
Ztoperator API Reference

Packages:

ztoperator.kartverket.no/v1alpha1

Resource Types:

AuthPolicy

AuthPolicy is the Schema for the authpolicies API.

| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | ztoperator.kartverket.no/v1alpha1 | true |
| kind | string | AuthPolicy | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object | AuthPolicySpec defines the desired state of AuthPolicy. | false |
| status | object | AuthPolicyStatus defines the observed state of AuthPolicy. | false |

AuthPolicy.spec

AuthPolicySpec defines the desired state of AuthPolicy.

| Name | Type | Description | Required |
|---|---|---|---|
| enabled | boolean | Whether to enable JWT validation. If enabled, incoming JWTs will be validated against the issuer specified in the app registration and the generated audience. | true |
| selector | object | The Selector specifies which workload the defined auth policy should be applied to. | true |
| wellKnownURI | string | WellKnownURI specifies the URI of the identity provider's discovery document (also known as the well-known endpoint). | true |
| acceptedResources | []string | AcceptedResources is used as a validation field following RFC 8707. It defines the accepted audience resource indicators in the JWT token. Each resource indicator must be a valid URI, and the indicator must be present in the aud claim of the JWT token. | false |
| audience | []string | Audience defines the accepted audience (aud) values in the JWT. At least one of the listed audience values must be present in the token's aud claim for validation to succeed. | false |
| authRules | []object | AuthRules defines rules for allowing HTTP requests based on conditions on JWT claims that must be met. API endpoints not covered by AuthRules and/or IgnoreAuthRules require an authenticated JWT by default. | false |
| autoLogin | object | AutoLogin specifies the configuration needed to log in users. | false |
| forwardJwt | boolean | If set to true, the original token is kept for the upstream request. Defaults to true. | false |
| ignoreAuthRules | []object | IgnoreAuthRules defines request matchers for HTTP requests that do not require JWT authentication. API endpoints not covered by AuthRules or IgnoreAuthRules require an authenticated JWT by default. | false |
| oAuthCredentials | object | OAuthCredentials specifies a reference to a Kubernetes secret in the same namespace holding the OAuth credentials used for authentication. | false |
| outputClaimToHeaders | []object | OutputClaimsToHeaders specifies a list of operations that copy claims to HTTP headers on a successfully verified token. The header specified in each operation in the list must be unique. Nested claims of type string/int/bool are supported as well. If the claim is an object or array, it is added to the header as a base64-encoded JSON string. | false |

AuthPolicy.spec.selector

The Selector specifies which workload the defined auth policy should be applied to.

| Name | Type | Description | Required |
|---|---|---|---|
| matchLabels | map[string]string | One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. The scope of the label search is restricted to the configuration namespace in which the resource is present. Validations: `self.all(key, !key.contains('*'))`: wildcard not allowed in label key match; `self.all(key, key.size() != 0)`: key must not be empty. | false |

AuthPolicy.spec.authRules[index]

RequestAuthRule defines a rule for controlling access to HTTP requests using JWT authentication.

| Name | Type | Description | Required |
|---|---|---|---|
| paths | []string | Paths specifies the set of URI paths that this rule applies to. Each path must be a valid URI path, starting with '/' and not ending with '/'. | true |
| denyRedirect | boolean | DenyRedirect specifies whether a request denied due to missing or invalid authentication should trigger auto-login (if configured). Defaults to false, meaning auto-login will be triggered (if configured). | false |
| methods | []string | Methods specifies the HTTP methods that apply to the defined paths. If omitted, all methods are permitted. Allowed methods: GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS, TRACE, CONNECT. | false |
| when | []object | When defines additional conditions based on JWT claims that must be met. The request is permitted if at least one of the specified conditions is satisfied. | false |

AuthPolicy.spec.authRules[index].when[index]

Condition represents a rule that evaluates JWT claims to determine access control.

This type allows defining conditions that check whether a specific claim in the JWT token contains one of the expected values.

If multiple conditions are specified, all must be met (AND logic) for the request to be allowed.

| Name | Type | Description | Required |
|---|---|---|---|
| claim | string | Claim specifies the name of the JWT claim to check. | true |
| values | []string | Values specifies a list of allowed values for the claim. If the claim in the JWT contains any of these values (OR logic), the condition is met. | true |

AuthPolicy.spec.autoLogin

AutoLogin specifies the configuration needed to log in users.

| Name | Type | Description | Required |
|---|---|---|---|
| enabled | boolean | Whether to enable auto login. If enabled, users accessing authenticated endpoints will be redirected to log in towards the configured identity provider. | true |
| logoutPath | string | LogoutPath specifies which URI to redirect the user to when signing out. This will end the session for the application, but not the session towards the configured identity provider. This feature will hopefully soon be available in later releases of Istio, ref. envoy/envoyproxy. | true |
| redirectPath | string | RedirectPath specifies which path to redirect the user to after completing the OIDC flow. | true |
| scopes | []string | Scopes specifies the OAuth2 scopes used during the authorization code flow. | true |
| loginPath | string | LoginPath specifies a list of URI paths that should trigger the auto-login behavior. When a request matches any of these paths, the user will be redirected to log in if not already authenticated. | false |

AuthPolicy.spec.ignoreAuthRules[index]

RequestMatcher defines paths and methods to match incoming HTTP requests.

| Name | Type | Description | Required |
|---|---|---|---|
| paths | []string | Paths specifies the set of URI paths that this rule applies to. Each path must be a valid URI path, starting with '/' and not ending with '/'. | true |
| methods | []string | Methods specifies the HTTP methods that apply to the defined paths. If omitted, all methods are permitted. Allowed methods: GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS, TRACE, CONNECT. | false |

AuthPolicy.spec.oAuthCredentials

OAuthCredentials specifies a reference to a Kubernetes secret in the same namespace holding the OAuth credentials used for authentication.

| Name | Type | Description | Required |
|---|---|---|---|
| clientIDKey | string | ClientIDKey specifies the data key used to access the client ID. | true |
| clientSecretKey | string | ClientSecretKey specifies the data key used to access the client secret. | true |
| secretRef | string | SecretRef specifies the name of the Kubernetes secret. | true |

AuthPolicy.spec.outputClaimToHeaders[index]

ClaimToHeader specifies one operation that copies a claim to an HTTP header on a successfully verified token. The header specified in each operation in the list must be unique. Nested claims of type string/int/bool are supported as well.

| Name | Type | Description | Required |
|---|---|---|---|
| claim | string | Claim specifies the name of the claim in the JWT token that will be copied to the header. | true |
| header | string | Header specifies the name of the HTTP header to which the claim value will be copied. | true |
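A complete AuthPolicy manifest that exercises the spec fields documented above, added here as an illustration and not taken from the project's own documentation. The workload label, hostnames, secret name, claim name, header name and paths are constructed placeholders; the field names and semantics are those described in the tables.

```yaml
# Constructed example, not from the ztoperator project docs.
apiVersion: ztoperator.kartverket.no/v1alpha1
kind: AuthPolicy
metadata:
  name: orders-api-authpolicy          # placeholder name
spec:
  enabled: true                         # validate incoming JWTs
  selector:
    matchLabels:
      app: orders-api                   # placeholder workload label
  wellKnownURI: https://idp.example.com/.well-known/openid-configuration
  audience:
    - orders-api-client                 # at least one must appear in aud
  acceptedResources:
    - https://orders.example.com        # RFC 8707 resource indicator in aud
  forwardJwt: true                      # keep the token on the upstream request
  ignoreAuthRules:                      # no JWT required for these matchers
    - paths:
        - /healthz
        - /public
      methods:
        - GET
  authRules:                            # JWT required plus claim conditions
    - paths:
        - /admin
      methods:
        - GET
        - POST
      denyRedirect: true                # return a denial, do not auto-login
      when:
        - claim: roles                  # placeholder claim name
          values:                       # any listed value satisfies it
            - admin
  autoLogin:
    enabled: true
    loginPath: /login
    logoutPath: /logout
    redirectPath: /oauth2/callback
    scopes:
      - openid
      - profile
  oAuthCredentials:
    secretRef: orders-api-oauth         # placeholder Secret in the same namespace
    clientIDKey: client-id
    clientSecretKey: client-secret
  outputClaimToHeaders:
    - claim: sub
      header: x-jwt-sub                 # placeholder header name, must be unique
```

Every path not listed under authRules or ignoreAuthRules still requires an authenticated JWT, as the spec description states.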

AuthPolicy.status

AuthPolicyStatus defines the observed state of AuthPolicy.

| Name | Type | Description | Required |
|---|---|---|---|
| ready | boolean |  | true |
| conditions | []object |  | false |
| message | string |  | false |
| observedGeneration | integer | Format: int64 | false |
| phase | string |  | false |

AuthPolicy.status.conditions[index]

Condition contains details for one aspect of the current state of this API Resource.

| Name | Type | Description | Required |
|---|---|---|---|
| lastTransitionTime | string | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time | true |
| message | string | message is a human readable message indicating details about the transition. This may be an empty string. | true |
| reason | string | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. | true |
| status | enum | status of the condition, one of True, False, Unknown. Enum: True, False, Unknown | true |
| type | string | type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) | true |
| observedGeneration | integer | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64. Minimum: 0 | false |