--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.17.1 name: apiauths.hub.traefik.io spec: group: hub.traefik.io names: kind: APIAuth listKind: APIAuthList plural: apiauths singular: apiauth scope: Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: description: APIAuth defines the authentication configuration for APIs. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: The desired behavior of this APIAuth. properties: apiKey: description: APIKey configures API key authentication. type: object x-kubernetes-preserve-unknown-fields: true isDefault: description: |- IsDefault specifies if this APIAuth should be used as the default API authentication method for the namespace. Only one APIAuth per namespace should have isDefault set to true. type: boolean jwt: description: JWT configures JWT authentication. properties: appIdClaim: description: |- AppIDClaim is the name of the claim holding the identifier of the application. This field is sometimes named `client_id`. type: string forwardHeaders: additionalProperties: type: string description: ForwardHeaders specifies additional headers to forward with the request. type: object jwksFile: description: JWKSFile contains the JWKS file content for JWT verification. type: string jwksUrl: description: JWKSURL is the URL to fetch the JWKS for JWT verification. type: string x-kubernetes-validations: - message: must be a valid URL rule: isURL(self) publicKey: description: PublicKey is the PEM-encoded public key for JWT verification. type: string signingSecretName: description: |- SigningSecretName is the name of the Kubernetes Secret containing the signing secret. The secret must be of type Opaque and contain a key named 'value'. maxLength: 253 type: string stripAuthorizationHeader: description: StripAuthorizationHeader determines whether to strip the Authorization header before forwarding the request. type: boolean tokenNameClaim: description: |- TokenNameClaim is the name of the claim holding the name of the token. This name, if provided, will be used in the metrics. type: string tokenQueryKey: description: TokenQueryKey specifies the query parameter name for the JWT token. type: string required: - appIdClaim type: object x-kubernetes-validations: - message: exactly one of signingSecretName, publicKey, jwksFile, or jwksUrl must be specified rule: '[has(self.signingSecretName), has(self.publicKey), has(self.jwksFile), has(self.jwksUrl)].filter(x, x).size() == 1' ldap: description: LDAP configures LDAP authentication. properties: attribute: default: cn description: |- Attribute is the LDAP object attribute used to form a bind DN when sending bind queries. The bind DN is formed as =,. type: string baseDn: description: BaseDN is the base domain name that should be used for bind and search queries. type: string bindDn: description: |- BindDN is the domain name to bind to in order to authenticate to the LDAP server when running in search mode. If empty, an anonymous bind will be done. type: string bindPasswordSecretName: description: |- BindPasswordSecretName is the name of the Kubernetes Secret containing the password for the bind DN. The secret must contain a key named 'password'. maxLength: 253 type: string certificateAuthority: description: |- CertificateAuthority is a PEM-encoded certificate to use to establish a connection with the LDAP server if the connection uses TLS but that the certificate was signed by a custom Certificate Authority. type: string insecureSkipVerify: description: InsecureSkipVerify controls whether the server's certificate chain and host name is verified. type: boolean searchFilter: description: |- SearchFilter is used to filter LDAP search queries. Example: (&(objectClass=inetOrgPerson)(gidNumber=500)(uid=%s)) %s can be used as a placeholder for the username. type: string startTls: description: StartTLS instructs the middleware to issue a StartTLS request when initializing the connection with the LDAP server. type: boolean url: description: URL is the URL of the LDAP server, including the protocol (ldap or ldaps) and the port. type: string x-kubernetes-validations: - message: must be a valid LDAP URL rule: isURL(self) && (self.startsWith('ldap://') || self.startsWith('ldaps://')) required: - baseDn - url type: object required: - isDefault type: object x-kubernetes-validations: - message: exactly one authentication method must be specified rule: '[has(self.apiKey), has(self.jwt), has(self.ldap)].filter(x, x).size() == 1' status: description: The current status of this APIAuth. properties: hash: description: Hash is a hash representing the APIAuth. type: string syncedAt: format: date-time type: string version: type: string type: object type: object served: true storage: true