                        description: Key in the secret to use
                        type: string
                      name:
                        description: Name of the Kubernetes secret
                        type: string
                    type: object
                type: object
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}