apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.17.1 name: apiauths.hub.traefik.io spec: group: hub.traefik.io names: kind: APIAuth listKind: APIAuthList plural: apiauths singular: apiauth scope: Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: description: APIAuth defines the authentication configuration for APIs. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: The desired behavior of this APIAuth. properties: apiKey: description: APIKey configures API key authentication. type: object x-kubernetes-preserve-unknown-fields: true isDefault: description: |- IsDefault specifies if this APIAuth should be used as the default API authentication method for the namespace. Only one APIAuth per namespace should have isDefault set to true. type: boolean jwt: description: JWT configures JWT authentication. properties: appIdClaim: description: |- AppIDClaim is the name of the claim holding the identifier of the application. This field is sometimes named `client_id`. type: string forwardHeaders: additionalProperties: type: string description: ForwardHeaders specifies additional headers to forward with the request. type: object jwksFile: description: |- JWKSFile contains the JWKS file content for JWT verification. Mutually exclusive with SigningSecretName, PublicKey, JWKSURL, and TrustedIssuers. type: string jwksUrl: description: |- JWKSURL is the URL to fetch the JWKS for JWT verification. Mutually exclusive with SigningSecretName, PublicKey, JWKSFile, and TrustedIssuers. Deprecated: Use TrustedIssuers instead for more flexible JWKS configuration with issuer validation. type: string x-kubernetes-validations: - message: must be a valid HTTPS URL rule: isURL(self) && self.startsWith('https://') publicKey: description: |- PublicKey is the PEM-encoded public key for JWT verification. Mutually exclusive with SigningSecretName, JWKSFile, JWKSURL, and TrustedIssuers. type: string signingSecretName: description: |- SigningSecretName is the name of the Kubernetes Secret containing the signing secret. The secret must be of type Opaque and contain a key named 'value'. Mutually exclusive with PublicKey, JWKSFile, JWKSURL, and TrustedIssuers. maxLength: 253 type: string stripAuthorizationHeader: description: StripAuthorizationHeader determines whether to strip the Authorization header before forwarding the request. type: boolean tokenNameClaim: description: |- TokenNameClaim is the name of the claim holding the name of the token. This name, if provided, will be used in the metrics. type: string tokenQueryKey: description: TokenQueryKey specifies the query parameter name for the JWT token. type: string trustedIssuers: description: |- TrustedIssuers defines multiple JWKS providers with optional issuer validation. Mutually exclusive with SigningSecretName, PublicKey, JWKSFile, and JWKSURL. items: description: TrustedIssuer represents a trusted JWT issuer with its associated JWKS endpoint for token verification. properties: issuer: description: |- Issuer is the expected value of the "iss" claim. If specified, tokens must have this exact issuer to be validated against this JWKS. The issuer value must match exactly, including trailing slashes and URL encoding. If omitted, this JWKS acts as a fallback for any issuer. type: string jwksUrl: description: JWKSURL is the URL to fetch the JWKS from. type: string x-kubernetes-validations: - message: must be a valid HTTPS URL rule: isURL(self) && self.startsWith('https://') required: - jwksUrl type: object maxItems: 100 minItems: 1 type: array required: - appIdClaim type: object x-kubernetes-validations: - message: exactly one of signingSecretName, publicKey, jwksFile, jwksUrl, or trustedIssuers must be specified rule: '[has(self.signingSecretName), has(self.publicKey), has(self.jwksFile), has(self.jwksUrl), has(self.trustedIssuers)].filter(x, x).size() == 1' - message: trustedIssuers must not be empty when specified rule: '!has(self.trustedIssuers) || size(self.trustedIssuers) > 0' - message: only one entry in trustedIssuers may omit the issuer field rule: '!has(self.trustedIssuers) || self.trustedIssuers.filter(x, !has(x.issuer) || x.issuer == "").size() <= 1' ldap: description: LDAP configures LDAP authentication. properties: attribute: default: cn description: |- Attribute is the LDAP object attribute used to form a bind DN when sending bind queries. The bind DN is formed as =,. type: string baseDn: description: BaseDN is the base domain name that should be used for bind and search queries. type: string bindDn: description: |- BindDN is the domain name to bind to in order to authenticate to the LDAP server when running in search mode. If empty, an anonymous bind will be done. type: string bindPasswordSecretName: description: |- BindPasswordSecretName is the name of the Kubernetes Secret containing the password for the bind DN. The secret must contain a key named 'password'. maxLength: 253 type: string certificateAuthority: description: |- CertificateAuthority is a PEM-encoded certificate to use to establish a connection with the LDAP server if the connection uses TLS but that the certificate was signed by a custom Certificate Authority. type: string insecureSkipVerify: description: InsecureSkipVerify controls whether the server's certificate chain and host name is verified. type: boolean searchFilter: description: |- SearchFilter is used to filter LDAP search queries. Example: (&(objectClass=inetOrgPerson)(gidNumber=500)(uid=%s)) %s can be used as a placeholder for the username. type: string startTls: description: StartTLS instructs the middleware to issue a StartTLS request when initializing the connection with the LDAP server. type: boolean url: description: URL is the URL of the LDAP server, including the protocol (ldap or ldaps) and the port. type: string x-kubernetes-validations: - message: must be a valid LDAP URL rule: isURL(self) && (self.startsWith('ldap://') || self.startsWith('ldaps://')) required: - baseDn - url type: object required: - isDefault type: object x-kubernetes-validations: - message: exactly one authentication method must be specified rule: '[has(self.apiKey), has(self.jwt), has(self.ldap)].filter(x, x).size() == 1' status: description: The current status of this APIAuth. properties: conditions: items: description: Condition contains details for one aspect of the current state of this API Resource. properties: lastTransitionTime: description: |- lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- message is a human readable message indicating details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: description: |- observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: description: |- reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: description: status of the condition, one of True, False, Unknown. enum: - "True" - "False" - Unknown type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - lastTransitionTime - message - reason - status - type type: object type: array hash: description: Hash is a hash representing the APIAuth. type: string syncedAt: format: date-time type: string version: type: string type: object type: object served: true storage: true subresources: status: {}