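---
# CustomResourceDefinition for NgrokModuleSet (group ingress.k8s.ngrok.com, v1alpha1).
# The controller-gen annotation below marks this file as generated output; schema
# changes belong in the source types, followed by regeneration.
#
# Security notes for reviewers:
# - Module sets carry authentication and access-control settings (oauth, oidc, saml,
#   ipRestriction, policy). The resource is namespaced, so RBAC write access to it
#   should be limited per namespace to the people allowed to change those controls.
# - The schema declares no `required` fields anywhere, so the API server admits
#   partially filled objects; completeness has to be checked by the controller.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.9.2
  creationTimestamp: null
  name: ngrokmodulesets.ingress.k8s.ngrok.com
spec:
  group: ingress.k8s.ngrok.com
  names:
    kind: NgrokModuleSet
    listKind: NgrokModuleSetList
    plural: ngrokmodulesets
    singular: ngrokmoduleset
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: NgrokModuleSet is the Schema for the ngrokmodules API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          # `modules` sits at the top level of the object (there is no `spec` wrapper)
          # and holds one optional sub-object per ngrok module.
          modules:
            properties: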
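# --- modules.circuitBreaker ---
              circuitBreaker:
                description: CircuitBreaker configuration for this module set
                properties:
                  # Accepts an integer or a quantity-style string (see pattern). The
                  # description asks for a fraction in 0-1.0, but nothing in the schema
                  # bounds the value, so the range has to be enforced by the controller
                  # or the ngrok API.
                  errorThresholdPercentage:
                    anyOf:
                    - type: integer
                    - type: string
                    description: Error threshold percentage should be between 0 -
                      1.0, not 0-100.0
                    pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                    x-kubernetes-int-or-string: true
                  # Bounded to 1..128 by the schema itself.
                  numBuckets:
                    description: Integer number of buckets into which metrics are
                      retained. Max 128.
                    format: int32
                    maximum: 128
                    minimum: 1
                    type: integer
                  rollingWindow:
                    description: Statistical rolling window duration that metrics
                      are retained for.
                    format: duration
                    type: string
                  trippedDuration:
                    description: Duration after which the circuit is tripped to wait
                      before re-evaluating upstream health
                    format: duration
                    type: string
                  # No minimum is declared, so zero or negative values pass schema
                  # validation.
                  volumeThreshold:
                    description: Integer number of requests in a rolling window that
                      will trip the circuit. Helpful if traffic volume is low.
                    format: int32
                    type: integer
                type: object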
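# --- modules.compression ---
              # Single on/off switch; no further tunables are exposed by this schema.
              compression:
                description: Compression configuration for this module set
                properties:
                  enabled:
                    description: Enabled is whether or not to enable compression for
                      this endpoint
                    type: boolean
                type: object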
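# --- modules.headers ---
              headers:
                description: Header configuration for this module set
                properties:
                  request:
                    description: Request headers are the request headers module configuration
                      or null
                    properties:
                      # Header values are plain strings stored in the custom resource,
                      # so anyone who can read the resource can read them. Avoid placing
                      # credentials or tokens in injected headers.
                      add:
                        additionalProperties:
                          type: string
                        description: a map of header key to header value that will
                          be injected into the HTTP Request before being sent to the
                          upstream application server
                        type: object
                      remove:
                        description: a list of header names that will be removed from
                          the HTTP Request before being sent to the upstream application
                          server
                        items:
                          type: string
                        type: array
                    type: object
                  response:
                    description: Response headers are the response headers module
                      configuration or null
                    properties:
                      add:
                        additionalProperties:
                          type: string
                        description: a map of header key to header value that will
                          be injected into the HTTP Response returned to the HTTP
                          client
                        type: object
                      # Names are free-form strings; review changes here so that
                      # security-related response headers set by the upstream are not
                      # stripped unintentionally.
                      remove:
                        description: a list of header names that will be removed from
                          the HTTP Response returned to the HTTP client
                        items:
                          type: string
                        type: array
                    type: object
                type: object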
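# --- modules.ipRestriction ---
              ipRestriction:
                description: IPRestriction configuration for this module set
                properties:
                  # Free-form strings with no description, pattern or minimum length.
                  # NOTE(review): presumably these name ngrok IP policies; an empty or
                  # misspelled entry is not rejected at admission - confirm how the
                  # controller reports an unresolved policy.
                  policies:
                    items:
                      type: string
                    type: array
                type: object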
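# --- modules.oauth (opening) and oauth.amazon ---
              # One optional sub-object per identity provider. The schema does not
              # restrict how many providers may be set at once.
              oauth:
                description: OAuth configuration for this module set
                properties:
                  amazon:
                    description: configuration for using amazon as the identity provider
                    properties:
                      # Upper bound on how long a revoked user keeps access.
                      authCheckInterval:
                        description: Duration after which ngrok guarantees it will
                          refresh user state from the identity provider and recheck
                          whether the user is still authorized to access the endpoint.
                          This is the preferred tunable to use to enforce a minimum
                          amount of time after which a revoked user will no longer
                          be able to access the resource.
                        format: duration
                        type: string
                      clientId:
                        description: the OAuth app client ID. retrieve it from the
                          identity provider's dashboard where you created your own
                          OAuth app. optional. if unspecified, ngrok will use its
                          own managed oauth application which has additional restrictions.
                          see the OAuth module docs for more details. if present,
                          clientSecret must be present as well.
                        type: string
                      # The secret value is referenced (Secret name + key), not inlined.
                      # There is no namespace field; presumably the Secret is looked up
                      # in the resource's own namespace - confirm in the controller.
                      # The "clientId requires clientSecret" rule is not enforced here.
                      clientSecret:
                        description: the OAuth app client secret. retrieve if from
                          the identity provider's dashboard where you created your
                          own OAuth app. optional, see all of the caveats in the docs
                          for clientId.
                        properties:
                          key:
                            description: Key in the secret to use
                            type: string
                          name:
                            description: Name of the Kubernetes secret
                            type: string
                        type: object
                      cookiePrefix:
                        description: the prefix of the session cookie that ngrok sets
                          on the http client to cache authentication. default is 'ngrok.'
                        type: string
                      # emailAddresses / emailDomains are the per-user allowlists. Both
                      # are optional; what is admitted when neither is set is not stated
                      # in this schema - confirm before relying on OAuth alone.
                      emailAddresses:
                        description: a list of email addresses of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      emailDomains:
                        description: a list of email domains of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      inactivityTimeout:
                        description: Duration of inactivity after which if the user
                          has not accessed the endpoint, their session will time out
                          and they will be forced to reauthenticate.
                        format: duration
                        type: string
                      # NOTE(review): the description says "Integer number of seconds"
                      # but the field is a duration-formatted string.
                      maximumDuration:
                        description: Integer number of seconds of the maximum duration
                          of an authenticated session. After this period is exceeded,
                          a user must reauthenticate.
                        format: duration
                        type: boolean
                      # When true, OPTIONS requests reach the upstream unauthenticated;
                      # enable only when CORS preflight needs it.
                      optionsPassthrough:
                        description: Do not enforce authentication on HTTP OPTIONS
                          requests. necessary if you are supporting CORS.
                        type: boolean
                      scopes:
                        description: a list of provider-specific OAuth scopes with
                          the permissions your OAuth app would like to ask for. these
                          may not be set if you are using the ngrok-managed oauth
                          app (i.e. you must pass both client_id and client_secret
                          to set scopes)
                        items:
                          type: string
                        type: array
                    type: object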
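# --- modules.oauth.facebook ---
                  facebook:
                    description: configuration for using facebook as the identity
                      provider
                    properties:
                      # Upper bound on how long a revoked user keeps access.
                      authCheckInterval:
                        description: Duration after which ngrok guarantees it will
                          refresh user state from the identity provider and recheck
                          whether the user is still authorized to access the endpoint.
                          This is the preferred tunable to use to enforce a minimum
                          amount of time after which a revoked user will no longer
                          be able to access the resource.
                        format: duration
                        type: string
                      clientId:
                        description: the OAuth app client ID. retrieve it from the
                          identity provider's dashboard where you created your own
                          OAuth app. optional. if unspecified, ngrok will use its
                          own managed oauth application which has additional restrictions.
                          see the OAuth module docs for more details. if present,
                          clientSecret must be present as well.
                        type: string
                      # The secret value is referenced (Secret name + key), not inlined.
                      # The "clientId requires clientSecret" rule is not enforced by
                      # this schema.
                      clientSecret:
                        description: the OAuth app client secret. retrieve if from
                          the identity provider's dashboard where you created your
                          own OAuth app. optional, see all of the caveats in the docs
                          for clientId.
                        properties:
                          key:
                            description: Key in the secret to use
                            type: string
                          name:
                            description: Name of the Kubernetes secret
                            type: string
                        type: object
                      cookiePrefix:
                        description: the prefix of the session cookie that ngrok sets
                          on the http client to cache authentication. default is 'ngrok.'
                        type: string
                      # emailAddresses / emailDomains are the per-user allowlists; both
                      # are optional in this schema.
                      emailAddresses:
                        description: a list of email addresses of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      emailDomains:
                        description: a list of email domains of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      inactivityTimeout:
                        description: Duration of inactivity after which if the user
                          has not accessed the endpoint, their session will time out
                          and they will be forced to reauthenticate.
                        format: duration
                        type: string
                      # NOTE(review): the description says "Integer number of seconds"
                      # but the field is a duration-formatted string.
                      maximumDuration:
                        description: Integer number of seconds of the maximum duration
                          of an authenticated session. After this period is exceeded,
                          a user must reauthenticate.
                        format: duration
                        type: string
                      # When true, OPTIONS requests reach the upstream unauthenticated;
                      # enable only when CORS preflight needs it.
                      optionsPassthrough:
                        description: Do not enforce authentication on HTTP OPTIONS
                          requests. necessary if you are supporting CORS.
                        type: boolean
                      scopes:
                        description: a list of provider-specific OAuth scopes with
                          the permissions your OAuth app would like to ask for. these
                          may not be set if you are using the ngrok-managed oauth
                          app (i.e. you must pass both client_id and client_secret
                          to set scopes)
                        items:
                          type: string
                        type: array
                    type: object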
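# --- modules.oauth.github ---
                  github:
                    description: configuration for using github as the identity provider
                    properties:
                      # Upper bound on how long a revoked user keeps access.
                      authCheckInterval:
                        description: Duration after which ngrok guarantees it will
                          refresh user state from the identity provider and recheck
                          whether the user is still authorized to access the endpoint.
                          This is the preferred tunable to use to enforce a minimum
                          amount of time after which a revoked user will no longer
                          be able to access the resource.
                        format: duration
                        type: string
                      clientId:
                        description: the OAuth app client ID. retrieve it from the
                          identity provider's dashboard where you created your own
                          OAuth app. optional. if unspecified, ngrok will use its
                          own managed oauth application which has additional restrictions.
                          see the OAuth module docs for more details. if present,
                          clientSecret must be present as well.
                        type: string
                      # The secret value is referenced (Secret name + key), not inlined.
                      # The "clientId requires clientSecret" rule is not enforced by
                      # this schema.
                      clientSecret:
                        description: the OAuth app client secret. retrieve if from
                          the identity provider's dashboard where you created your
                          own OAuth app. optional, see all of the caveats in the docs
                          for clientId.
                        properties:
                          key:
                            description: Key in the secret to use
                            type: string
                          name:
                            description: Name of the Kubernetes secret
                            type: string
                        type: object
                      cookiePrefix:
                        description: the prefix of the session cookie that ngrok sets
                          on the http client to cache authentication. default is 'ngrok.'
                        type: string
                      # emailAddresses / emailDomains / organizations / teams are the
                      # allowlists for this provider; all are optional in this schema.
                      emailAddresses:
                        description: a list of email addresses of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      emailDomains:
                        description: a list of email domains of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      inactivityTimeout:
                        description: Duration of inactivity after which if the user
                          has not accessed the endpoint, their session will time out
                          and they will be forced to reauthenticate.
                        format: duration
                        type: string
                      # NOTE(review): the description says "Integer number of seconds"
                      # but the field is a duration-formatted string.
                      maximumDuration:
                        description: Integer number of seconds of the maximum duration
                          of an authenticated session. After this period is exceeded,
                          a user must reauthenticate.
                        format: duration
                        type: string
                      # When true, OPTIONS requests reach the upstream unauthenticated;
                      # enable only when CORS preflight needs it.
                      optionsPassthrough:
                        description: Do not enforce authentication on HTTP OPTIONS
                          requests. necessary if you are supporting CORS.
                        type: boolean
                      # Membership in ANY listed organization grants access.
                      organizations:
                        description: a list of github org identifiers. users who are
                          members of any of the listed organizations will be allowed
                          access. identifiers should be the organization's 'slug'
                        items:
                          type: string
                        type: array
                      scopes:
                        description: a list of provider-specific OAuth scopes with
                          the permissions your OAuth app would like to ask for. these
                          may not be set if you are using the ngrok-managed oauth
                          app (i.e. you must pass both client_id and client_secret
                          to set scopes)
                        items:
                          type: string
                        type: array
                      # Membership in ANY listed team grants access; the org/team slug
                      # format is described but not pattern-checked.
                      teams:
                        description: a list of github teams identifiers. users will
                          be allowed access to the endpoint if they are a member of
                          any of these teams. identifiers should be in the 'slug'
                          format qualified with the org name, e.g. org-name/team-name
                        items:
                          type: string
                        type: array
                    type: object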
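# --- modules.oauth.gitlab ---
                  gitlab:
                    description: configuration for using gitlab as the identity provider
                    properties:
                      # Upper bound on how long a revoked user keeps access.
                      authCheckInterval:
                        description: Duration after which ngrok guarantees it will
                          refresh user state from the identity provider and recheck
                          whether the user is still authorized to access the endpoint.
                          This is the preferred tunable to use to enforce a minimum
                          amount of time after which a revoked user will no longer
                          be able to access the resource.
                        format: duration
                        type: string
                      clientId:
                        description: the OAuth app client ID. retrieve it from the
                          identity provider's dashboard where you created your own
                          OAuth app. optional. if unspecified, ngrok will use its
                          own managed oauth application which has additional restrictions.
                          see the OAuth module docs for more details. if present,
                          clientSecret must be present as well.
                        type: string
                      # The secret value is referenced (Secret name + key), not inlined.
                      # The "clientId requires clientSecret" rule is not enforced by
                      # this schema.
                      clientSecret:
                        description: the OAuth app client secret. retrieve if from
                          the identity provider's dashboard where you created your
                          own OAuth app. optional, see all of the caveats in the docs
                          for clientId.
                        properties:
                          key:
                            description: Key in the secret to use
                            type: string
                          name:
                            description: Name of the Kubernetes secret
                            type: string
                        type: object
                      cookiePrefix:
                        description: the prefix of the session cookie that ngrok sets
                          on the http client to cache authentication. default is 'ngrok.'
                        type: string
                      # emailAddresses / emailDomains are the per-user allowlists; both
                      # are optional in this schema.
                      emailAddresses:
                        description: a list of email addresses of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      emailDomains:
                        description: a list of email domains of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      inactivityTimeout:
                        description: Duration of inactivity after which if the user
                          has not accessed the endpoint, their session will time out
                          and they will be forced to reauthenticate.
                        format: duration
                        type: string
                      # NOTE(review): the description says "Integer number of seconds"
                      # but the field is a duration-formatted string.
                      maximumDuration:
                        description: Integer number of seconds of the maximum duration
                          of an authenticated session. After this period is exceeded,
                          a user must reauthenticate.
                        format: duration
                        type: string
                      # When true, OPTIONS requests reach the upstream unauthenticated;
                      # enable only when CORS preflight needs it.
                      optionsPassthrough:
                        description: Do not enforce authentication on HTTP OPTIONS
                          requests. necessary if you are supporting CORS.
                        type: boolean
                      scopes:
                        description: a list of provider-specific OAuth scopes with
                          the permissions your OAuth app would like to ask for. these
                          may not be set if you are using the ngrok-managed oauth
                          app (i.e. you must pass both client_id and client_secret
                          to set scopes)
                        items:
                          type: string
                        type: array
                    type: object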
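# --- modules.oauth.google ---
                  google:
                    description: configuration for using google as the identity provider
                    properties:
                      # Upper bound on how long a revoked user keeps access.
                      authCheckInterval:
                        description: Duration after which ngrok guarantees it will
                          refresh user state from the identity provider and recheck
                          whether the user is still authorized to access the endpoint.
                          This is the preferred tunable to use to enforce a minimum
                          amount of time after which a revoked user will no longer
                          be able to access the resource.
                        format: duration
                        type: string
                      clientId:
                        description: the OAuth app client ID. retrieve it from the
                          identity provider's dashboard where you created your own
                          OAuth app. optional. if unspecified, ngrok will use its
                          own managed oauth application which has additional restrictions.
                          see the OAuth module docs for more details. if present,
                          clientSecret must be present as well.
                        type: string
                      # The secret value is referenced (Secret name + key), not inlined.
                      # The "clientId requires clientSecret" rule is not enforced by
                      # this schema.
                      clientSecret:
                        description: the OAuth app client secret. retrieve if from
                          the identity provider's dashboard where you created your
                          own OAuth app. optional, see all of the caveats in the docs
                          for clientId.
                        properties:
                          key:
                            description: Key in the secret to use
                            type: string
                          name:
                            description: Name of the Kubernetes secret
                            type: string
                        type: object
                      cookiePrefix:
                        description: the prefix of the session cookie that ngrok sets
                          on the http client to cache authentication. default is 'ngrok.'
                        type: string
                      # emailAddresses / emailDomains are the per-user allowlists; both
                      # are optional in this schema.
                      emailAddresses:
                        description: a list of email addresses of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      emailDomains:
                        description: a list of email domains of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      inactivityTimeout:
                        description: Duration of inactivity after which if the user
                          has not accessed the endpoint, their session will time out
                          and they will be forced to reauthenticate.
                        format: duration
                        type: string
                      # NOTE(review): the description says "Integer number of seconds"
                      # but the field is a duration-formatted string.
                      maximumDuration:
                        description: Integer number of seconds of the maximum duration
                          of an authenticated session. After this period is exceeded,
                          a user must reauthenticate.
                        format: duration
                        type: string
                      # When true, OPTIONS requests reach the upstream unauthenticated;
                      # enable only when CORS preflight needs it.
                      optionsPassthrough:
                        description: Do not enforce authentication on HTTP OPTIONS
                          requests. necessary if you are supporting CORS.
                        type: boolean
                      scopes:
                        description: a list of provider-specific OAuth scopes with
                          the permissions your OAuth app would like to ask for. these
                          may not be set if you are using the ngrok-managed oauth
                          app (i.e. you must pass both client_id and client_secret
                          to set scopes)
                        items:
                          type: string
                        type: array
                    type: object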
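# --- modules.oauth.linkedin ---
                  linkedin:
                    description: configuration for using linkedin as the identity
                      provider
                    properties:
                      # Upper bound on how long a revoked user keeps access.
                      authCheckInterval:
                        description: Duration after which ngrok guarantees it will
                          refresh user state from the identity provider and recheck
                          whether the user is still authorized to access the endpoint.
                          This is the preferred tunable to use to enforce a minimum
                          amount of time after which a revoked user will no longer
                          be able to access the resource.
                        format: duration
                        type: string
                      clientId:
                        description: the OAuth app client ID. retrieve it from the
                          identity provider's dashboard where you created your own
                          OAuth app. optional. if unspecified, ngrok will use its
                          own managed oauth application which has additional restrictions.
                          see the OAuth module docs for more details. if present,
                          clientSecret must be present as well.
                        type: string
                      # The secret value is referenced (Secret name + key), not inlined.
                      # The "clientId requires clientSecret" rule is not enforced by
                      # this schema.
                      clientSecret:
                        description: the OAuth app client secret. retrieve if from
                          the identity provider's dashboard where you created your
                          own OAuth app. optional, see all of the caveats in the docs
                          for clientId.
                        properties:
                          key:
                            description: Key in the secret to use
                            type: string
                          name:
                            description: Name of the Kubernetes secret
                            type: string
                        type: object
                      cookiePrefix:
                        description: the prefix of the session cookie that ngrok sets
                          on the http client to cache authentication. default is 'ngrok.'
                        type: string
                      # emailAddresses / emailDomains are the per-user allowlists; both
                      # are optional in this schema.
                      emailAddresses:
                        description: a list of email addresses of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      emailDomains:
                        description: a list of email domains of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      inactivityTimeout:
                        description: Duration of inactivity after which if the user
                          has not accessed the endpoint, their session will time out
                          and they will be forced to reauthenticate.
                        format: duration
                        type: string
                      # NOTE(review): the description says "Integer number of seconds"
                      # but the field is a duration-formatted string.
                      maximumDuration:
                        description: Integer number of seconds of the maximum duration
                          of an authenticated session. After this period is exceeded,
                          a user must reauthenticate.
                        format: duration
                        type: string
                      # When true, OPTIONS requests reach the upstream unauthenticated;
                      # enable only when CORS preflight needs it.
                      optionsPassthrough:
                        description: Do not enforce authentication on HTTP OPTIONS
                          requests. necessary if you are supporting CORS.
                        type: boolean
                      scopes:
                        description: a list of provider-specific OAuth scopes with
                          the permissions your OAuth app would like to ask for. these
                          may not be set if you are using the ngrok-managed oauth
                          app (i.e. you must pass both client_id and client_secret
                          to set scopes)
                        items:
                          type: string
                        type: array
                    type: object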
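# --- modules.oauth.microsoft ---
                  microsoft:
                    description: configuration for using microsoft as the identity
                      provider
                    properties:
                      # Upper bound on how long a revoked user keeps access.
                      authCheckInterval:
                        description: Duration after which ngrok guarantees it will
                          refresh user state from the identity provider and recheck
                          whether the user is still authorized to access the endpoint.
                          This is the preferred tunable to use to enforce a minimum
                          amount of time after which a revoked user will no longer
                          be able to access the resource.
                        format: duration
                        type: string
                      clientId:
                        description: the OAuth app client ID. retrieve it from the
                          identity provider's dashboard where you created your own
                          OAuth app. optional. if unspecified, ngrok will use its
                          own managed oauth application which has additional restrictions.
                          see the OAuth module docs for more details. if present,
                          clientSecret must be present as well.
                        type: string
                      # The secret value is referenced (Secret name + key), not inlined.
                      # The "clientId requires clientSecret" rule is not enforced by
                      # this schema.
                      clientSecret:
                        description: the OAuth app client secret. retrieve if from
                          the identity provider's dashboard where you created your
                          own OAuth app. optional, see all of the caveats in the docs
                          for clientId.
                        properties:
                          key:
                            description: Key in the secret to use
                            type: string
                          name:
                            description: Name of the Kubernetes secret
                            type: string
                        type: object
                      cookiePrefix:
                        description: the prefix of the session cookie that ngrok sets
                          on the http client to cache authentication. default is 'ngrok.'
                        type: string
                      # emailAddresses / emailDomains are the per-user allowlists; both
                      # are optional in this schema.
                      emailAddresses:
                        description: a list of email addresses of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      emailDomains:
                        description: a list of email domains of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      inactivityTimeout:
                        description: Duration of inactivity after which if the user
                          has not accessed the endpoint, their session will time out
                          and they will be forced to reauthenticate.
                        format: duration
                        type: string
                      # NOTE(review): the description says "Integer number of seconds"
                      # but the field is a duration-formatted string.
                      maximumDuration:
                        description: Integer number of seconds of the maximum duration
                          of an authenticated session. After this period is exceeded,
                          a user must reauthenticate.
                        format: duration
                        type: string
                      # When true, OPTIONS requests reach the upstream unauthenticated;
                      # enable only when CORS preflight needs it.
                      optionsPassthrough:
                        description: Do not enforce authentication on HTTP OPTIONS
                          requests. necessary if you are supporting CORS.
                        type: boolean
                      scopes:
                        description: a list of provider-specific OAuth scopes with
                          the permissions your OAuth app would like to ask for. these
                          may not be set if you are using the ngrok-managed oauth
                          app (i.e. you must pass both client_id and client_secret
                          to set scopes)
                        items:
                          type: string
                        type: array
                    type: object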
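# --- modules.oauth.twitch and the end of modules.oauth ---
                  twitch:
                    description: configuration for using twitch as the identity provider
                    properties:
                      # Upper bound on how long a revoked user keeps access.
                      authCheckInterval:
                        description: Duration after which ngrok guarantees it will
                          refresh user state from the identity provider and recheck
                          whether the user is still authorized to access the endpoint.
                          This is the preferred tunable to use to enforce a minimum
                          amount of time after which a revoked user will no longer
                          be able to access the resource.
                        format: duration
                        type: string
                      clientId:
                        description: the OAuth app client ID. retrieve it from the
                          identity provider's dashboard where you created your own
                          OAuth app. optional. if unspecified, ngrok will use its
                          own managed oauth application which has additional restrictions.
                          see the OAuth module docs for more details. if present,
                          clientSecret must be present as well.
                        type: string
                      # The secret value is referenced (Secret name + key), not inlined.
                      # The "clientId requires clientSecret" rule is not enforced by
                      # this schema.
                      clientSecret:
                        description: the OAuth app client secret. retrieve if from
                          the identity provider's dashboard where you created your
                          own OAuth app. optional, see all of the caveats in the docs
                          for clientId.
                        properties:
                          key:
                            description: Key in the secret to use
                            type: string
                          name:
                            description: Name of the Kubernetes secret
                            type: string
                        type: object
                      cookiePrefix:
                        description: the prefix of the session cookie that ngrok sets
                          on the http client to cache authentication. default is 'ngrok.'
                        type: string
                      # emailAddresses / emailDomains are the per-user allowlists; both
                      # are optional in this schema.
                      emailAddresses:
                        description: a list of email addresses of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      emailDomains:
                        description: a list of email domains of users authenticated
                          by identity provider who are allowed access to the endpoint
                        items:
                          type: string
                        type: array
                      inactivityTimeout:
                        description: Duration of inactivity after which if the user
                          has not accessed the endpoint, their session will time out
                          and they will be forced to reauthenticate.
                        format: duration
                        type: string
                      # NOTE(review): the description says "Integer number of seconds"
                      # but the field is a duration-formatted string.
                      maximumDuration:
                        description: Integer number of seconds of the maximum duration
                          of an authenticated session. After this period is exceeded,
                          a user must reauthenticate.
                        format: duration
                        type: string
                      # When true, OPTIONS requests reach the upstream unauthenticated;
                      # enable only when CORS preflight needs it.
                      optionsPassthrough:
                        description: Do not enforce authentication on HTTP OPTIONS
                          requests. necessary if you are supporting CORS.
                        type: boolean
                      scopes:
                        description: a list of provider-specific OAuth scopes with
                          the permissions your OAuth app would like to ask for. these
                          may not be set if you are using the ngrok-managed oauth
                          app (i.e. you must pass both client_id and client_secret
                          to set scopes)
                        items:
                          type: string
                        type: array
                    type: object
                # Closes modules.oauth.
                type: object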
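# --- modules.oidc ---
              # No field is marked required, so an oidc block without issuer, clientId
              # or clientSecret is admitted by the API server. This schema also exposes
              # no per-user or per-group allowlist for OIDC - presumably access is
              # limited to whoever the issuer will authenticate; confirm.
              oidc:
                description: OIDC configuration for this module set
                properties:
                  clientId:
                    description: The OIDC app's client ID and OIDC audience.
                    type: string
                  # The secret value is referenced (Secret name + key), not inlined.
                  clientSecret:
                    description: The OIDC app's client secret.
                    properties:
                      key:
                        description: Key in the secret to use
                        type: string
                      name:
                        description: Name of the Kubernetes secret
                        type: string
                    type: object
                  cookiePrefix:
                    description: the prefix of the session cookie that ngrok sets
                      on the http client to cache authentication. default is 'ngrok.'
                    type: string
                  inactivityTimeout:
                    description: Duration of inactivity after which if the user has
                      not accessed the endpoint, their session will time out and they
                      will be forced to reauthenticate.
                    format: duration
                    type: string
                  # Free-form string: the schema applies no URL format or scheme
                  # check, so the issuer value should be reviewed when it changes -
                  # it decides which provider is trusted to authenticate users.
                  issuer:
                    description: URL of the OIDC "OpenID provider". This is the base
                      URL used for discovery.
                    type: string
                  maximumDuration:
                    description: The maximum duration of an authenticated session.
                      After this period is exceeded, a user must reauthenticate.
                    format: duration
                    type: string
                  # When true, OPTIONS requests reach the upstream unauthenticated;
                  # enable only when CORS preflight needs it.
                  optionsPassthrough:
                    description: Do not enforce authentication on HTTP OPTIONS requests.
                      necessary if you are supporting CORS.
                    type: boolean
                  scopes:
                    description: The set of scopes to request from the OIDC identity
                      provider.
                    items:
                      type: string
                    type: array
                type: object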
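# --- modules.policy ---
              policy:
                description: Policy configuration for this module set
                properties:
                  enabled:
                    description: Determines if the rule will be applied to traffic
                    type: boolean
                  inbound:
                    description: Inbound traffic rule
                    items:
                      properties:
                        actions:
                          description: Actions
                          items:
                            properties:
                              # preserve-unknown-fields turns off pruning and schema
                              # validation for this subtree: any JSON object is stored
                              # as submitted. Whatever consumes `config` has to validate
                              # it, keyed on the sibling `type` string (also free-form).
                              config:
                                type: object
                                x-kubernetes-preserve-unknown-fields: true
                              type:
                                type: string
                            type: object
                          type: array
                        # Free-form strings; the expression language is not described
                        # or checked by this schema.
                        expressions:
                          description: Expressions
                          items:
                            type: string
                          type: array
                        name:
                          description: Name
                          type: string
                      type: object
                    type: array
                  outbound:
                    description: Outbound traffic rule
                    items:
                      properties:
                        actions:
                          description: Actions
                          items:
                            properties:
                              # Same as inbound: arbitrary JSON is accepted and kept
                              # unpruned, so validation is left to the consumer.
                              config:
                                type: object
                                x-kubernetes-preserve-unknown-fields: true
                              type:
                                type: string
                            type: object
                          type: array
                        expressions:
                          description: Expressions
                          items:
                            type: string
                          type: array
                        name:
                          description: Name
                          type: string
                      type: object
                    type: array
                type: object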
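# --- modules.saml ---
              saml:
                description: SAML configuration for this module set
                properties:
                  # Allows logins that start at the IdP, with the post-login target
                  # taken from RelayState. Leave false unless the flow is needed.
                  allowIdpInitiated:
                    description: If true, the IdP may initiate a login directly (e.g.
                      the user does not need to visit the endpoint first and then
                      be redirected). The IdP should set the RelayState parameter
                      to the target URL of the resource they want the user to be redirected
                      to after the SAML login assertion has been processed.
                    type: boolean
                  # Optional group allowlist. Per the description it only restricts
                  # access "if present"; when omitted, no group check is applied.
                  authorizedGroups:
                    description: If present, only users who are a member of one of
                      the listed groups may access the target endpoint.
                    items:
                      type: string
                    type: array
                  cookiePrefix:
                    description: the prefix of the session cookie that ngrok sets
                      on the http client to cache authentication. default is 'ngrok.'
                    type: string
                  forceAuthn:
                    description: If true, indicates that whenever we redirect a user
                      to the IdP for authentication that the IdP must prompt the user
                      for authentication credentials even if the user already has
                      a valid session with the IdP.
                    type: boolean
                  # Holds the IdP EntityDescriptor XML inline as a plain string. This is
                  # the trust configuration for the IdP, so changes to it deserve the
                  # same review as a credential change. Not validated by the schema.
                  idpMetadata:
                    description: The full XML IdP EntityDescriptor. Your IdP may provide
                      this to you as a a file to download or as a URL.
                    type: string
                  inactivityTimeout:
                    description: Duration of inactivity after which if the user has
                      not accessed the endpoint, their session will time out and they
                      will be forced to reauthenticate.
                    format: duration
                    type: string
                  maximumDuration:
                    description: The maximum duration of an authenticated session.
                      After this period is exceeded, a user must reauthenticate.
                    format: duration
                    type: string
                  # Free-form string; the supported subset is not enumerated here.
                  nameidFormat:
                    description: Defines the name identifier format the SP expects
                      the IdP to use in its assertions to identify subjects. If unspecified,
                      a default value of urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
                      will be used. A subset of the allowed values enumerated by the
                      SAML specification are supported.
                    type: string
                  # When true, OPTIONS requests reach the upstream unauthenticated;
                  # enable only when CORS preflight needs it.
                  optionsPassthrough:
                    description: Do not enforce authentication on HTTP OPTIONS requests.
                      necessary if you are supporting CORS.
                    type: boolean
                type: object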
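# --- modules.tlsTermination ---
              tlsTermination:
                description: TLSTermination configuration for this module set
                properties:
                  # Free-form string with no enum or pattern, so a mistyped or
                  # unintended version value is not rejected at admission.
                  # NOTE(review): the accepted spellings are not shown in this schema -
                  # confirm them against the ngrok documentation.
                  minVersion:
                    description: MinVersion is the minimum TLS version to allow for
                      connections to the edge
                    type: string
                type: object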
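# --- modules.webhookVerification ---
              webhookVerification:
                description: WebhookVerification configuration for this module set
                properties:
                  # Free-form string; the list of supported providers lives in the
                  # linked documentation and is not enforced as an enum here.
                  provider:
                    description: a string indicating which webhook provider will be
                      sending webhooks to this endpoint. Value must be one of the
                      supported providers defined at https://ngrok.com/docs/http/webhook-verification/#supported-providers
                    type: string
                  # Reference to a Kubernetes Secret (name + key); the signing secret
                  # itself is not stored in this resource. The description says every
                  # provider except AWS SNS needs it, but the schema does not require
                  # it, so a missing secret is not caught at admission.
                  secret:
                    description: SecretRef is a reference to a secret containing the
                      secret used to validate requests from the given provider. All
                      providers except AWS SNS require a secret
                    properties:
                      key:
                        description: Key in the secret to use
                        type: string
                      name:
                        description: Name of the Kubernetes secret
                        type: string
                    type: object
                type: object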
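# --- end of modules, end of openAPIV3Schema, version flags ---
            # Closes `modules`.
            type: object
        # Closes openAPIV3Schema.
        type: object
    # v1alpha1 is both served and the storage version (the only version listed).
    served: true
    storage: true
    # The status subresource is enabled, yet the schema above declares no `status`
    # property. NOTE(review): fields not in the schema are normally pruned, so confirm
    # whether a status stanza is intended to be written for this resource.
    subresources:
      status: {}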