Ztoperator API Reference
Packages:
ztoperator.kartverket.no/v1alpha1
Resource Types:
AuthPolicy
AuthPolicy is the Schema for the authpolicies API.
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | ztoperator.kartverket.no/v1alpha1 | true |
kind | string | AuthPolicy | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | AuthPolicySpec defines the desired state of AuthPolicy. | false |
status | object | AuthPolicyStatus defines the observed state of AuthPolicy. | false |
AuthPolicy.spec
AuthPolicySpec defines the desired state of AuthPolicy.
Name | Type | Description | Required |
---|---|---|---|
enabled | boolean | Whether to enable JWT validation.
If enabled, incoming JWTs will be validated against the issuer specified in the app registration and the generated audience. | true |
selector | object | The Selector specifies which workload the defined auth policy should be applied to. | true |
wellKnownURI | string | WellKnownURI specifies the URI of the identity provider's discovery document (also known as the well-known endpoint). | true |
acceptedResources | []string | AcceptedResources is used as a validation field following RFC8707. It defines accepted audience resource indicators in the JWT token. Each resource indicator must be a valid URI, and the indicator must be present as the | false |
audience | []string | Audience defines the accepted audience ( | false |
authRules | []object | AuthRules defines rules for allowing HTTP requests based on conditions on JWT claims that must be met. API endpoints not covered by AuthRules and/or IgnoreAuthRules require an authenticated JWT by default. | false |
autoLogin | object | AutoLogin specifies the required configuration needed to log in users. | false |
forwardJwt | boolean | If set to | false |
ignoreAuthRules | []object | IgnoreAuthRules defines request matchers for HTTP requests that do not require JWT authentication. API endpoints not covered by AuthRules or IgnoreAuthRules require an authenticated JWT by default. | false |
oAuthCredentials | object | OAuthCredentials specifies a reference to a Kubernetes secret in the same namespace holding OAuth credentials used for authentication. | false |
outputClaimToHeaders | []object | OutputClaimsToHeaders specifies a list of operations to copy claims to HTTP headers on a successfully verified token.
The header specified in each operation in the list must be unique. Nested claims of type string/int/bool are supported as well.
If the claim is an object or array, it will be added to the header as a base64-encoded JSON string. | false |
AuthPolicy.spec.selector
The Selector specifies which workload the defined auth policy should be applied to.
Name | Type | Description | Required |
---|---|---|---|
matchLabels | map[string]string | One or more labels that indicate a specific set of pods/VMs
on which a policy should be applied. The scope of label search is restricted to
the configuration namespace in which the resource is present. Validations: | false |
AuthPolicy.spec.authRules[index]
RequestAuthRule defines a rule for controlling access to HTTP requests using JWT authentication.
Name | Type | Description | Required |
---|---|---|---|
paths | []string | Paths specify a set of URI paths that this rule applies to.
Each path must be a valid URI path, starting with '/' and not ending with '/'. | true |
denyRedirect | boolean | DenyRedirect specifies whether a request denied because of missing or invalid authentication should be denied outright instead of triggering auto-login (if configured).
Defaults to false, meaning auto-login is triggered (if configured). | false |
methods | []string | Methods specifies the HTTP methods that apply to the defined paths. If omitted, all methods are permitted. Allowed methods: | false |
when | []object | When defines additional conditions based on JWT claims that must be met. The request is permitted if at least one of the specified conditions is satisfied. | false |
AuthPolicy.spec.authRules[index].when[index]
Condition represents a rule that evaluates JWT claims to determine access control.
This type allows defining conditions that check whether a specific claim in the JWT token contains one of the expected values.
If multiple conditions are specified, all must be met (AND logic) for the request to be allowed.
Name | Type | Description | Required |
---|---|---|---|
claim | string | Claim specifies the name of the JWT claim to check. | true |
values | []string | Values specifies a list of allowed values for the claim.
If the claim in the JWT contains any of these values (OR logic), the condition is met. | true |
AuthPolicy.spec.autoLogin
AutoLogin specifies the required configuration needed to log in users.
Name | Type | Description | Required |
---|---|---|---|
enabled | boolean | Whether to enable auto login.
If enabled, users accessing authenticated endpoints will be redirected to log in towards the configured identity provider. | true |
logoutPath | string | LogoutPath specifies which URI to redirect the user to when signing out.
This will end the session for the application, but not the session towards the configured identity provider.
This feature will hopefully soon be available in later releases of Istio, ref. envoy/envoyproxy. | true |
redirectPath | string | RedirectPath specifies which path to redirect the user to after completing the OIDC flow. | true |
scopes | []string | Scopes specifies the OAuth2 scopes used during authorization code flow. | true |
loginPath | string | LoginPath specifies a list of URI paths that should trigger the auto-login behavior.
When a request matches any of these paths, the user will be redirected to log in if not already authenticated. | false |
AuthPolicy.spec.ignoreAuthRules[index]
RequestMatcher defines paths and methods to match incoming HTTP requests.
Name | Type | Description | Required |
---|---|---|---|
paths | []string | Paths specify a set of URI paths that this rule applies to.
Each path must be a valid URI path, starting with '/' and not ending with '/'. | true |
methods | []string | Methods specifies the HTTP methods that apply to the defined paths. If omitted, all methods are permitted. Allowed methods: | false |
AuthPolicy.spec.oAuthCredentials
OAuthCredentials specifies a reference to a Kubernetes secret in the same namespace holding OAuth credentials used for authentication.
Name | Type | Description | Required |
---|---|---|---|
clientIDKey | string | ClientIDKey specifies the data key to access the client ID. | true |
clientSecretKey | string | ClientSecretKey specifies the data key to access the client secret. | true |
secretRef | string | SecretRef specifies the name of the kubernetes secret. | true |
AuthPolicy.spec.outputClaimToHeaders[index]
ClaimToHeader specifies one operation to copy a claim to an HTTP header on a successfully verified token. The header specified in each operation in the list must be unique. Nested claims of type string/int/bool are supported as well.
Name | Type | Description | Required |
---|---|---|---|
claim | string | Claim specifies the name of the claim in the JWT token that will be copied to the header. | true |
header | string | Header specifies the name of the HTTP header to which the claim value will be copied. | true |
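The tables above describe the fields one at a time; the manifest below puts them together in a single AuthPolicy so the relationships between them are visible. This is an added example, not a manifest from the ztoperator project: the namespace, workload label, identity-provider URL, audience, secret name and paths are all hypothetical placeholders chosen to illustrate the fields. Note how the rules compose: `/healthz` and `/docs` need no token at all (ignoreAuthRules), `/admin` additionally requires a `roles` claim containing `admin` and is denied outright rather than redirected to login (denyRedirect), and every other path on the workload falls through to the default of requiring a valid JWT. The Secret's data keys must match `clientIDKey` and `clientSecretKey`, and every path starts with `/` and does not end with `/`, as the path fields require.

```yaml
# Added example (hypothetical values), not code from the ztoperator project.
apiVersion: ztoperator.kartverket.no/v1alpha1
kind: AuthPolicy
metadata:
  name: example-api            # hypothetical
  namespace: example-ns        # hypothetical; selector and secretRef are resolved here
spec:
  enabled: true                # validate incoming JWTs
  selector:
    matchLabels:
      app: example-api         # hypothetical pod label the policy attaches to
  # Discovery document of the identity provider (hypothetical URL).
  wellKnownURI: https://idp.example.com/.well-known/openid-configuration
  audience:
    - example-api-client-id    # hypothetical accepted audience
  acceptedResources:
    - https://api.example.com  # hypothetical RFC 8707 resource indicator (must be a valid URI)

  # Requests matching these never need a JWT.
  ignoreAuthRules:
    - paths:
        - /healthz
        - /docs
      methods:
        - GET

  # Requests matching these need a JWT AND the listed claim condition.
  authRules:
    - paths:
        - /admin
      methods:
        - GET
        - POST
      denyRedirect: true       # API clients get a denial instead of a login redirect
      when:
        - claim: roles
          values:
            - admin

  # Browser users hitting an authenticated path are sent through the OIDC flow.
  autoLogin:
    enabled: true
    loginPath: /login
    logoutPath: /logout
    redirectPath: /oauth2/callback
    scopes:
      - openid
      - profile

  # Client credentials for the authorization code flow live in a Secret in the same namespace.
  oAuthCredentials:
    secretRef: example-oauth-credentials
    clientIDKey: client-id
    clientSecretKey: client-secret

  # Copy the verified subject claim into a header the workload can trust.
  outputClaimToHeaders:
    - claim: sub
      header: x-user-id
---
# Hypothetical Secret referenced above; the keys match clientIDKey/clientSecretKey.
apiVersion: v1
kind: Secret
metadata:
  name: example-oauth-credentials
  namespace: example-ns
type: Opaque
stringData:
  client-id: "<client-id-from-idp>"          # placeholder
  client-secret: "<client-secret-from-idp>"  # placeholder
```

After applying the manifest, `kubectl get authpolicy example-api -n example-ns -o yaml` shows the `status` fields documented below (`ready`, `phase`, `conditions`); a `conditions[].observedGeneration` that lags `metadata.generation` means the controller has not yet reconciled the latest spec.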
AuthPolicy.status
AuthPolicyStatus defines the observed state of AuthPolicy.
Name | Type | Description | Required |
---|---|---|---|
ready | boolean | | true |
conditions | []object | | false |
message | string | | false |
observedGeneration | integer | Format: int64 | false |
phase | string | | false |
AuthPolicy.status.conditions[index]
Condition contains details for one aspect of the current state of this API Resource.
Name | Type | Description | Required |
---|---|---|---|
lastTransitionTime | string | lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time | true |
message | string | message is a human readable message indicating details about the transition.
This may be an empty string. | true |
reason | string | reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty. | true |
status | enum | status of the condition, one of True, False, Unknown. Enum: True, False, Unknown | true |
type | string | type of condition in CamelCase or in foo.example.com/CamelCase.
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) | true |
observedGeneration | integer | observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance. Format: int64 | false |