---
# CustomResourceDefinition for the namespaced HTTPSEdge resource
# (group ingress.k8s.ngrok.com, version v1alpha1).
# The controller-gen annotation below indicates a generated manifest.
# NOTE(review): presumably regenerated from the Go API types, so wording fixes
# to the description strings belong in that source, not here - confirm.
# The schema below is mostly type-level: apart from the route's `required`
# list, `numBuckets` bounds and the `matchType` enum, constraints stated in
# the description strings are not enforced by this schema.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  name: httpsedges.ingress.k8s.ngrok.com
spec:
  group: ingress.k8s.ngrok.com
  names:
    kind: HTTPSEdge
    listKind: HTTPSEdgeList
    plural: httpsedges
    singular: httpsedge
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: HTTPSEdge is the Schema for the httpsedges API
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: HTTPSEdgeSpec defines the desired state of HTTPSEdge
            properties:
              description:
                default: Created by kubernetes-ingress-controller
                description: Description is a human-readable description of the object
                  in the ngrok API/Dashboard
                type: string
              hostports:
                description: Hostports is a list of hostports served by this edge
                items:
                  type: string
                type: array
              metadata:
                default: '{"owned-by":"kubernetes-ingress-controller"}'
                description: Metadata is a string of arbitrary data associated with
                  the object in the ngrok API/Dashboard
                type: string
              # Client-certificate validation for the edge. The list is neither
              # required nor given a minItems bound, so an empty `mutualTLS: {}`
              # passes schema validation.
              # NOTE(review): how an empty CA list is treated is not visible here.
              mutualTLS:
                properties:
                  certificateAuthorities:
                    description: |-
                      List of CA IDs that will be used to validate incoming connections to the
                      edge.
                    items:
                      type: string
                    type: array
                type: object
              routes:
                description: Routes is a list of routes served by this edge
                items:
                  properties:
                    backend:
                      description: |-
                        Backend is the definition for the tunnel group backend
                        that serves traffic for this edge
                      properties:
                        description:
                          default: Created by kubernetes-ingress-controller
                          description: Description is a human-readable description
                            of the object in the ngrok API/Dashboard
                          type: string
                        labels:
                          additionalProperties:
                            type: string
                          description: Labels to watch for tunnels on this backend
                          type: object
                        metadata:
                          default: '{"owned-by":"kubernetes-ingress-controller"}'
                          description: Metadata is a string of arbitrary data associated
                            with the object in the ngrok API/Dashboard
                          type: string
                      type: object
                    circuitBreaker:
                      description: CircuitBreaker is a circuit breaker configuration
                        to apply to this route
                      properties:
                        # int-or-string value. The pattern accepts a general
                        # quantity (sign, decimals, suffixes such as Ki/M,
                        # exponent notation); it does not restrict the value to
                        # the 0 - 1.0 range named in the description.
                        errorThresholdPercentage:
                          anyOf:
                          - type: integer
                          - type: string
                          description: Error threshold percentage should be between
                            0 - 1.0, not 0-100.0
                          pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                          x-kubernetes-int-or-string: true
                        numBuckets:
                          description: Integer number of buckets into which metrics
                            are retained. Max 128.
                          format: int32
                          maximum: 128
                          minimum: 1
                          type: integer
                        rollingWindow:
                          description: Statistical rolling window duration that metrics
                            are retained for.
                          format: duration
                          type: string
                        trippedDuration:
                          description: Duration after which the circuit is tripped
                            to wait before re-evaluating upstream health
                          format: duration
                          type: string
                        volumeThreshold:
                          description: |-
                            Integer number of requests in a rolling window that will trip the circuit.
                            Helpful if traffic volume is low.
                          format: int32
                          type: integer
                      type: object
                    compression:
                      description: Compression is whether or not to enable compression
                        for this route
                      properties:
                        enabled:
                          description: Enabled is whether or not to enable compression
                            for this endpoint
                          type: boolean
                      type: object
                    description:
                      default: Created by kubernetes-ingress-controller
                      description: Description is a human-readable description of
                        the object in the ngrok API/Dashboard
                      type: string
                    headers:
                      description: Headers are request/response headers to apply to
                        this route
                      properties:
                        request:
                          description: Request headers are the request headers module
                            configuration or null
                          properties:
                            add:
                              additionalProperties:
                                type: string
                              description: |-
                                a map of header key to header value that will be injected into the HTTP Request
                                before being sent to the upstream application server
                              type: object
                            remove:
                              description: |-
                                a list of header names that will be removed from the HTTP Request before being
                                sent to the upstream application server
                              items:
                                type: string
                              type: array
                          type: object
                        response:
                          description: Response headers are the response headers module
                            configuration or null
                          properties:
                            add:
                              additionalProperties:
                                type: string
                              description: |-
                                a map of header key to header value that will be injected into the HTTP Response
                                returned to the HTTP client
                              type: object
                            remove:
                              description: |-
                                a list of header names that will be removed from the HTTP Response returned to
                                the HTTP client
                              items:
                                type: string
                              type: array
                          type: object
                      type: object
                    # `policies` carries no description and is a plain string list.
                    # NOTE(review): presumably ngrok IP policy identifiers - confirm.
                    ipRestriction:
                      description: IPRestriction is an IPRestriction to apply to this
                        route
                      properties:
                        policies:
                          items:
                            type: string
                          type: array
                      type: object
                    match:
                      description: Match is the value to match against the request
                        path
                      type: string
                    matchType:
                      description: 'MatchType is the type of match to use for this
                        route. Valid values are:'
                      enum:
                      - exact_path
                      - path_prefix
                      type: string
                    metadata:
                      default: '{"owned-by":"kubernetes-ingress-controller"}'
                      description: Metadata is a string of arbitrary data associated
                        with the object in the ngrok API/Dashboard
                      type: string
                    # One sub-object per identity provider. amazon, facebook,
                    # gitlab, google, linkedin, microsoft and twitch share the same
                    # field set; github adds `organizations` and `teams`. The
                    # comments on the amazon block apply to every provider.
                    # Nothing here limits a route to a single provider.
                    # NOTE(review): behaviour with several set is not visible here.
                    oauth:
                      description: OAuth configuration to apply to this route
                      properties:
                        amazon:
                          description: configuration for using amazon as the identity
                            provider
                          properties:
                            authCheckInterval:
                              description: |-
                                Duration after which ngrok guarantees it will refresh user
                                state from the identity provider and recheck whether the user is still
                                authorized to access the endpoint. This is the preferred tunable to use to
                                enforce a minimum amount of time after which a revoked user will no longer be
                                able to access the resource.
                              format: duration
                              type: string
                            # The description says clientSecret must accompany
                            # clientId; the schema does not express that pairing,
                            # so any enforcement happens outside this file.
                            clientId:
                              description: |-
                                the OAuth app client ID. retrieve it from the identity provider's dashboard
                                where you created your own OAuth app. optional. if unspecified, ngrok will use
                                its own managed oauth application which has additional restrictions. see the
                                OAuth module docs for more details. if present, clientSecret must be present as
                                well.
                              type: string
                            # A reference (Secret name + key), not an inline secret
                            # value. Neither `name` nor `key` is marked required.
                            # NOTE(review): there is no namespace field, so the
                            # Secret is presumably looked up in the HTTPSEdge's own
                            # namespace - confirm against the controller.
                            # The description text reads "retrieve if from" (sic).
                            clientSecret:
                              description: |-
                                the OAuth app client secret. retrieve if from the identity provider's dashboard
                                where you created your own OAuth app. optional, see all of the caveats in the
                                docs for clientId.
                              properties:
                                key:
                                  description: Key in the secret to use
                                  type: string
                                name:
                                  description: Name of the Kubernetes secret
                                  type: string
                              type: object
                            cookiePrefix:
                              description: |-
                                the prefix of the session cookie that ngrok sets on the http client to cache
                                authentication. default is 'ngrok.'
                              type: string
                            # emailAddresses / emailDomains are the per-user
                            # authorization allow-lists; both are optional.
                            # NOTE(review): what is allowed when both are empty is
                            # not visible in this schema - confirm before relying
                            # on a provider block as an access control.
                            emailAddresses:
                              description: |-
                                a list of email addresses of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            emailDomains:
                              description: |-
                                a list of email domains of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            inactivityTimeout:
                              description: |-
                                Duration of inactivity after which if the user has not accessed
                                the endpoint, their session will time out and they will be forced to
                                reauthenticate.
                              format: duration
                              type: string
                            # The description speaks of an integer number of
                            # seconds, but the schema type is a duration string.
                            maximumDuration:
                              description: |-
                                Integer number of seconds of the maximum duration of an authenticated session.
                                After this period is exceeded, a user must reauthenticate.
                              format: duration
                              type: string
                            # When true, OPTIONS requests are not authenticated
                            # (per the description).
                            # NOTE(review): leave unset unless the route really
                            # serves CORS preflight, and check that the upstream
                            # does nothing sensitive on OPTIONS.
                            optionsPassthrough:
                              description: |-
                                Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                                supporting CORS.
                              type: boolean
                            scopes:
                              description: |-
                                a list of provider-specific OAuth scopes with the permissions your OAuth app
                                would like to ask for. these may not be set if you are using the ngrok-managed
                                oauth app (i.e. you must pass both client_id and client_secret to set scopes)
                              items:
                                type: string
                              type: array
                          type: object
                        facebook:
                          description: configuration for using facebook as the identity
                            provider
                          properties:
                            authCheckInterval:
                              description: |-
                                Duration after which ngrok guarantees it will refresh user
                                state from the identity provider and recheck whether the user is still
                                authorized to access the endpoint. This is the preferred tunable to use to
                                enforce a minimum amount of time after which a revoked user will no longer be
                                able to access the resource.
                              format: duration
                              type: string
                            clientId:
                              description: |-
                                the OAuth app client ID. retrieve it from the identity provider's dashboard
                                where you created your own OAuth app. optional. if unspecified, ngrok will use
                                its own managed oauth application which has additional restrictions. see the
                                OAuth module docs for more details. if present, clientSecret must be present as
                                well.
                              type: string
                            clientSecret:
                              description: |-
                                the OAuth app client secret. retrieve if from the identity provider's dashboard
                                where you created your own OAuth app. optional, see all of the caveats in the
                                docs for clientId.
                              properties:
                                key:
                                  description: Key in the secret to use
                                  type: string
                                name:
                                  description: Name of the Kubernetes secret
                                  type: string
                              type: object
                            cookiePrefix:
                              description: |-
                                the prefix of the session cookie that ngrok sets on the http client to cache
                                authentication. default is 'ngrok.'
                              type: string
                            emailAddresses:
                              description: |-
                                a list of email addresses of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            emailDomains:
                              description: |-
                                a list of email domains of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            inactivityTimeout:
                              description: |-
                                Duration of inactivity after which if the user has not accessed
                                the endpoint, their session will time out and they will be forced to
                                reauthenticate.
                              format: duration
                              type: string
                            maximumDuration:
                              description: |-
                                Integer number of seconds of the maximum duration of an authenticated session.
                                After this period is exceeded, a user must reauthenticate.
                              format: duration
                              type: string
                            optionsPassthrough:
                              description: |-
                                Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                                supporting CORS.
                              type: boolean
                            scopes:
                              description: |-
                                a list of provider-specific OAuth scopes with the permissions your OAuth app
                                would like to ask for. these may not be set if you are using the ngrok-managed
                                oauth app (i.e. you must pass both client_id and client_secret to set scopes)
                              items:
                                type: string
                              type: array
                          type: object
                        github:
                          description: configuration for using github as the identity
                            provider
                          properties:
                            authCheckInterval:
                              description: |-
                                Duration after which ngrok guarantees it will refresh user
                                state from the identity provider and recheck whether the user is still
                                authorized to access the endpoint. This is the preferred tunable to use to
                                enforce a minimum amount of time after which a revoked user will no longer be
                                able to access the resource.
                              format: duration
                              type: string
                            clientId:
                              description: |-
                                the OAuth app client ID. retrieve it from the identity provider's dashboard
                                where you created your own OAuth app. optional. if unspecified, ngrok will use
                                its own managed oauth application which has additional restrictions. see the
                                OAuth module docs for more details. if present, clientSecret must be present as
                                well.
                              type: string
                            clientSecret:
                              description: |-
                                the OAuth app client secret. retrieve if from the identity provider's dashboard
                                where you created your own OAuth app. optional, see all of the caveats in the
                                docs for clientId.
                              properties:
                                key:
                                  description: Key in the secret to use
                                  type: string
                                name:
                                  description: Name of the Kubernetes secret
                                  type: string
                              type: object
                            cookiePrefix:
                              description: |-
                                the prefix of the session cookie that ngrok sets on the http client to cache
                                authentication. default is 'ngrok.'
                              type: string
                            emailAddresses:
                              description: |-
                                a list of email addresses of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            emailDomains:
                              description: |-
                                a list of email domains of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            inactivityTimeout:
                              description: |-
                                Duration of inactivity after which if the user has not accessed
                                the endpoint, their session will time out and they will be forced to
                                reauthenticate.
                              format: duration
                              type: string
                            maximumDuration:
                              description: |-
                                Integer number of seconds of the maximum duration of an authenticated session.
                                After this period is exceeded, a user must reauthenticate.
                              format: duration
                              type: string
                            optionsPassthrough:
                              description: |-
                                Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                                supporting CORS.
                              type: boolean
                            # github-only allow-list by organization slug; plain
                            # strings with no pattern in this schema.
                            organizations:
                              description: |-
                                a list of github org identifiers. users who are members of any of the listed
                                organizations will be allowed access. identifiers should be the organization's
                                'slug'
                              items:
                                type: string
                              type: array
                            scopes:
                              description: |-
                                a list of provider-specific OAuth scopes with the permissions your OAuth app
                                would like to ask for. these may not be set if you are using the ngrok-managed
                                oauth app (i.e. you must pass both client_id and client_secret to set scopes)
                              items:
                                type: string
                              type: array
                            # github-only allow-list by team; the org-name/team-name
                            # form named in the description is not enforced by a
                            # pattern here.
                            teams:
                              description: |-
                                a list of github teams identifiers. users will be allowed access to the endpoint
                                if they are a member of any of these teams. identifiers should be in the 'slug'
                                format qualified with the org name, e.g. org-name/team-name
                              items:
                                type: string
                              type: array
                          type: object
                        gitlab:
                          description: configuration for using gitlab as the identity
                            provider
                          properties:
                            authCheckInterval:
                              description: |-
                                Duration after which ngrok guarantees it will refresh user
                                state from the identity provider and recheck whether the user is still
                                authorized to access the endpoint. This is the preferred tunable to use to
                                enforce a minimum amount of time after which a revoked user will no longer be
                                able to access the resource.
                              format: duration
                              type: string
                            clientId:
                              description: |-
                                the OAuth app client ID. retrieve it from the identity provider's dashboard
                                where you created your own OAuth app. optional. if unspecified, ngrok will use
                                its own managed oauth application which has additional restrictions. see the
                                OAuth module docs for more details. if present, clientSecret must be present as
                                well.
                              type: string
                            clientSecret:
                              description: |-
                                the OAuth app client secret. retrieve if from the identity provider's dashboard
                                where you created your own OAuth app. optional, see all of the caveats in the
                                docs for clientId.
                              properties:
                                key:
                                  description: Key in the secret to use
                                  type: string
                                name:
                                  description: Name of the Kubernetes secret
                                  type: string
                              type: object
                            cookiePrefix:
                              description: |-
                                the prefix of the session cookie that ngrok sets on the http client to cache
                                authentication. default is 'ngrok.'
                              type: string
                            emailAddresses:
                              description: |-
                                a list of email addresses of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            emailDomains:
                              description: |-
                                a list of email domains of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            inactivityTimeout:
                              description: |-
                                Duration of inactivity after which if the user has not accessed
                                the endpoint, their session will time out and they will be forced to
                                reauthenticate.
                              format: duration
                              type: string
                            maximumDuration:
                              description: |-
                                Integer number of seconds of the maximum duration of an authenticated session.
                                After this period is exceeded, a user must reauthenticate.
                              format: duration
                              type: string
                            optionsPassthrough:
                              description: |-
                                Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                                supporting CORS.
                              type: boolean
                            scopes:
                              description: |-
                                a list of provider-specific OAuth scopes with the permissions your OAuth app
                                would like to ask for. these may not be set if you are using the ngrok-managed
                                oauth app (i.e. you must pass both client_id and client_secret to set scopes)
                              items:
                                type: string
                              type: array
                          type: object
                        google:
                          description: configuration for using google as the identity
                            provider
                          properties:
                            authCheckInterval:
                              description: |-
                                Duration after which ngrok guarantees it will refresh user
                                state from the identity provider and recheck whether the user is still
                                authorized to access the endpoint. This is the preferred tunable to use to
                                enforce a minimum amount of time after which a revoked user will no longer be
                                able to access the resource.
                              format: duration
                              type: string
                            clientId:
                              description: |-
                                the OAuth app client ID. retrieve it from the identity provider's dashboard
                                where you created your own OAuth app. optional. if unspecified, ngrok will use
                                its own managed oauth application which has additional restrictions. see the
                                OAuth module docs for more details. if present, clientSecret must be present as
                                well.
                              type: string
                            clientSecret:
                              description: |-
                                the OAuth app client secret. retrieve if from the identity provider's dashboard
                                where you created your own OAuth app. optional, see all of the caveats in the
                                docs for clientId.
                              properties:
                                key:
                                  description: Key in the secret to use
                                  type: string
                                name:
                                  description: Name of the Kubernetes secret
                                  type: string
                              type: object
                            cookiePrefix:
                              description: |-
                                the prefix of the session cookie that ngrok sets on the http client to cache
                                authentication. default is 'ngrok.'
                              type: string
                            emailAddresses:
                              description: |-
                                a list of email addresses of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            emailDomains:
                              description: |-
                                a list of email domains of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            inactivityTimeout:
                              description: |-
                                Duration of inactivity after which if the user has not accessed
                                the endpoint, their session will time out and they will be forced to
                                reauthenticate.
                              format: duration
                              type: string
                            maximumDuration:
                              description: |-
                                Integer number of seconds of the maximum duration of an authenticated session.
                                After this period is exceeded, a user must reauthenticate.
                              format: duration
                              type: string
                            optionsPassthrough:
                              description: |-
                                Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                                supporting CORS.
                              type: boolean
                            scopes:
                              description: |-
                                a list of provider-specific OAuth scopes with the permissions your OAuth app
                                would like to ask for. these may not be set if you are using the ngrok-managed
                                oauth app (i.e. you must pass both client_id and client_secret to set scopes)
                              items:
                                type: string
                              type: array
                          type: object
                        linkedin:
                          description: configuration for using linkedin as the identity
                            provider
                          properties:
                            authCheckInterval:
                              description: |-
                                Duration after which ngrok guarantees it will refresh user
                                state from the identity provider and recheck whether the user is still
                                authorized to access the endpoint. This is the preferred tunable to use to
                                enforce a minimum amount of time after which a revoked user will no longer be
                                able to access the resource.
                              format: duration
                              type: string
                            clientId:
                              description: |-
                                the OAuth app client ID. retrieve it from the identity provider's dashboard
                                where you created your own OAuth app. optional. if unspecified, ngrok will use
                                its own managed oauth application which has additional restrictions. see the
                                OAuth module docs for more details. if present, clientSecret must be present as
                                well.
                              type: string
                            clientSecret:
                              description: |-
                                the OAuth app client secret. retrieve if from the identity provider's dashboard
                                where you created your own OAuth app. optional, see all of the caveats in the
                                docs for clientId.
                              properties:
                                key:
                                  description: Key in the secret to use
                                  type: string
                                name:
                                  description: Name of the Kubernetes secret
                                  type: string
                              type: object
                            cookiePrefix:
                              description: |-
                                the prefix of the session cookie that ngrok sets on the http client to cache
                                authentication. default is 'ngrok.'
                              type: string
                            emailAddresses:
                              description: |-
                                a list of email addresses of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            emailDomains:
                              description: |-
                                a list of email domains of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            inactivityTimeout:
                              description: |-
                                Duration of inactivity after which if the user has not accessed
                                the endpoint, their session will time out and they will be forced to
                                reauthenticate.
                              format: duration
                              type: string
                            maximumDuration:
                              description: |-
                                Integer number of seconds of the maximum duration of an authenticated session.
                                After this period is exceeded, a user must reauthenticate.
                              format: duration
                              type: string
                            optionsPassthrough:
                              description: |-
                                Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                                supporting CORS.
                              type: boolean
                            scopes:
                              description: |-
                                a list of provider-specific OAuth scopes with the permissions your OAuth app
                                would like to ask for. these may not be set if you are using the ngrok-managed
                                oauth app (i.e. you must pass both client_id and client_secret to set scopes)
                              items:
                                type: string
                              type: array
                          type: object
                        microsoft:
                          description: configuration for using microsoft as the identity
                            provider
                          properties:
                            authCheckInterval:
                              description: |-
                                Duration after which ngrok guarantees it will refresh user
                                state from the identity provider and recheck whether the user is still
                                authorized to access the endpoint. This is the preferred tunable to use to
                                enforce a minimum amount of time after which a revoked user will no longer be
                                able to access the resource.
                              format: duration
                              type: string
                            clientId:
                              description: |-
                                the OAuth app client ID. retrieve it from the identity provider's dashboard
                                where you created your own OAuth app. optional. if unspecified, ngrok will use
                                its own managed oauth application which has additional restrictions. see the
                                OAuth module docs for more details. if present, clientSecret must be present as
                                well.
                              type: string
                            clientSecret:
                              description: |-
                                the OAuth app client secret. retrieve if from the identity provider's dashboard
                                where you created your own OAuth app. optional, see all of the caveats in the
                                docs for clientId.
                              properties:
                                key:
                                  description: Key in the secret to use
                                  type: string
                                name:
                                  description: Name of the Kubernetes secret
                                  type: string
                              type: object
                            cookiePrefix:
                              description: |-
                                the prefix of the session cookie that ngrok sets on the http client to cache
                                authentication. default is 'ngrok.'
                              type: string
                            emailAddresses:
                              description: |-
                                a list of email addresses of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            emailDomains:
                              description: |-
                                a list of email domains of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            inactivityTimeout:
                              description: |-
                                Duration of inactivity after which if the user has not accessed
                                the endpoint, their session will time out and they will be forced to
                                reauthenticate.
                              format: duration
                              type: string
                            maximumDuration:
                              description: |-
                                Integer number of seconds of the maximum duration of an authenticated session.
                                After this period is exceeded, a user must reauthenticate.
                              format: duration
                              type: string
                            optionsPassthrough:
                              description: |-
                                Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                                supporting CORS.
                              type: boolean
                            scopes:
                              description: |-
                                a list of provider-specific OAuth scopes with the permissions your OAuth app
                                would like to ask for. these may not be set if you are using the ngrok-managed
                                oauth app (i.e. you must pass both client_id and client_secret to set scopes)
                              items:
                                type: string
                              type: array
                          type: object
                        twitch:
                          description: configuration for using twitch as the identity
                            provider
                          properties:
                            authCheckInterval:
                              description: |-
                                Duration after which ngrok guarantees it will refresh user
                                state from the identity provider and recheck whether the user is still
                                authorized to access the endpoint. This is the preferred tunable to use to
                                enforce a minimum amount of time after which a revoked user will no longer be
                                able to access the resource.
                              format: duration
                              type: string
                            clientId:
                              description: |-
                                the OAuth app client ID. retrieve it from the identity provider's dashboard
                                where you created your own OAuth app. optional. if unspecified, ngrok will use
                                its own managed oauth application which has additional restrictions. see the
                                OAuth module docs for more details. if present, clientSecret must be present as
                                well.
                              type: string
                            clientSecret:
                              description: |-
                                the OAuth app client secret. retrieve if from the identity provider's dashboard
                                where you created your own OAuth app. optional, see all of the caveats in the
                                docs for clientId.
                              properties:
                                key:
                                  description: Key in the secret to use
                                  type: string
                                name:
                                  description: Name of the Kubernetes secret
                                  type: string
                              type: object
                            cookiePrefix:
                              description: |-
                                the prefix of the session cookie that ngrok sets on the http client to cache
                                authentication. default is 'ngrok.'
                              type: string
                            emailAddresses:
                              description: |-
                                a list of email addresses of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            emailDomains:
                              description: |-
                                a list of email domains of users authenticated by identity provider who are
                                allowed access to the endpoint
                              items:
                                type: string
                              type: array
                            inactivityTimeout:
                              description: |-
                                Duration of inactivity after which if the user has not accessed
                                the endpoint, their session will time out and they will be forced to
                                reauthenticate.
                              format: duration
                              type: string
                            maximumDuration:
                              description: |-
                                Integer number of seconds of the maximum duration of an authenticated session.
                                After this period is exceeded, a user must reauthenticate.
                              format: duration
                              type: string
                            optionsPassthrough:
                              description: |-
                                Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                                supporting CORS.
                              type: boolean
                            scopes:
                              description: |-
                                a list of provider-specific OAuth scopes with the permissions your OAuth app
                                would like to ask for. these may not be set if you are using the ngrok-managed
                                oauth app (i.e. you must pass both client_id and client_secret to set scopes)
                              items:
                                type: string
                              type: array
                          type: object
                      type: object
                    # OpenID Connect settings. None of clientId, clientSecret or
                    # issuer is marked required, so an empty `oidc: {}` passes
                    # schema validation; completeness must be checked elsewhere.
                    oidc:
                      description: OIDC is the OpenID Connect configuration to apply
                        to this route
                      properties:
                        clientId:
                          description: The OIDC app's client ID and OIDC audience.
                          type: string
                        # Reference to a Kubernetes Secret (name + key), not an
                        # inline value; neither sub-field is marked required.
                        clientSecret:
                          description: The OIDC app's client secret.
                          properties:
                            key:
                              description: Key in the secret to use
                              type: string
                            name:
                              description: Name of the Kubernetes secret
                              type: string
                          type: object
                        cookiePrefix:
                          description: |-
                            the prefix of the session cookie that ngrok sets on the http client to cache
                            authentication. default is 'ngrok.'
                          type: string
                        inactivityTimeout:
                          description: |-
                            Duration of inactivity after which if the user has not accessed
                            the endpoint, their session will time out and they will be forced to
                            reauthenticate.
                          format: duration
                          type: string
                        # Plain string: no `format: uri` or pattern, so the schema
                        # accepts any scheme, including non-https.
                        # NOTE(review): confirm the issuer URL is validated
                        # downstream, since discovery starts from it.
                        issuer:
                          description: URL of the OIDC "OpenID provider". This is
                            the base URL used for discovery.
                          type: string
                        maximumDuration:
                          description: |-
                            The maximum duration of an authenticated session.
                            After this period is exceeded, a user must reauthenticate.
                          format: duration
                          type: string
                        # When true, OPTIONS requests are not authenticated (per
                        # the description); enable only for real CORS preflight.
                        optionsPassthrough:
                          description: |-
                            Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                            supporting CORS.
                          type: boolean
                        scopes:
                          description: The set of scopes to request from the OIDC
                            identity provider.
                          items:
                            type: string
                          type: array
                      type: object
                    # Typed as an object although the description calls it a raw
                    # JSON string. x-kubernetes-preserve-unknown-fields keeps
                    # arbitrary nested keys and exempts them from structural
                    # validation and pruning by the API server, so whatever
                    # consumes this field has to validate its content.
                    policy:
                      description: raw json policy string that was applied to the
                        ngrok API
                      type: object
                      x-kubernetes-preserve-unknown-fields: true
                    saml:
                      description: SAML is the SAML configuration to apply to this
                        route
                      properties:
                        # NOTE(review): IdP-initiated login means assertions are
                        # accepted without a preceding request from this endpoint;
                        # keep false unless the IdP workflow needs it.
                        allowIdpInitiated:
                          description: |-
                            If true, the IdP may initiate a login directly (e.g. the user does not need to
                            visit the endpoint first and then be redirected). The IdP should set the
                            RelayState parameter to the target URL of the resource they want the user to be
                            redirected to after the SAML login assertion has been processed.
                          type: boolean
                        # Optional group allow-list.
                        # NOTE(review): access when this is absent is not visible
                        # in this schema - confirm.
                        authorizedGroups:
                          description: |-
                            If present, only users who are a member of one of the listed groups may access
                            the target endpoint.
                          items:
                            type: string
                          type: array
                        cookiePrefix:
                          description: |-
                            the prefix of the session cookie that ngrok sets on the http client to cache
                            authentication. default is 'ngrok.'
                          type: string
                        forceAuthn:
                          description: |-
                            If true, indicates that whenever we redirect a user to the IdP for
                            authentication that the IdP must prompt the user for authentication credentials
                            even if the user already has a valid session with the IdP.
                          type: boolean
                        # Inline XML held as a plain string; not marked required.
                        # The description text contains a duplicated word
                        # ("a a file").
                        idpMetadata:
                          description: |-
                            The full XML IdP EntityDescriptor. Your IdP may provide this to you as a a file
                            to download or as a URL.
                          type: string
                        inactivityTimeout:
                          description: |-
                            Duration of inactivity after which if the user has not accessed
                            the endpoint, their session will time out and they will be forced to
                            reauthenticate.
                          format: duration
                          type: string
                        maximumDuration:
                          description: |-
                            The maximum duration of an authenticated session.
                            After this period is exceeded, a user must reauthenticate.
                          format: duration
                          type: string
                        # Free-form string; the "subset of allowed values" named
                        # in the description is not listed as an enum here.
                        nameidFormat:
                          description: |-
                            Defines the name identifier format the SP expects the IdP to use in its
                            assertions to identify subjects. If unspecified, a default value of
                            urn:oasis:names:tc:SAML:2.0:nameid-format:persistent will be used. A subset of
                            the allowed values enumerated by the SAML specification are supported.
                          type: string
                        # When true, OPTIONS requests are not authenticated (per
                        # the description); enable only for real CORS preflight.
                        optionsPassthrough:
                          description: |-
                            Do not enforce authentication on HTTP OPTIONS requests. necessary if you are
                            supporting CORS.
                          type: boolean
                      type: object
                    webhookVerification:
                      description: WebhookVerification is webhook verification configuration
                        to apply to this route
                      properties:
                        # Free-form string; the supported-provider list is
                        # referenced by URL rather than encoded as an enum.
                        provider:
                          description: |-
                            a string indicating which webhook provider will be sending webhooks to this
                            endpoint. Value must be one of the supported providers defined at
                            https://ngrok.com/docs/http/webhook-verification/#supported-providers
                          type: string
                        # Secret reference (name + key). The description says most
                        # providers require it, but neither `secret` nor its
                        # sub-fields are marked required in this schema.
                        secret:
                          description: |-
                            SecretRef is a reference to a secret containing the secret used to validate
                            requests from the given provider. All providers except AWS SNS require a secret
                          properties:
                            key:
                              description: Key in the secret to use
                              type: string
                            name:
                              description: Name of the Kubernetes secret
                              type: string
                          type: object
                      type: object
                  # The only fields a route must set; every module above,
                  # including the authentication modules, is optional.
                  required:
                  - match
                  - matchType
                  type: object
                type: array
              tlsTermination:
                description: TLSTermination is the TLS termination configuration for
                  this edge
                properties:
                  # Free-form string with no enum or pattern in this schema.
                  # NOTE(review): confirm that deprecated TLS versions are
                  # rejected downstream, since nothing here excludes them.
                  minVersion:
                    description: MinVersion is the minimum TLS version to allow for
                      connections to the edge
                    type: string
                type: object
            type: object
          status:
            description: HTTPSEdgeStatus defines the observed state of HTTPSEdge
            properties:
              id:
                description: ID is the unique identifier for this edge
                type: string
              routes:
                items:
                  properties:
                    backend:
                      description: |-
                        Backend stores the status of the tunnel group backend,
                        mainly the ID of the backend
                      properties:
                        id:
                          description: ID is the unique identifier for this backend
                          type: string
                      type: object
                    id:
                      description: ID is the unique identifier for this route
                      type: string
                    match:
                      type: string
                    matchType:
                      type: string
                    uri:
                      description: URI is the URI for this route
                      type: string
                  type: object
                type: array
              uri:
                description: URI is the URI for this edge
                type: string
            type: object
        type: object
    served: true
    storage: true
    # Enables the /status subresource, so status is written through its own
    # endpoint and can be granted separately from spec in RBAC.
    subresources:
      status: {}