AppIDClaim is the name of the claim holding the identifier of the application. This field is sometimes named `client_id`.

ForwardHeaders specifies additional headers to forward with the request.

JWKSFile contains the JWKS file content for JWT verification. Mutually exclusive with SigningSecretName, PublicKey, JWKSURL, and TrustedIssuers.

JWKSURL is the URL to fetch the JWKS for JWT verification. Mutually exclusive with SigningSecretName, PublicKey, JWKSFile, and TrustedIssuers. Deprecated: Use TrustedIssuers instead for more flexible JWKS configuration with issuer validation.

PublicKey is the PEM-encoded public key for JWT verification. Mutually exclusive with SigningSecretName, JWKSFile, JWKSURL, and TrustedIssuers.

SigningSecretName is the name of the Kubernetes Secret containing the signing secret. The secret must be of type Opaque and contain a key named 'value'. Mutually exclusive with PublicKey, JWKSFile, JWKSURL, and TrustedIssuers.

StripAuthorizationHeader determines whether to strip the Authorization header before forwarding the request.

TokenNameClaim is the name of the claim holding the name of the token. This name, if provided, will be used in the metrics.

TokenQueryKey specifies the query parameter name for the JWT token.

Attribute is the LDAP object attribute used to form a bind DN when sending bind queries. The bind DN is formed as <Attribute>=<Username>,<BaseDN>.

BaseDN is the base domain name that should be used for bind and search queries.

BindDN is the domain name to bind to in order to authenticate to the LDAP server when running in search mode. If empty, an anonymous bind will be done.

BindPasswordSecretName is the name of the Kubernetes Secret containing the password for the bind DN. The secret must contain a key named 'password'.

CertificateAuthority is a PEM-encoded certificate to use to establish a connection with the LDAP server if the connection uses TLS but that the certificate was signed by a custom Certificate Authority.

InsecureSkipVerify controls whether the server's certificate chain and host name is verified.

SearchFilter is used to filter LDAP search queries. Example: (&(objectClass=inetOrgPerson)(gidNumber=500)(uid=%s)) %s can be used as a placeholder for the username.

StartTLS instructs the middleware to issue a StartTLS request when initializing the connection with the LDAP server.

URL is the URL of the LDAP server, including the protocol (ldap or ldaps) and the port.

lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

message is a human readable message indicating details about the transition. This may be an empty string.

observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.

status of the condition, one of True, False, Unknown.

type of condition in CamelCase or in foo.example.com/CamelCase.