alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests Actions Activity
Files
1ca1b591abd5483445e7a909f0a5afdfc904c655
infrastructure/clusters/cl01tl/manifests/traefik/CustomResourceDefinition-apiauths.hub.traefik.io.yaml
gitea-bot 322a762179 Automated Manifest Update (#2728) 
This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.

Reviewed-on: #2728
Co-authored-by: gitea-bot <gitea-bot@alexlebens.net>
Co-committed-by: gitea-bot <gitea-bot@alexlebens.net>
2025-12-20 00:51:01 +00:00

264 lines
14 KiB
YAML
Raw Blame History

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
name: apiauths.hub.traefik.io
spec:
group: hub.traefik.io
names:
kind: APIAuth
listKind: APIAuthList
plural: apiauths
singular: apiauth
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: APIAuth defines the authentication configuration for APIs.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: The desired behavior of this APIAuth.
properties:
apiKey:
description: APIKey configures API key authentication.
type: object
x-kubernetes-preserve-unknown-fields: true
isDefault:
description: |-
IsDefault specifies if this APIAuth should be used as the default API authentication method for the namespace.
Only one APIAuth per namespace should have isDefault set to true.
type: boolean
jwt:
description: JWT configures JWT authentication.
properties:
appIdClaim:
description: |-
AppIDClaim is the name of the claim holding the identifier of the application.
This field is sometimes named `client_id`.
type: string
forwardHeaders:
additionalProperties:
type: string
description: ForwardHeaders specifies additional headers to forward with the request.
type: object
jwksFile:
description: |-
JWKSFile contains the JWKS file content for JWT verification.
Mutually exclusive with SigningSecretName, PublicKey, JWKSURL, and TrustedIssuers.
type: string
jwksUrl:
description: |-
JWKSURL is the URL to fetch the JWKS for JWT verification.
Mutually exclusive with SigningSecretName, PublicKey, JWKSFile, and TrustedIssuers.
Deprecated: Use TrustedIssuers instead for more flexible JWKS configuration with issuer validation.
type: string
x-kubernetes-validations:
- message: must be a valid HTTPS URL
rule: isURL(self) && self.startsWith('https://')
publicKey:
description: |-
PublicKey is the PEM-encoded public key for JWT verification.
Mutually exclusive with SigningSecretName, JWKSFile, JWKSURL, and TrustedIssuers.
type: string
signingSecretName:
description: |-
SigningSecretName is the name of the Kubernetes Secret containing the signing secret.
The secret must be of type Opaque and contain a key named 'value'.
Mutually exclusive with PublicKey, JWKSFile, JWKSURL, and TrustedIssuers.
maxLength: 253
type: string
stripAuthorizationHeader:
description: StripAuthorizationHeader determines whether to strip the Authorization header before forwarding the request.
type: boolean
tokenNameClaim:
description: |-
TokenNameClaim is the name of the claim holding the name of the token.
This name, if provided, will be used in the metrics.
type: string
tokenQueryKey:
description: TokenQueryKey specifies the query parameter name for the JWT token.
type: string
trustedIssuers:
description: |-
TrustedIssuers defines multiple JWKS providers with optional issuer validation.
Mutually exclusive with SigningSecretName, PublicKey, JWKSFile, and JWKSURL.
items:
description: TrustedIssuer represents a trusted JWT issuer with its associated JWKS endpoint for token verification.
properties:
issuer:
description: |-
Issuer is the expected value of the "iss" claim.
If specified, tokens must have this exact issuer to be validated against this JWKS.
The issuer value must match exactly, including trailing slashes and URL encoding.
If omitted, this JWKS acts as a fallback for any issuer.
type: string
jwksUrl:
description: JWKSURL is the URL to fetch the JWKS from.
type: string
x-kubernetes-validations:
- message: must be a valid HTTPS URL
rule: isURL(self) && self.startsWith('https://')
required:
- jwksUrl
type: object
maxItems: 100
minItems: 1
type: array
required:
- appIdClaim
type: object
x-kubernetes-validations:
- message: exactly one of signingSecretName, publicKey, jwksFile, jwksUrl, or trustedIssuers must be specified
rule: '[has(self.signingSecretName), has(self.publicKey), has(self.jwksFile), has(self.jwksUrl), has(self.trustedIssuers)].filter(x, x).size() == 1'
- message: trustedIssuers must not be empty when specified
rule: '!has(self.trustedIssuers) || size(self.trustedIssuers) > 0'
- message: only one entry in trustedIssuers may omit the issuer field
rule: '!has(self.trustedIssuers) || self.trustedIssuers.filter(x, !has(x.issuer) || x.issuer == "").size() <= 1'
ldap:
description: LDAP configures LDAP authentication.
properties:
attribute:
default: cn
description: |-
Attribute is the LDAP object attribute used to form a bind DN when sending bind queries.
The bind DN is formed as <Attribute>=<Username>,<BaseDN>.
type: string
baseDn:
description: BaseDN is the base domain name that should be used for bind and search queries.
type: string
bindDn:
description: |-
BindDN is the domain name to bind to in order to authenticate to the LDAP server when running in search mode.
If empty, an anonymous bind will be done.
type: string
bindPasswordSecretName:
description: |-
BindPasswordSecretName is the name of the Kubernetes Secret containing the password for the bind DN.
The secret must contain a key named 'password'.
maxLength: 253
type: string
certificateAuthority:
description: |-
CertificateAuthority is a PEM-encoded certificate to use to establish a connection with the LDAP server if the
connection uses TLS but that the certificate was signed by a custom Certificate Authority.
type: string
insecureSkipVerify:
description: InsecureSkipVerify controls whether the server's certificate chain and host name is verified.
type: boolean
searchFilter:
description: |-
SearchFilter is used to filter LDAP search queries.
Example: (&(objectClass=inetOrgPerson)(gidNumber=500)(uid=%s))
%s can be used as a placeholder for the username.
type: string
startTls:
description: StartTLS instructs the middleware to issue a StartTLS request when initializing the connection with the LDAP server.
type: boolean
url:
description: URL is the URL of the LDAP server, including the protocol (ldap or ldaps) and the port.
type: string
x-kubernetes-validations:
- message: must be a valid LDAP URL
rule: isURL(self) && (self.startsWith('ldap://') || self.startsWith('ldaps://'))
required:
- baseDn
- url
type: object
required:
- isDefault
type: object
x-kubernetes-validations:
- message: exactly one authentication method must be specified
rule: '[has(self.apiKey), has(self.jwt), has(self.ldap)].filter(x, x).size() == 1'
status:
description: The current status of this APIAuth.
properties:
conditions:
items:
description: Condition contains details for one aspect of the current state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
hash:
description: Hash is a hash representing the APIAuth.
type: string
syncedAt:
format: date-time
type: string
version:
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
Reference in New Issue View Git Blame Copy Permalink