{ "description": "APIAuth defines the authentication configuration for APIs.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": [ "string", "null" ] }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": [ "string", "null" ] }, "metadata": { "type": [ "object", "null" ] }, "spec": { "additionalProperties": false, "description": "The desired behavior of this APIAuth.", "properties": { "apiKey": { "description": "APIKey configures API key authentication.", "type": [ "object", "null" ], "x-kubernetes-preserve-unknown-fields": true }, "isDefault": { "description": "IsDefault specifies if this APIAuth should be used as the default API authentication method for the namespace.\nOnly one APIAuth per namespace should have isDefault set to true.", "type": "boolean" }, "jwt": { "additionalProperties": false, "description": "JWT configures JWT authentication.", "properties": { "appIdClaim": { "description": "AppIDClaim is the name of the claim holding the identifier of the application.\nThis field is sometimes named `client_id`.", "type": "string" }, "forwardHeaders": { "additionalProperties": { "type": "string" }, "description": "ForwardHeaders specifies additional headers to forward with the request.", "type": [ "object", "null" ] }, "jwksFile": { "description": "JWKSFile contains the JWKS file content for JWT verification.\nMutually exclusive with SigningSecretName, PublicKey, JWKSURL, and TrustedIssuers.", "type": [ "string", "null" ] }, "jwksUrl": { "description": "JWKSURL is the URL to fetch the JWKS for JWT verification.\nMutually exclusive with SigningSecretName, PublicKey, JWKSFile, and TrustedIssuers.\nDeprecated: Use TrustedIssuers instead for more flexible JWKS configuration with issuer validation.", "type": [ "string", "null" ], "x-kubernetes-validations": [ { "message": "must be a valid HTTPS URL", "rule": "isURL(self) \u0026\u0026 self.startsWith('https://')" } ] }, "publicKey": { "description": "PublicKey is the PEM-encoded public key for JWT verification.\nMutually exclusive with SigningSecretName, JWKSFile, JWKSURL, and TrustedIssuers.", "type": [ "string", "null" ] }, "signingSecretName": { "description": "SigningSecretName is the name of the Kubernetes Secret containing the signing secret.\nThe secret must be of type Opaque and contain a key named 'value'.\nMutually exclusive with PublicKey, JWKSFile, JWKSURL, and TrustedIssuers.", "maxLength": 253, "type": [ "string", "null" ] }, "stripAuthorizationHeader": { "description": "StripAuthorizationHeader determines whether to strip the Authorization header before forwarding the request.", "type": [ "boolean", "null" ] }, "tokenNameClaim": { "description": "TokenNameClaim is the name of the claim holding the name of the token.\nThis name, if provided, will be used in the metrics.", "type": [ "string", "null" ] }, "tokenQueryKey": { "description": "TokenQueryKey specifies the query parameter name for the JWT token.", "type": [ "string", "null" ] }, "trustedIssuers": { "description": "TrustedIssuers defines multiple JWKS providers with optional issuer validation.\nMutually exclusive with SigningSecretName, PublicKey, JWKSFile, and JWKSURL.", "items": { "additionalProperties": false, "description": "TrustedIssuer represents a trusted JWT issuer with its associated JWKS endpoint for token verification.", "properties": { "issuer": { "description": "Issuer is the expected value of the \"iss\" claim.\nIf specified, tokens must have this exact issuer to be validated against this JWKS.\nThe issuer value must match exactly, including trailing slashes and URL encoding.\nIf omitted, this JWKS acts as a fallback for any issuer.", "type": [ "string", "null" ] }, "jwksUrl": { "description": "JWKSURL is the URL to fetch the JWKS from.", "type": "string", "x-kubernetes-validations": [ { "message": "must be a valid HTTPS URL", "rule": "isURL(self) \u0026\u0026 self.startsWith('https://')" } ] } }, "required": [ "jwksUrl" ], "type": "object" }, "maxItems": 100, "minItems": 1, "type": [ "array", "null" ] } }, "required": [ "appIdClaim" ], "type": [ "object", "null" ], "x-kubernetes-validations": [ { "message": "exactly one of signingSecretName, publicKey, jwksFile, jwksUrl, or trustedIssuers must be specified", "rule": "[has(self.signingSecretName), has(self.publicKey), has(self.jwksFile), has(self.jwksUrl), has(self.trustedIssuers)].filter(x, x).size() == 1" }, { "message": "trustedIssuers must not be empty when specified", "rule": "!has(self.trustedIssuers) || size(self.trustedIssuers) \u003e 0" }, { "message": "only one entry in trustedIssuers may omit the issuer field", "rule": "!has(self.trustedIssuers) || self.trustedIssuers.filter(x, !has(x.issuer) || x.issuer == \"\").size() \u003c= 1" } ] }, "ldap": { "additionalProperties": false, "description": "LDAP configures LDAP authentication.", "properties": { "attribute": { "default": "cn", "description": "Attribute is the LDAP object attribute used to form a bind DN when sending bind queries.\nThe bind DN is formed as \u003cAttribute\u003e=\u003cUsername\u003e,\u003cBaseDN\u003e.", "type": [ "string", "null" ] }, "baseDn": { "description": "BaseDN is the base domain name that should be used for bind and search queries.", "type": "string" }, "bindDn": { "description": "BindDN is the domain name to bind to in order to authenticate to the LDAP server when running in search mode.\nIf empty, an anonymous bind will be done.", "type": [ "string", "null" ] }, "bindPasswordSecretName": { "description": "BindPasswordSecretName is the name of the Kubernetes Secret containing the password for the bind DN.\nThe secret must contain a key named 'password'.", "maxLength": 253, "type": [ "string", "null" ] }, "certificateAuthority": { "description": "CertificateAuthority is a PEM-encoded certificate to use to establish a connection with the LDAP server if the\nconnection uses TLS but that the certificate was signed by a custom Certificate Authority.", "type": [ "string", "null" ] }, "insecureSkipVerify": { "description": "InsecureSkipVerify controls whether the server's certificate chain and host name is verified.", "type": [ "boolean", "null" ] }, "searchFilter": { "description": "SearchFilter is used to filter LDAP search queries.\nExample: (\u0026(objectClass=inetOrgPerson)(gidNumber=500)(uid=%s))\n%s can be used as a placeholder for the username.", "type": [ "string", "null" ] }, "startTls": { "description": "StartTLS instructs the middleware to issue a StartTLS request when initializing the connection with the LDAP server.", "type": [ "boolean", "null" ] }, "url": { "description": "URL is the URL of the LDAP server, including the protocol (ldap or ldaps) and the port.", "type": "string", "x-kubernetes-validations": [ { "message": "must be a valid LDAP URL", "rule": "isURL(self) \u0026\u0026 (self.startsWith('ldap://') || self.startsWith('ldaps://'))" } ] } }, "required": [ "baseDn", "url" ], "type": [ "object", "null" ] } }, "required": [ "isDefault" ], "type": [ "object", "null" ], "x-kubernetes-validations": [ { "message": "exactly one authentication method must be specified", "rule": "[has(self.apiKey), has(self.jwt), has(self.ldap)].filter(x, x).size() == 1" } ] }, "status": { "additionalProperties": false, "description": "The current status of this APIAuth.", "properties": { "conditions": { "items": { "additionalProperties": false, "description": "Condition contains details for one aspect of the current state of this API Resource.", "properties": { "lastTransitionTime": { "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", "format": "date-time", "type": "string" }, "message": { "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", "maxLength": 32768, "type": "string" }, "observedGeneration": { "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", "format": "int64", "minimum": 0, "type": [ "integer", "null" ] }, "reason": { "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.", "maxLength": 1024, "minLength": 1, "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$", "type": "string" }, "status": { "description": "status of the condition, one of True, False, Unknown.", "enum": [ "True", "False", "Unknown" ], "type": "string" }, "type": { "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", "maxLength": 316, "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$", "type": "string" } }, "required": [ "lastTransitionTime", "message", "reason", "status", "type" ], "type": "object" }, "type": [ "array", "null" ] }, "hash": { "description": "Hash is a hash representing the APIAuth.", "type": [ "string", "null" ] }, "syncedAt": { "format": "date-time", "type": [ "string", "null" ] }, "version": { "type": [ "string", "null" ] } }, "type": [ "object", "null" ] } }, "type": "object" }