andata
/
rancher-partner-charts
mirror of https://git.rancher.io/partner-charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
rancher-partner-charts/charts/airlock/microgateway/4.3.1/crds/oidcrelyingparties.microgat...

225 lines
12 KiB
YAML
Raw Blame History

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
labels:
app.kubernetes.io/name: airlock-microgateway-operator
app.kubernetes.io/version: 4.3.1
name: oidcrelyingparties.microgateway.airlock.com
spec:
group: microgateway.airlock.com
names:
categories:
- airlock-microgateway
kind: OIDCRelyingParty
listKind: OIDCRelyingPartyList
plural: oidcrelyingparties
singular: oidcrelyingparty
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
OIDCRelyingParty specifies how the Airlock Microgateway Engine interacts with an OpenID Provider (OP).
{{% notice warning %}} The OIDC feature is currently in an experimental state.
We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as security has not yet been hardened.
In particular, the current implementation has the following limitations, which we intend to address in future Microgateway releases:
- The state parameter is guessable.
- Sessions are always shared across all Microgateway Engines using the same Redis instance.
I.e. if application A and B (with different SidecarGateways) have the same Redis instance configured in their SessionHandling CR, users which are logged into application A
may be able to access authenticated routes on application B, even if their OIDCRelyingParty configuration differs.
{{% /notice %}}
{{% notice info %}} The OIDC feature requires SessionHandling to be configured in the SidecarGateway. {{% /notice %}}
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the OIDC Relying Party configuration.
properties:
clientID:
description: ClientID specifies the OIDCRelyingParty "client_id".
minLength: 1
type: string
credentials:
description: Credentials used for client authentication on the back-channel with the authorization server.
properties:
clientSecret:
description: ClientSecret authenticates with the client password issued by the OpenID Provider (OP).
properties:
method:
default: BasicAuth
description: Method specifies in which format the client secret is sent with the authorization request.
enum:
- BasicAuth
- FormURLEncoded
type: string
secretRef:
description: SecretRef specifies the kubernetes secret containing the client password with key "client.secret".
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
required:
- secretRef
type: object
required:
- clientSecret
type: object
oidcProviderRef:
description: OIDCProviderRef selects the OpenID Provider (OP) used to authenticate users.
properties:
name:
description: Name of the resource
minLength: 1
type: string
required:
- name
type: object
pathMapping:
description: PathMapping configures the action matching.
properties:
logoutPath:
description: LogoutPath specifies which request paths should initiate a logout.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
redirectPath:
description: RedirectPath specifies which request paths should be interpreted as a response from the authorization endpoint.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
required:
- logoutPath
- redirectPath
type: object
redirectURI:
description: |-
RedirectURI configures the "redirect_uri" parameter included in the authorization request.
May contain envoy command operators, e.g. '%REQ(:x-forwarded-proto)%://%REQ(:authority)%/callback'.
minLength: 1
type: string
required:
- clientID
- credentials
- oidcProviderRef
- pathMapping
- redirectURI
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}
Reference in New Issue View Git Blame Copy Permalink