From e308d8fa3281a87c322fe30eb28369f30e0718e5 Mon Sep 17 00:00:00 2001 
From: Ariana W Date: Thu, 20 Jun 2024 15:23:24 -0400 Subject: [PATCH] Add kubebuilder validations in proto for extauth AuthConfig (#9481) * add maxLength * omg major :facepalm: : maxLength --> maxItems * test a CEL rule as well * ext-auth-service opaServer.Translate / ext-auth-service AuthConfig state * Revert "ext-auth-service opaServer.Translate / ext-auth-service AuthConfig state" This reverts commit c128fa8ac709c4b6f82603932ca136d23454fe3f. * add kubebuilder validations for extauth * make go-generate-apis fmt * changelog * Adding changelog file to new location * Deleting changelog file from old location * Adding changelog file to new location * Deleting changelog file from old location * PR comment; combine apr rules into one * Adding changelog file to new location * Deleting changelog file from old location * Adding changelog file to new location * Deleting changelog file from old location * move changelog * Adding changelog file to new location * Deleting changelog file from old location * Adding changelog file to new location * Deleting changelog file from old location * avoid changes to CRD using new DisableKubeMarkers flag from solo-kit / protoc-gen-openapi * codegen- presumably from solo-kit v0.35.1? * oops- committed local file * move changelog * use solo-kit release now (not branch) * bump solo-kit to v0.35.3, codegen --------- Co-authored-by: soloio-bulldozer[bot] <48420018+soloio-bulldozer[bot]@users.noreply.github.com> Co-authored-by: changelog-bot --- .../v1.18.0-beta1/authconfig-cel-rules.yaml | 6 ++ .../options/extauth/v1/extauth.proto.sk.md | 62 +++++++------- generate.go | 1 + go.mod | 4 +- go.sum | 8 +- ...enterprise.gloo.solo.io_v1_AuthConfig.yaml | 39 +++++++++ .../options/extauth/v1/extauth.proto | 77 +++++++++++++++++ .../options/extauth/v1/extauth.pb.go | 83 ++++++++++++++++++- 8 files changed, 240 insertions(+), 40 deletions(-) create mode 100644 changelog/v1.18.0-beta1/authconfig-cel-rules.yaml 
diff --git a/changelog/v1.18.0-beta1/authconfig-cel-rules.yaml b/changelog/v1.18.0-beta1/authconfig-cel-rules.yaml
new file mode 100644
index 00000000000..7983c663b7e
--- /dev/null
+++ b/changelog/v1.18.0-beta1/authconfig-cel-rules.yaml
@@ -0,0 +1,6 @@
+changelog:
+ - type: NEW_FEATURE
+ issueLink: https://github.com/solo-io/gloo-mesh-enterprise/issues/16010
+ description: |
+ Adds pre-admission [validation rules](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#validation-rules) to the `AuthConfig` CRD.
+ resolvesIssue: false
diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto.sk.md
index f67c01e1a7d..1550ca181bc 100644
--- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto.sk.md
+++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto.sk.md
@@ -164,7 +164,7 @@ format that will be included in the extauth snapshot.
 | ----- | ---- | ----------- |
 | `namespacedStatuses` | [.core.solo.io.NamespacedStatuses](../../../../../../../../../../solo-kit/api/v1/status.proto.sk/#namespacedstatuses) | NamespacedStatuses indicates the validation status of this resource. NamespacedStatuses is read-only by clients, and set by gloo during validation. |
 | `metadata` | [.core.solo.io.Metadata](../../../../../../../../../../solo-kit/api/v1/metadata.proto.sk/#metadata) | Metadata contains the object metadata for this resource. |
-| `configs` | [[]enterprise.gloo.solo.io.AuthConfig.Config](../extauth.proto.sk/#config) | List of auth configs to be checked for requests on a route referencing this auth config, By default, every config must be authorized for the entire request to be authorized. This behavior can be changed by defining names for each config and defining `boolean_expr` below. State is shared between successful requests on the chain, i.e., the headers returned from each successful auth service get appended into the final auth response. |
+| `configs` | [[]enterprise.gloo.solo.io.AuthConfig.Config](../extauth.proto.sk/#config) | List of auth configs to be checked for requests on a route referencing this auth config, By default, every config must be authorized for the entire request to be authorized. This behavior can be changed by defining names for each config and defining `boolean_expr` below. State is shared between successful requests on the chain, i.e., the headers returned from each successful auth service get appended into the final auth response. +kubebuilder:validation:Required +kubebuilder:validation:MinItems=1. |
 | `booleanExpr` | [.google.protobuf.StringValue](https://developers.google.com/protocol-buffers/docs/reference/csharp/class/google/protobuf/well-known-types/string-value) | How to handle processing of named configs within an auth config chain.
An example config might be: `( basic1 || basic2 || (oidc1 && !oidc2) )` The boolean expression is evaluated left to right but honors parenthesis and short-circuiting. |
 | `failOnRedirect` | `bool` | How the service should handle a redirect response from an OIDC issuer. In the default false mode, the redirect will be considered a successful response, and the client will receive a 302 with a location header. If this is set to true, the client will instead receive a 401 unauthorized response. This is useful in cases where API calls are being made or other such occurrences where the client cannot handle the redirect. |
@@ -195,7 +195,7 @@ format that will be included in the extauth snapshot.
 | Field | Type | Description |
 | ----- | ---- | ----------- |
 | `name` | [.google.protobuf.StringValue](https://developers.google.com/protocol-buffers/docs/reference/csharp/class/google/protobuf/well-known-types/string-value) | optional: used when defining complex boolean logic, if `boolean_expr` is defined below. Also used in logging. If omitted, an automatically generated name will be used (e.g. config_0, of the pattern 'config_$INDEX_IN_CHAIN'). In the case of plugin auth, this field is ignored in favor of the name assigned on the plugin config itself. |
-| `basicAuth` | [.enterprise.gloo.solo.io.BasicAuth](../extauth.proto.sk/#basicauth) | Only one of `basicAuth`, `oauth`, `oauth2`, `apiKeyAuth`, `pluginAuth`, `opaAuth`, `ldap`, `jwt`, `passThroughAuth`, `hmacAuth`, or `opaServerAuth` can be set. |
+| `basicAuth` | [.enterprise.gloo.solo.io.BasicAuth](../extauth.proto.sk/#basicauth) | +kubebuilder:validation:XValidation:rule="has(self.apr) ? !has(self.encryption) && !has(self.userList) : has(self.encryption) && has(self.userList)",message="Either apr or both encryption and userSource must be set; apr may not be set alongside either encryption or userSource". Only one of `basicAuth`, `oauth`, `oauth2`, `apiKeyAuth`, `pluginAuth`, `opaAuth`, `ldap`, `jwt`, `passThroughAuth`, `hmacAuth`, or `opaServerAuth` can be set. |
 | `oauth` | [.enterprise.gloo.solo.io.OAuth](../extauth.proto.sk/#oauth) | Only one of `oauth`, `basicAuth`, `oauth2`, `apiKeyAuth`, `pluginAuth`, `opaAuth`, `ldap`, `jwt`, `passThroughAuth`, `hmacAuth`, or `opaServerAuth` can be set. |
 | `oauth2` | [.enterprise.gloo.solo.io.OAuth2](../extauth.proto.sk/#oauth2) | Only one of `oauth2`, `basicAuth`, `oauth`, `apiKeyAuth`, `pluginAuth`, `opaAuth`, `ldap`, `jwt`, `passThroughAuth`, `hmacAuth`, or `opaServerAuth` can be set.
|
 | `apiKeyAuth` | [.enterprise.gloo.solo.io.ApiKeyAuth](../extauth.proto.sk/#apikeyauth) | Only one of `apiKeyAuth`, `basicAuth`, `oauth`, `oauth2`, `pluginAuth`, `opaAuth`, `ldap`, `jwt`, `passThroughAuth`, `hmacAuth`, or `opaServerAuth` can be set. |
@@ -203,7 +203,7 @@ format that will be included in the extauth snapshot.
 | `opaAuth` | [.enterprise.gloo.solo.io.OpaAuth](../extauth.proto.sk/#opaauth) | Only one of `opaAuth`, `basicAuth`, `oauth`, `oauth2`, `apiKeyAuth`, `pluginAuth`, `ldap`, `jwt`, `passThroughAuth`, `hmacAuth`, or `opaServerAuth` can be set. |
 | `ldap` | [.enterprise.gloo.solo.io.Ldap](../extauth.proto.sk/#ldap) | Only one of `ldap`, `basicAuth`, `oauth`, `oauth2`, `apiKeyAuth`, `pluginAuth`, `opaAuth`, `jwt`, `passThroughAuth`, `hmacAuth`, or `opaServerAuth` can be set. |
 | `jwt` | [.google.protobuf.Empty](https://developers.google.com/protocol-buffers/docs/reference/csharp/class/google/protobuf/well-known-types/empty) | This is a "dummy" extauth service which can be used to support multiple auth mechanisms with JWT authentication. If Jwt authentication is to be used in the [boolean expression](https://docs.solo.io/gloo-edge/latest/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto.sk/#authconfig) in an AuthConfig, you can use this auth config type to include Jwt as an Auth config. In addition, `allow_missing_or_failed_jwt` must be set on the Virtual Host or Route that uses JWT auth or else the JWT filter will short circuit this behaviour. Only one of `jwt`, `basicAuth`, `oauth`, `oauth2`, `apiKeyAuth`, `pluginAuth`, `opaAuth`, `ldap`, `passThroughAuth`, `hmacAuth`, or `opaServerAuth` can be set. |
-| `passThroughAuth` | [.enterprise.gloo.solo.io.PassThroughAuth](../extauth.proto.sk/#passthroughauth) | Only one of `passThroughAuth`, `basicAuth`, `oauth`, `oauth2`, `apiKeyAuth`, `pluginAuth`, `opaAuth`, `ldap`, `jwt`, `hmacAuth`, or `opaServerAuth` can be set. |
+| `passThroughAuth` | [.enterprise.gloo.solo.io.PassThroughAuth](../extauth.proto.sk/#passthroughauth) | +kubebuilder:validation:XValidation:rule="has(self.grpc) || has(self.http)",message="Must specify grpc or http".
Only one of `passThroughAuth`, `basicAuth`, `oauth`, `oauth2`, `apiKeyAuth`, `pluginAuth`, `opaAuth`, `ldap`, `jwt`, `hmacAuth`, or `opaServerAuth` can be set. |
 | `hmacAuth` | [.enterprise.gloo.solo.io.HmacAuth](../extauth.proto.sk/#hmacauth) | Only one of `hmacAuth`, `basicAuth`, `oauth`, `oauth2`, `apiKeyAuth`, `pluginAuth`, `opaAuth`, `ldap`, `jwt`, `passThroughAuth`, or `opaServerAuth` can be set. |
 | `opaServerAuth` | [.enterprise.gloo.solo.io.OpaServerAuth](../extauth.proto.sk/#opaserverauth) | Only one of `opaServerAuth`, `basicAuth`, `oauth`, `oauth2`, `apiKeyAuth`, `pluginAuth`, `opaAuth`, `ldap`, `jwt`, `passThroughAuth`, or `hmacAuth` can be set. |
@@ -424,7 +424,7 @@ This is used with custom auth servers.
 | `name` | `string` | Name of the plugin. |
 | `pluginFileName` | `string` | Name of the compiled plugin file. If not specified, Gloo Edge will look for an ".so" file with same name as the plugin. |
 | `exportedSymbolName` | `string` | Name of the exported symbol that implements the plugin interface in the plugin. If not specified, defaults to the name of the plugin. |
-| `config` | [.google.protobuf.Struct](https://developers.google.com/protocol-buffers/docs/reference/csharp/class/google/protobuf/well-known-types/struct) | |
+| `config` | [.google.protobuf.Struct](https://developers.google.com/protocol-buffers/docs/reference/csharp/class/google/protobuf/well-known-types/struct) | +kubebuilder:validation:Required. |
@@ -601,7 +601,7 @@ It conforms to https://www.ietf.org/rfc/rfc2104.txt
 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `secretRefs` | [.enterprise.gloo.solo.io.SecretRefList](../extauth.proto.sk/#secretreflist) | |
+| `secretRefs` | [.enterprise.gloo.solo.io.SecretRefList](../extauth.proto.sk/#secretreflist) | +kubebuilder:validation:Required. |
 | `parametersInHeaders` | [.enterprise.gloo.solo.io.HmacParametersInHeaders](../extauth.proto.sk/#hmacparametersinheaders) | |
@@ -619,7 +619,7 @@ It conforms to https://www.ietf.org/rfc/rfc2104.txt
 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `secretRefs` | [[]core.solo.io.ResourceRef](../../../../../../../../../../solo-kit/api/v1/ref.proto.sk/#resourceref) | list of secrets as registered with the issuer. |
+| `secretRefs` | [[]core.solo.io.ResourceRef](../../../../../../../../../../solo-kit/api/v1/ref.proto.sk/#resourceref) | list of secrets as registered with the issuer +kubebuilder:validation:Required +kubebuilder:validation:MinItems=1. |
@@ -663,7 +663,7 @@ Deprecated: Prefer OAuth2
 | `clientSecretRef` | [.core.solo.io.ResourceRef](../../../../../../../../../../solo-kit/api/v1/ref.proto.sk/#resourceref) | your client secret as registered with the issuer. |
 | `issuerUrl` | `string` | The url of the issuer. We will look for OIDC information in issuerUrl+ ".well-known/openid-configuration". |
 | `authEndpointQueryParams` | `map` | extra query parameters to apply to the Ext-Auth service's authorization request to the identity provider. |
-| `appUrl` | `string` | we to redirect after successful auth, if we can't determine the original url this should be your publicly available app url. |
+| `appUrl` | `string` | we to redirect after successful auth, if we can't determine the original url this should be your publicly available app url. +kubebuilder:validation:Required +kubebuilder:validation:MinLength=1. |
 | `callbackPath` | `string` | a callback path relative to app url that will be used for OIDC callbacks. needs to not be used by the application. |
 | `scopes` | `[]string` | Scopes to request in addition to openid scope. |
@@ -684,9 +684,9 @@ Deprecated: Prefer OAuth2
 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `oidcAuthorizationCode` | [.enterprise.gloo.solo.io.OidcAuthorizationCode](../extauth.proto.sk/#oidcauthorizationcode) | provide issuer location and let gloo handle OIDC flow for you. requests authorized by validating the contents of ID token. can also authorize the access token if configured. Only one of `oidcAuthorizationCode`, `accessTokenValidation`, or `oauth2` can be set. |
+| `oidcAuthorizationCode` | [.enterprise.gloo.solo.io.OidcAuthorizationCode](../extauth.proto.sk/#oidcauthorizationcode) | provide issuer location and let gloo handle OIDC flow for you. requests authorized by validating the contents of ID token. can also authorize the access token if configured. +kubebuilder:validation:XValidation:rule="has(self.clientAuthentication) ? !has(self.clientSecretRef) && !has(self.disableClientSecret) : has(self.clientSecretRef) || (has(self.disableClientSecret) && self.disableClientSecret)",message="If clientAuthentication is set, neither clientSecretRef nor disableClientSecret may be set. Otherwise, clientSecretRef must be set or disableClientSecret must be true.". Only one of `oidcAuthorizationCode`, `accessTokenValidation`, or `oauth2` can be set. |
 | `accessTokenValidation` | [.enterprise.gloo.solo.io.AccessTokenValidation](../extauth.proto.sk/#accesstokenvalidation) | provide the access token on the request and let gloo handle authorization. according to https://tools.ietf.org/html/rfc6750 you can pass tokens through: - form-encoded body parameter. recommended, more likely to appear. e.g.: Authorization: Bearer mytoken123 - URI query parameter e.g. access_token=mytoken123 - and (preferably) secure cookies. Only one of `accessTokenValidation`, `oidcAuthorizationCode`, or `oauth2` can be set. |
-| `oauth2` | [.enterprise.gloo.solo.io.PlainOAuth2](../extauth.proto.sk/#plainoauth2) | Enterprise-Only: THIS FEATURE IS IN TECH PREVIEW.
APIs are versioned as alpha and subject to change. provide issuer location and let Gloo handle Oauth2 flow for you. requests authorized by validating the contents of access token. Prefer to use OIDC for better security. Only one of `oauth2`, `oidcAuthorizationCode`, or `accessTokenValidation` can be set. |
+| `oauth2` | [.enterprise.gloo.solo.io.PlainOAuth2](../extauth.proto.sk/#plainoauth2) | Enterprise-Only: THIS FEATURE IS IN TECH PREVIEW. APIs are versioned as alpha and subject to change. provide issuer location and let Gloo handle Oauth2 flow for you. requests authorized by validating the contents of access token. Prefer to use OIDC for better security. +kubebuilder:validation:XValidation:rule="has(self.clientSecretRef) || (has(self.disableClientSecret) && self.disableClientSecret)",message="Either clientSecretRef must be set or disableClientSecret must be true". Only one of `oauth2`, `oidcAuthorizationCode`, or `accessTokenValidation` can be set. |
@@ -1063,13 +1063,13 @@ Map a single claim from an OAuth2 or OIDC token to a header in the request to th
 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `clientId` | `string` | your client id as registered with the issuer. |
+| `clientId` | `string` | your client id as registered with the issuer +kubebuilder:validation:Required +kubebuilder:validation:MinLength=1. |
 | `clientSecretRef` | [.core.solo.io.ResourceRef](../../../../../../../../../../solo-kit/api/v1/ref.proto.sk/#resourceref) | your client secret as registered with the issuer. This is required unless `disable_client_secret` is true This field has been deprecated and can be set in the client_secret option of client_authentication. |
-| `issuerUrl` | `string` | The url of the issuer. We will look for OIDC information in issuerUrl+ ".well-known/openid-configuration". |
+| `issuerUrl` | `string` | The url of the issuer. We will look for OIDC information in issuerUrl+ ".well-known/openid-configuration" +kubebuilder:validation:Required +kubebuilder:validation:MinLength=1. |
 | `authEndpointQueryParams` | `map` | extra query parameters to apply to the Ext-Auth service's authorization request to the identity provider. this can be useful for flows such as PKCE (https://www.oauth.com/oauth2-servers/pkce/authorization-request/) to set the `code_challenge` and `code_challenge_method`. |
 | `tokenEndpointQueryParams` | `map` | extra query parameters to apply to the Ext-Auth service's token request to the identity provider. this can be useful for flows such as PKCE (https://www.oauth.com/oauth2-servers/pkce/authorization-request/) to set the `code_verifier`. |
-| `appUrl` | `string` | where to redirect after successful auth, if we can't determine the original url. this should be your publicly available app url. |
-| `callbackPath` | `string` | a callback path relative to app url that will be used for OIDC callbacks. should not be used by the application.
|
+| `appUrl` | `string` | where to redirect after successful auth, if we can't determine the original url. this should be your publicly available app url. +kubebuilder:validation:Required +kubebuilder:validation:MinLength=1. |
+| `callbackPath` | `string` | a callback path relative to app url that will be used for OIDC callbacks. should not be used by the application. +kubebuilder:validation:Required +kubebuilder:validation:MinLength=1. |
 | `logoutPath` | `string` | a path relative to app url that will be used for logging out from an OIDC session. should not be used by the application. If not provided, logout functionality will be disabled. |
 | `afterLogoutUrl` | `string` | url to redirect to after logout. This should be a publicly available URL. If not provided, will default to the `app_url`. |
 | `scopes` | `[]string` | Scopes to request in addition to openid scope. |
@@ -1086,7 +1086,7 @@ Map a single claim from an OAuth2 or OIDC token to a header in the request to th
 | `disableClientSecret` | [.google.protobuf.BoolValue](https://developers.google.com/protocol-buffers/docs/reference/csharp/class/google/protobuf/well-known-types/bool-value) | If true, do not check for or use the client secret. Generally the client secret is required and AuthConfigs will be rejected if it isn't set. However certain implementations of the PKCE flow do not use a client secret (including Okta) so this setting allows configuring Oidc without a client secret. This field has been deprecated and can be set in the client_secret option of client_authentication. |
 | `accessToken` | [.enterprise.gloo.solo.io.OidcAuthorizationCode.AccessToken](../extauth.proto.sk/#accesstoken) | Optional: Configuration specific to the OAuth2 access token received and processed by the ext-auth-service. |
 | `identityToken` | [.enterprise.gloo.solo.io.OidcAuthorizationCode.IdentityToken](../extauth.proto.sk/#identitytoken) | Optional: Configuration specific to the OIDC identity token received and processed by the ext-auth-service. |
-| `clientAuthentication` | [.enterprise.gloo.solo.io.OidcAuthorizationCode.ClientAuthentication](../extauth.proto.sk/#clientauthentication) | |
+| `clientAuthentication` | [.enterprise.gloo.solo.io.OidcAuthorizationCode.ClientAuthentication](../extauth.proto.sk/#clientauthentication) | +kubebuilder:validation:XValidation:rule="has(self.clientSecret) || has(self.privateKeyJwt)",message="Must specify clientSecret or privateKeyJwt". |
 | `default` | [.enterprise.gloo.solo.io.OidcAuthorizationCode.Default](../extauth.proto.sk/#default) | Only one of `default` or `azure` can be set. |
 | `azure` | [.enterprise.gloo.solo.io.OidcAuthorizationCode.Azure](../extauth.proto.sk/#azure) | Only one of `azure` or `default` can be set. |
@@ -1146,7 +1146,7 @@ Configuration specific to the client authentication type used to exchange the ac
 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `clientSecret` | [.enterprise.gloo.solo.io.OidcAuthorizationCode.ClientAuthentication.ClientSecret](../extauth.proto.sk/#clientsecret) | Use the client secret method to authenticate the client. Only one of `clientSecret` or `privateKeyJwt` can be set. |
+| `clientSecret` | [.enterprise.gloo.solo.io.OidcAuthorizationCode.ClientAuthentication.ClientSecret](../extauth.proto.sk/#clientsecret) | Use the client secret method to authenticate the client +kubebuilder:validation:XValidation:rule="has(self.clientSecretRef) || (has(self.disableClientSecret) && self.disableClientSecret)",message="Either clientSecretRef must be set or disableClientSecret must be true". Only one of `clientSecret` or `privateKeyJwt` can be set. |
 | `privateKeyJwt` | [.enterprise.gloo.solo.io.OidcAuthorizationCode.ClientAuthentication.PrivateKeyJwt](../extauth.proto.sk/#privatekeyjwt) | Use the private ket JWT method to authenticate the client. Only one of `privateKeyJwt` or `clientSecret` can be set. |
@@ -1186,7 +1186,7 @@ Private Key JWT Authentication requires a signing key for the JWT and an duratio
 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `signingKeyRef` | [.core.solo.io.ResourceRef](../../../../../../../../../../solo-kit/api/v1/ref.proto.sk/#resourceref) | Signing key for the JWT used to authenticate the client. |
+| `signingKeyRef` | [.core.solo.io.ResourceRef](../../../../../../../../../../solo-kit/api/v1/ref.proto.sk/#resourceref) | Signing key for the JWT used to authenticate the client +kubebuilder:validation:Required. |
 | `validFor` | [.google.protobuf.Duration](https://developers.google.com/protocol-buffers/docs/reference/csharp/class/google/protobuf/well-known-types/duration) | Amount of time for which the JWT is valid. No maximmum is enforced, but different IDPs may impose limits on how far in the future the expiration time is allowed to be. If omitted, default is 5s. |
@@ -1258,18 +1258,18 @@ This way, you can enable distibuted claims and caching for when users are member
 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `clientId` | `string` | Your client ID as registered with the issuer. |
+| `clientId` | `string` | Your client ID as registered with the issuer +kubebuilder:validation:Required +kubebuilder:validation:MinLength=1. |
 | `clientSecretRef` | [.core.solo.io.ResourceRef](../../../../../../../../../../solo-kit/api/v1/ref.proto.sk/#resourceref) | Your client secret as registered with the issuer. This is required unless `disable_client_secret` is set. |
 | `authEndpointQueryParams` | `map` | Extra query parameters to apply to the Ext-Auth service's authorization request to the identity provider. These parameters can be useful for flows such as [PKCE](https://www.oauth.com/oauth2-servers/pkce/authorization-request/) to set the `code_challenge` and `code_challenge_method`. |
-| `appUrl` | `string` | Where to redirect after successful auth, if Gloo can't determine the original URL. Set this field to your publicly available app URL. |
-| `callbackPath` | `string` | A callback path relative to the app URL to be used for OAuth2 callbacks. Do not use this path in the application itself. |
+| `appUrl` | `string` | Where to redirect after successful auth, if Gloo can't determine the original URL. Set this field to your publicly available app URL. +kubebuilder:validation:Required +kubebuilder:validation:MinLength=1. |
+| `callbackPath` | `string` | A callback path relative to the app URL to be used for OAuth2 callbacks. Do not use this path in the application itself. +kubebuilder:validation:Required +kubebuilder:validation:MinLength=1. |
 | `scopes` | `[]string` | Scopes to request for. |
 | `session` | [.enterprise.gloo.solo.io.UserSession](../extauth.proto.sk/#usersession) | Configuration related to the user session.
|
 | `logoutPath` | `string` | A path relative to the app URL to use for logging out from an OAuth2 session. Do not use this path in the application itself. If not provided, logout functionality is disabled. |
 | `tokenEndpointQueryParams` | `map` | Extra query parameters to apply to the Ext-Auth service's token request to the identity provider. These parameters can be useful for flows such as [PKCE](https://www.oauth.com/oauth2-servers/pkce/authorization-request/) to set the `code_verifier`. |
 | `afterLogoutUrl` | `string` | URL to redirect to after logout. Set this field to a publicly available URL. If not provided, this value defaults to the `app_url` value. |
-| `authEndpoint` | `string` | The URL of the provider authorization endpoint. |
-| `tokenEndpoint` | `string` | The URL of the provider token endpoint. |
+| `authEndpoint` | `string` | The URL of the provider authorization endpoint. +kubebuilder:validation:Required +kubebuilder:validation:MinLength=1. |
+| `tokenEndpoint` | `string` | The URL of the provider token endpoint. +kubebuilder:validation:Required +kubebuilder:validation:MinLength=1. |
 | `revocationEndpoint` | `string` | The URL of the provider token revocation endpoint. For more information, refer to https://www.rfc-editor.org/rfc/rfc7009. |
 | `disableClientSecret` | [.google.protobuf.BoolValue](https://developers.google.com/protocol-buffers/docs/reference/csharp/class/google/protobuf/well-known-types/bool-value) | If true, do not check for or use the client secret. Generally the client secret is required and AuthConfigs will be rejected if it isn't set. However certain implementations of the PKCE flow do not use a client secret (including Okta) so this setting allows configuring Oauth2 without a client secret. |
@@ -1329,7 +1329,7 @@ Specifies how to fetch JWKS from remote and how to cache it.
 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `url` | `string` | The HTTP URI to fetch the JWKS. |
+| `url` | `string` | The HTTP URI to fetch the JWKS. +kubebuilder:validation:Required +kubebuilder:validation:MinLength=1. |
 | `refreshInterval` | [.google.protobuf.Duration](https://developers.google.com/protocol-buffers/docs/reference/csharp/class/google/protobuf/well-known-types/duration) | The frequency at which the JWKS should be refreshed. If not specified, the default value is 5 minutes. |
@@ -1348,7 +1348,7 @@ Represents a locally available JWKS.
 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `inlineString` | `string` | JWKS is embedded as a string. |
+| `inlineString` | `string` | JWKS is embedded as a string. +kubebuilder:validation:Required +kubebuilder:validation:MinLength=1. |
@@ -1375,7 +1375,7 @@ These values will be encoded in a basic auth header in order to authenticate the
 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `introspectionUrl` | `string` | The URL for the [OAuth2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) endpoint. If provided, the (opaque) access token provided or received from the oauth authorization endpoint will be validated against this endpoint, or locally cached responses for this access token. |
+| `introspectionUrl` | `string` | The URL for the [OAuth2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) endpoint. If provided, the (opaque) access token provided or received from the oauth authorization endpoint will be validated against this endpoint, or locally cached responses for this access token. +kubebuilder:validation:Required +kubebuilder:validation:MinLength=1. |
 | `clientId` | `string` | Your client id as registered with the issuer. Optional: Use if the token introspection url requires client authentication. |
 | `clientSecretRef` | [.core.solo.io.ResourceRef](../../../../../../../../../../solo-kit/api/v1/ref.proto.sk/#resourceref) | Your client secret as registered with the issuer. Optional: Use if the token introspection url requires client authentication. |
 | `userIdAttributeName` | `string` | The name of the [introspection response](https://tools.ietf.org/html/rfc7662#section-2.2) attribute that contains the ID of the resource owner (e.g. `sub`, `username`). If specified, the external auth server will use the value of the attribute as the identifier of the authenticated user and add it to the request headers and/or dynamic metadata (depending on how the server is configured); if the field is set and the attribute cannot be found, the request will be denied. This field is optional and by default the server will not try to derive the user ID. |
@@ -1402,9 +1402,9 @@ These values will be encoded in a basic auth header in order to authenticate the
 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `introspectionUrl` | `string` | The URL for the [OAuth2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) endpoint. If provided, the (opaque) access token provided or received from the oauth authorization endpoint will be validated against this endpoint, or locally cached responses for this access token. This field is deprecated as it does not support authenticated introspection requests. Only one of `introspectionUrl`, `jwt`, or `introspection` can be set. |
+| `introspectionUrl` | `string` | The URL for the [OAuth2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) endpoint. If provided, the (opaque) access token provided or received from the oauth authorization endpoint will be validated against this endpoint, or locally cached responses for this access token. This field is deprecated as it does not support authenticated introspection requests +kubebuilder:validation:MinLength=1. Only one of `introspectionUrl`, `jwt`, or `introspection` can be set. |
 | `jwt` | [.enterprise.gloo.solo.io.JwtValidation](../extauth.proto.sk/#jwtvalidation) | Validate access tokens that conform to the [JSON Web Token (JWT)](https://datatracker.ietf.org/doc/rfc7662/) specification. Only one of `jwt`, `introspectionUrl`, or `introspection` can be set. |
-| `introspection` | [.enterprise.gloo.solo.io.IntrospectionValidation](../extauth.proto.sk/#introspectionvalidation) | Defines how (opaque) access tokens, received from the oauth authorization endpoint, are validated [OAuth2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) specification. Only one of `introspection`, `introspectionUrl`, or `jwt` can be set.
|
+| `introspection` | [.enterprise.gloo.solo.io.IntrospectionValidation](../extauth.proto.sk/#introspectionvalidation) | Defines how (opaque) access tokens, received from the oauth authorization endpoint, are validated [OAuth2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) specification. +kubebuilder:validation:XValidation:rule="has(self.clientId) && size(self.clientId) > 0 ? has(self.clientSecretRef) || (has(self.disableClientSecret) && self.disableClientSecret) : !has(self.clientSecretRef)",message="If clientId is set, clientSecretRef must be set or disableClientSecret must be true. Otherwise, clientSecretRef must not be set.". Only one of `introspection`, `introspectionUrl`, or `jwt` can be set. |
 | `userinfoUrl` | `string` | The URL for the OIDC userinfo endpoint. If provided, the (opaque) access token provided or received from the oauth endpoint will be queried and the userinfo response (or cached response) will be added to the `AuthorizationRequest` state under the "introspection" key. This can be useful to leverage the userinfo response in, for example, an external auth server plugin. |
 | `cacheTimeout` | [.google.protobuf.Duration](https://developers.google.com/protocol-buffers/docs/reference/csharp/class/google/protobuf/well-known-types/duration) | How long the token introspection and userinfo endpoint response for a specific access token should be kept in the in-memory cache. The result will be invalidated at this timeout, or at "exp" time from the introspection result, whichever comes sooner. If omitted, defaults to 10 minutes. If zero, then no caching will be done. |
 | `requiredScopes` | [.enterprise.gloo.solo.io.AccessTokenValidation.ScopeList](../extauth.proto.sk/#scopelist) | Require access token to have all of the scopes in the given list. This configuration applies to both opaque and JWT tokens.
In the case of opaque tokens, this will check the scopes returned in the "scope" member of introspection response (as described in [Section 2.2 of RFC7662](https://tools.ietf.org/html/rfc7662#section-2.2). In case of JWTs the scopes to be validated are expected to be contained in the "scope" claim of the token in the form of a space-separated string. Omitting this field means that scope validation will be skipped. |
@@ -1716,7 +1716,7 @@ For Gloo Platform environments, use OpaServerAuth instead.
 | Field | Type | Description |
 | ----- | ---- | ----------- |
 | `modules` | [[]core.solo.io.ResourceRef](../../../../../../../../../../solo-kit/api/v1/ref.proto.sk/#resourceref) | An optional resource reference to config maps containing modules to assist in the resolution of `query`. |
-| `query` | `string` | The query that determines the auth decision. The result of this query must be either a boolean or an array with boolean as the first element. A boolean `true` value means that the request will be authorized. Any other value, or error, means that the request will be denied. |
+| `query` | `string` | The query that determines the auth decision. The result of this query must be either a boolean or an array with boolean as the first element. A boolean `true` value means that the request will be authorized. Any other value, or error, means that the request will be denied. +kubebuilder:validation:Required +kubebuilder:validation:MinLength=1. |
 | `options` | [.enterprise.gloo.solo.io.OpaAuthOptions](../extauth.proto.sk/#opaauthoptions) | Additional Options for Opa Auth configuration. |
@@ -1758,7 +1758,7 @@ auth server in Gloo Platform environments. For Gloo Edge environments, use OpaAu | Field | Type | Description | | ----- | ---- | ----------- | -| `package` | `string` | The package from your Rego policy bundle used to query the OPA data API. | +| `package` | `string` | The package from your Rego policy bundle used to query the OPA data API. +kubebuilder:validation:Required +kubebuilder:validation:MinLength=1. | | `ruleName` | `string` | The rule in your Rego policy bundle used to query the OPA data API. Supports querying subfields with a `/`. For more information, see the [OPA docs for the Data API](https://www.openpolicyagent.org/docs/latest/rest-api/#data-api). | | `serverAddr` | `string` | The address of the OPA server to query, in the format `ADDRESS:PORT`. For OPA servers within the cluster, the address is the pod's service address, such as `default.svc.cluster.local:8181`. For OPA servers outside the cluster, the server must be accessible to the cluster, such as through an ExternalService. If you do not have your own OPA server instance, omit this field. When the external auth service has the OPA server sidecar enabled, the OPA server sidecar will be used instead. | | `options` | [.enterprise.gloo.solo.io.OpaAuthOptions](../extauth.proto.sk/#opaauthoptions) | Additional options for OPA Auth configuration. | 
@@ -1790,7 +1790,7 @@ Authenticates and authorizes requests by querying an LDAP server. Gloo makes the | Field | Type | Description | | ----- | ---- | ----------- | -| `address` | `string` | Address of the LDAP server to query. Should be in the form ADDRESS:PORT, e.g. `ldap.default.svc.cluster.local:389`. | +| `address` | `string` | Address of the LDAP server to query. Should be in the form ADDRESS:PORT, e.g. `ldap.default.svc.cluster.local:389`. +kubebuilder:validation:Required +kubebuilder:validation:MinLength=1. | | `userDnTemplate` | `string` | Template to build user entry distinguished names (DN). This must contains a single occurrence of the "%s" placeholder. When processing a request, Gloo will substitute the name of the user (extracted from the auth header) for the placeholder and issue a search request with the resulting DN as baseDN (and 'base' search scope). E.g. "uid=%s,ou=people,dc=solo,dc=io". | | `membershipAttributeName` | `string` | Case-insensitive name of the attribute that contains the names of the groups an entry is member of. Gloo will look for attributes with the given name to determine which groups the user entry belongs to. Defaults to 'memberOf' if not provided. | | `allowedGroups` | `[]string` | In order for the request to be authenticated, the membership attribute (e.g. *memberOf*) on the user entry must contain at least of one of the group DNs specified via this option. E.g. []string{ "cn=managers,ou=groups,dc=solo,dc=io", "cn=developers,ou=groups,dc=solo,dc=io" }. | 
@@ -1924,7 +1924,7 @@ https://github.com/envoyproxy/envoy/blob/ae1ed1fa74f096dabe8dd5b19fc70333621b030 | Field | Type | Description | | ----- | ---- | ----------- | -| `address` | `string` | Address of the auth server to query. Should be in the form ADDRESS:PORT, e.g. `default.svc.cluster.local:389`. | +| `address` | `string` | Address of the auth server to query. Should be in the form ADDRESS:PORT, e.g. `default.svc.cluster.local:389`. +kubebuilder:validation:Required +kubebuilder:validation:MinLength=1. | | `connectionTimeout` | [.google.protobuf.Duration](https://developers.google.com/protocol-buffers/docs/reference/csharp/class/google/protobuf/well-known-types/duration) | Timeout for the auth server to respond. Defaults to 5s. | | `tlsConfig` | [.enterprise.gloo.solo.io.PassThroughGrpcTLSConfig](../extauth.proto.sk/#passthroughgrpctlsconfig) | TLS config for the Grpc passthrough, if not configured the connection will use insecure. | | `retryPolicy` | [.enterprise.gloo.solo.io.RetryPolicy](../extauth.proto.sk/#retrypolicy) | Indicates the retry policy for re-establishing the gRPC stream. This field is optional and failed calls will not retry unless configured. | 
@@ -1966,7 +1966,7 @@ else the request is unauthorized. | Field | Type | Description | | ----- | ---- | ----------- | -| `url` | `string` | Required: URL of the passthrough http service, is a fully qualified domain name. Example: http://ext-auth-service.svc.local:9001. Path provided in the URL will be respected. To use https, provide the cert in the HTTPS_PASSTHROUGH_CA_CERT environment variable to the ext-auth-service pod as a base64-encoded string. | +| `url` | `string` | Required: URL of the passthrough http service, is a fully qualified domain name. Example: http://ext-auth-service.svc.local:9001. Path provided in the URL will be respected. To use https, provide the cert in the HTTPS_PASSTHROUGH_CA_CERT environment variable to the ext-auth-service pod as a base64-encoded string +kubebuilder:validation:Required +kubebuilder:validation:MinLength=1. | | `request` | [.enterprise.gloo.solo.io.PassThroughHttp.Request](../extauth.proto.sk/#request) | Pass through the incoming request body, ext auth state, and filter metadata. For more information, see the [PassThrough Http Request description](#request-1). | | `response` | [.enterprise.gloo.solo.io.PassThroughHttp.Response](../extauth.proto.sk/#response) | Pass through response information such as the headers and body to downstream clients. For more information, see the [PassThrough Http Response description](#response-1). | | `connectionTimeout` | [.google.protobuf.Duration](https://developers.google.com/protocol-buffers/docs/reference/csharp/class/google/protobuf/well-known-types/duration) | Timeout for the auth server to respond. Defaults to 5s. | diff --git a/generate.go b/generate.go index 9141dc69670..2aa1ab0092f 100644 --- a/generate.go +++ b/generate.go @@ -75,6 +75,7 @@ func main() { "gloo.solo.io.HybridListener", "gloo.solo.io.AggregateListener", }, + DisableKubeMarkers: true, }, } if err := cmd.Generate(generateOptions); err != nil { diff --git a/go.mod b/go.mod index 7712d2d16e7..3e7e2bf56af 100644 
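Review bot: `DisableKubeMarkers: true,` lands in the options literal without a comment saying why, and the flag's effect is not evident from the call site: the PR description says it was added so the new kubebuilder markers would not change the CRD, yet the AuthConfig CRD hunks in this same patch do gain `required:` lists (while no `minLength` or `x-kubernetes-validations` entries appear). A one-line comment would save the next reader a trip to solo-kit, e.g. `// Keep the +kubebuilder markers in extauth.proto from being rendered into the generated CRD schemas (PR #9481).`, to be adjusted if the flag's actual scope turns out to be narrower than that. main() starts and ends outside the hunk.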
--- a/go.mod +++ b/go.mod @@ -51,14 +51,14 @@ require ( github.com/solo-io/go-utils v0.24.8 github.com/solo-io/k8s-utils v0.7.2 github.com/solo-io/protoc-gen-ext v0.0.18 - github.com/solo-io/protoc-gen-openapi v0.2.2 + github.com/solo-io/protoc-gen-openapi v0.2.4 github.com/solo-io/skv2 v0.39.1 // Pinned to the `sa-k8s-1.29-bump` tag of solo-apis on `gloo-main` branch // Ref: https://github.com/solo-io/gloo/pull/9463/files#r1594409655 && https://solo-io-corp.slack.com/archives/C03MFATU265/p1716913420716729?thread_ts=1716476992.938679&cid=C03MFATU265 // as to why it is now based off `gloo-main` and not `gloo-repo-branch` github.com/solo-io/solo-apis v0.0.0-20240528173540-7879b7d12cb9 - github.com/solo-io/solo-kit v0.35.0 + github.com/solo-io/solo-kit v0.35.3 github.com/spf13/afero v1.9.2 github.com/spf13/cobra v1.8.0 github.com/spf13/pflag v1.0.5 diff --git a/go.sum b/go.sum index b789d424ec6..cb8bc0f584f 100644 --- a/go.sum +++ b/go.sum 
@@ -2028,14 +2028,14 @@ github.com/solo-io/k8s-utils v0.7.2 h1:pIRiTOpwymdCHUOSjzKDi/Ay16FNtF7JV7NIRlC2Z
 github.com/solo-io/k8s-utils v0.7.2/go.mod h1:RrT6PVTSD1X0vteKCQmGzoAAfjI1U5oV/wA+T3T+NoM=
 github.com/solo-io/protoc-gen-ext v0.0.18 h1:zSAL8NzWpJUGYoA5IyjHiKASNyHjR0uxBQ7eQS94i3A=
 github.com/solo-io/protoc-gen-ext v0.0.18/go.mod h1:iGyCvmKmhJNXs5MgBcYFBF0om7LDnCVD2WwhOZGnqeA=
-github.com/solo-io/protoc-gen-openapi v0.2.2 h1:OzyOAxiZuMAaLYWMNoTl2v9E7IXcl7UEeiTeCSwvCJ0=
-github.com/solo-io/protoc-gen-openapi v0.2.2/go.mod h1:osEjRl1miHqlq4Wl/8SEqHFoyydptPL1EzEdM9c4vfE=
+github.com/solo-io/protoc-gen-openapi v0.2.4 h1:9tqGhCAq83IRSzHhKDzpWnPlbPPORTM2izVxjLk0Ftw=
+github.com/solo-io/protoc-gen-openapi v0.2.4/go.mod h1:osEjRl1miHqlq4Wl/8SEqHFoyydptPL1EzEdM9c4vfE=
 github.com/solo-io/skv2 v0.39.1 h1:dWaZTWgntAsvh4lTlojd3xE+g7NF4oYNonfcdpy0nXE=
 github.com/solo-io/skv2 v0.39.1/go.mod h1:Zsnl+OYmOkj+6KeaMfkzYIxHTVMC0w2gVApzNJRadM8=
 github.com/solo-io/solo-apis v0.0.0-20240528173540-7879b7d12cb9 h1:4DNulNBJdaVz+fOaMQes1MqVCIO/db2vmwz7bVe3iIU=
 github.com/solo-io/solo-apis v0.0.0-20240528173540-7879b7d12cb9/go.mod h1:fA+jJC7TXNM+i3uXvq7fpVrJ6JpNu1BgBxc4U9ntUW0=
-github.com/solo-io/solo-kit v0.35.0 h1:iX7Wl9h59M7sPAH+fLVdjalY+nAfeG2ry+zrXYuyXTo=
-github.com/solo-io/solo-kit v0.35.0/go.mod h1:fxakm2fhYzT3UNsM4baURVz19wCa75sv/KBNi4lwv6Q=
+github.com/solo-io/solo-kit v0.35.3 h1:cm+uHB5cFFlAnghwKdboaKI0Ki+t1ECA0Db3TnTL6KU=
+github.com/solo-io/solo-kit v0.35.3/go.mod h1:KBCEfl59/wE0K68s90aDcrTc36gKR5L97TbVelwL8n4=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
diff --git a/install/helm/gloo/crds/enterprise.gloo.solo.io_v1_AuthConfig.yaml b/install/helm/gloo/crds/enterprise.gloo.solo.io_v1_AuthConfig.yaml
index 6fb35b24f94..bfad5d5dd47 100644
--- a/install/helm/gloo/crds/enterprise.gloo.solo.io_v1_AuthConfig.yaml
+++ b/install/helm/gloo/crds/enterprise.gloo.solo.io_v1_AuthConfig.yaml
@@ -222,7 +222,11 @@ spec:
 type: string
 type: object
 type: array
+ required:
+ - secretRefs
 type: object
+ required:
+ - secretRefs
 type: object
 jwt:
 maxProperties: 0
@@ -268,6 +272,8 @@ spec:
 type: string
 userDnTemplate:
 type: string
+ required:
+ - address
 type: object
 name:
 nullable: true
@@ -297,6 +303,8 @@ spec:
 items:
 type: string
 type: array
+ required:
+ - appUrl
 type: object
 oauth2:
 properties:
@@ -326,6 +334,8 @@ spec:
 type: string
 userIdAttributeName:
 type: string
+ required:
+ - introspectionUrl
 type: object
 introspectionUrl:
 type: string
@@ -337,6 +347,8 @@ spec:
 properties:
 inlineString:
 type: string
+ required:
+ - inlineString
 type: object
 remoteJwks:
 properties:
@@ -344,6 +356,8 @@ spec:
 type: string
 url:
 type: string
+ required:
+ - url
 type: object
 type: object
 requiredScopes:
@@ -474,6 +488,12 @@ spec:
 additionalProperties:
 type: string
 type: object
+ required:
+ - clientId
+ - appUrl
+ - callbackPath
+ - authEndpoint
+ - tokenEndpoint
 type: object
 oidcAuthorizationCode:
 properties:
@@ -562,6 +582,8 @@ spec:
 type: object
 validFor:
 type: string
+ required:
+ - signingKeyRef
 type: object
 type: object
 clientId:
@@ -758,6 +780,11 @@ spec:
 additionalProperties:
 type: string
 type: object
+ required:
+ - clientId
+ - issuerUrl
+ - appUrl
+ - callbackPath
 type: object
 type: object
 opaAuth:
@@ -780,6 +807,8 @@ spec:
 type: object
 query:
 type: string
+ required:
+ - query
 type: object
 opaServerAuth:
 properties:
@@ -796,6 +825,8 @@ spec:
 type: string
 serverAddr:
 type: string
+ required:
+ - package
 type: object
 passThroughAuth:
 properties:
@@ -827,6 +858,8 @@ spec:
 type: object
 tlsConfig:
 type: object
+ required:
+ - address
 type: object
 http:
 properties:
@@ -868,6 +901,8 @@ spec:
 type: object
 url:
 type: string
+ required:
+ - url
 type: object
 type: object
 pluginAuth:
@@ -881,6 +916,8 @@ spec: type: string pluginFileName: type: string + required: + - config type: object type: object type: array @@ -894,6 +931,8 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object type: object + required: + - configs type: object status: default: {} diff --git a/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto b/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto index 7312cd7fe5a..da58efab3d6 100644 --- a/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto +++ b/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto @@ -45,6 +45,7 @@ message AuthConfig { google.protobuf.StringValue name = 9; oneof auth_config { + // +kubebuilder:validation:XValidation:rule="has(self.apr) ? !has(self.encryption) && !has(self.userList) : has(self.encryption) && has(self.userList)",message="Either apr or both encryption and userSource must be set; apr may not be set alongside either encryption or userSource" BasicAuth basic_auth = 1; OAuth oauth = 2 [deprecated = true]; OAuth2 oauth2 = 8; @@ -56,6 +57,7 @@ message AuthConfig { // If Jwt authentication is to be used in the [boolean expression](https://docs.solo.io/gloo-edge/latest/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto.sk/#authconfig) in an AuthConfig, you can use this auth config type to include Jwt as an Auth config. // In addition, `allow_missing_or_failed_jwt` must be set on the Virtual Host or Route that uses JWT auth or else the JWT filter will short circuit this behaviour. google.protobuf.Empty jwt = 11; + // +kubebuilder:validation:XValidation:rule="has(self.grpc) || has(self.http)",message="Must specify grpc or http" PassThroughAuth pass_through_auth = 12; HmacAuth hmac_auth = 13; OpaServerAuth opa_server_auth = 14; 
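Review bot: The CEL message on the new `basic_auth` marker names a field the rule does not check: the rule tests `has(self.userList)` while the message says `userSource` must be set, so a rejected AuthConfig would point the user at a name that does not match what the rule evaluates (presumably `userSource` is the oneof that `userList` belongs to, which never appears as a key in the YAML). Suggest aligning the message with the rule, `message="Either apr or both encryption and userList must be set; apr may not be set alongside either encryption or userList"`, or fixing the rule if `userSource` really is the rendered field name. message AuthConfig continues outside the hunk.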
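Review bot: Neither this `pass_through_auth` rule nor any other XValidation or MinLength marker in the patch (the `basic_auth` rule in the hunk above, the rules at @@ -368, @@ -382, @@ -785 and @@ -977, and the MinLength markers throughout) shows up in the AuthConfig CRD diff, which gains only `required:` lists and no `x-kubernetes-validations` or `minLength` entries; with `DisableKubeMarkers: true` set in generate.go these rules appear to be documentation rather than admission-time enforcement. That matters most for the client-secret rules: an AuthConfig with neither `clientSecretRef` nor `disableClientSecret: true` would still be admitted and reach the ext-auth service, so whatever check that service performs at runtime remains the effective guard and should not be relaxed on the strength of these markers. Worth saying so next to the markers, e.g. `// NOTE: not rendered into the CRD while DisableKubeMarkers is set; enforced (if at all) by the ext-auth service at runtime`, or dropping DisableKubeMarkers if admission-time enforcement is the intent. message AuthConfig continues outside the hunk.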
@@ -68,6 +70,9 @@ message AuthConfig { // // State is shared between successful requests on the chain, i.e., the headers returned from each // successful auth service get appended into the final auth response. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinItems=1 repeated Config configs = 3; // How to handle processing of named configs within an auth config chain. @@ -251,6 +256,7 @@ message AuthPlugin { // If not specified, defaults to the name of the plugin string exported_symbol_name = 3; + // +kubebuilder:validation:Required google.protobuf.Struct config = 4; } @@ -322,6 +328,7 @@ message BasicAuth { message HmacAuth { // Configuration for how secrets are stored. oneof secret_storage { + // +kubebuilder:validation:Required SecretRefList secret_refs = 1; } // Algorithm to use to turn the request into a hashable string @@ -331,6 +338,9 @@ message HmacAuth { } message SecretRefList { // list of secrets as registered with the issuer + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinItems=1 repeated core.solo.io.ResourceRef secret_refs = 1; } // Extract the HMAC parameters from the HTTP headers and use SHA-1 hashing @@ -353,6 +363,9 @@ message OAuth { // we to redirect after successful auth, if we can't determine the original // url this should be your publicly available app url. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 string app_url = 4 [deprecated = true]; // a callback path relative to app url that will be used for OIDC callbacks. 
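Review bot: The marker lines share a comment block with the field description, separated only by an empty `//`, and the generated reference docs in this patch show them leaking into user-facing text: the `.sk.md` hunks for `query`, `package`, `address` and `url` earlier on the page render e.g. `...the request will be denied. +kubebuilder:validation:Required +kubebuilder:validation:MinLength=1.` as the field description, with the closing period appended to the marker. The same applies to `configs` here and to every Required/MinLength hunk that follows, through @@ -1405. Worth checking whether solo-kit's doc generator can strip `+kubebuilder:` lines before publishing; as is, each affected description ends in a marker rather than a sentence. `configs` belongs to message AuthConfig, whose definition starts outside the hunk.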
@@ -368,6 +381,8 @@ message OAuth2 { // provide issuer location and let gloo handle OIDC flow for you. // requests authorized by validating the contents of ID token. // can also authorize the access token if configured. + // + // +kubebuilder:validation:XValidation:rule="has(self.clientAuthentication) ? !has(self.clientSecretRef) && !has(self.disableClientSecret) : has(self.clientSecretRef) || (has(self.disableClientSecret) && self.disableClientSecret)",message="If clientAuthentication is set, neither clientSecretRef nor disableClientSecret may be set. Otherwise, clientSecretRef must be set or disableClientSecret must be true." OidcAuthorizationCode oidc_authorization_code = 1; // provide the access token on the request and let gloo handle authorization. @@ -382,6 +397,8 @@ message OAuth2 { // provide issuer location and let Gloo handle Oauth2 flow for you. // requests authorized by validating the contents of access token. // Prefer to use OIDC for better security. + // + // +kubebuilder:validation:XValidation:rule="has(self.clientSecretRef) || (has(self.disableClientSecret) && self.disableClientSecret)",message="Either clientSecretRef must be set or disableClientSecret must be true" PlainOAuth2 oauth2 = 3; } } @@ -615,6 +632,9 @@ message ClaimToHeader { message OidcAuthorizationCode { // your client id as registered with the issuer + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 string client_id = 1; // your client secret as registered with the issuer. @@ -624,6 +644,9 @@ message OidcAuthorizationCode { // The url of the issuer. We will look for OIDC information in issuerUrl+ // ".well-known/openid-configuration" + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 string issuer_url = 3; // extra query parameters to apply to the Ext-Auth service's authorization request to the identity provider. 
@@ -638,10 +661,16 @@ message OidcAuthorizationCode { // where to redirect after successful auth, if we can't determine the original url. // this should be your publicly available app url. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 string app_url = 5; // a callback path relative to app url that will be used for OIDC callbacks. // should not be used by the application. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 string callback_path = 6; // a path relative to app url that will be used for logging out from an OIDC session. @@ -776,6 +805,8 @@ message OidcAuthorizationCode { // Private Key JWT Authentication requires a signing key for the JWT and an duration for the JWT to be valid. message PrivateKeyJwt{ // Signing key for the JWT used to authenticate the client + // + // +kubebuilder:validation:Required core.solo.io.ResourceRef signing_key_ref = 1; // Amount of time for which the JWT is valid. No maximmum is enforced, but different IDPs may impose limits on how far in // the future the expiration time is allowed to be. If omitted, default is 5s. @@ -785,12 +816,15 @@ message OidcAuthorizationCode { // Configure how to authenticate the client oneof client_authentication_config { // Use the client secret method to authenticate the client + // + // +kubebuilder:validation:XValidation:rule="has(self.clientSecretRef) || (has(self.disableClientSecret) && self.disableClientSecret)",message="Either clientSecretRef must be set or disableClientSecret must be true" ClientSecret client_secret = 1; // Use the private ket JWT method to authenticate the client PrivateKeyJwt private_key_jwt = 2; } } + // +kubebuilder:validation:XValidation:rule="has(self.clientSecret) || has(self.privateKeyJwt)",message="Must specify clientSecret or privateKeyJwt" ClientAuthentication client_authentication = 25; oneof Provider { 
@@ -827,6 +861,9 @@ message OidcAuthorizationCode { message PlainOAuth2 { // Your client ID as registered with the issuer + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 string client_id = 1; // Your client secret as registered with the issuer. @@ -840,10 +877,16 @@ message PlainOAuth2 { // Where to redirect after successful auth, if Gloo can't determine the original URL. // Set this field to your publicly available app URL. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 string app_url = 4; // A callback path relative to the app URL to be used for OAuth2 callbacks. // Do not use this path in the application itself. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 string callback_path = 5; // Scopes to request for. @@ -867,9 +910,15 @@ message PlainOAuth2 { string after_logout_url = 10; // The URL of the provider authorization endpoint. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 string auth_endpoint = 11; // The URL of the provider token endpoint. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 string token_endpoint = 12; // The URL of the provider token revocation endpoint. @@ -904,6 +953,9 @@ message JwtValidation { // Specifies how to fetch JWKS from remote and how to cache it. message RemoteJwks { // The HTTP URI to fetch the JWKS. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 string url = 1; // The frequency at which the JWKS should be refreshed. @@ -914,6 +966,9 @@ message JwtValidation { // Represents a locally available JWKS. message LocalJwks { // JWKS is embedded as a string. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 string inline_string = 1; } 
@@ -939,6 +994,9 @@ message IntrospectionValidation { // The URL for the [OAuth2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) endpoint. // If provided, the (opaque) access token provided or received from the oauth authorization endpoint // will be validated against this endpoint, or locally cached responses for this access token. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 string introspection_url = 1; // Your client id as registered with the issuer. @@ -969,6 +1027,8 @@ message AccessTokenValidation { // If provided, the (opaque) access token provided or received from the oauth authorization endpoint // will be validated against this endpoint, or locally cached responses for this access token. // This field is deprecated as it does not support authenticated introspection requests + // + // +kubebuilder:validation:MinLength=1 string introspection_url = 1 [deprecated = true]; // Validate access tokens that conform to the @@ -977,6 +1037,8 @@ message AccessTokenValidation { // Defines how (opaque) access tokens, received from the oauth authorization endpoint, are validated // [OAuth2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) specification. + // + // +kubebuilder:validation:XValidation:rule="has(self.clientId) && size(self.clientId) > 0 ? has(self.clientSecretRef) || (has(self.disableClientSecret) && self.disableClientSecret) : !has(self.clientSecretRef)",message="If clientId is set, clientSecretRef must be set or disableClientSecret must be true. Otherwise, clientSecretRef must not be set." IntrospectionValidation introspection = 3; // In the future we may implement HMAC validation 
@@ -1224,6 +1286,9 @@ message OpaAuth { // The query that determines the auth decision. The result of this query // must be either a boolean or an array with boolean as the first element. A boolean `true` value means that // the request will be authorized. Any other value, or error, means that the request will be denied. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 string query = 2; // Additional Options for Opa Auth configuration. @@ -1257,6 +1322,9 @@ message OpaAuthOptions { // auth server in Gloo Platform environments. For Gloo Edge environments, use OpaAuth instead. message OpaServerAuth { // The package from your Rego policy bundle used to query the OPA data API. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 string package = 1; // The rule in your Rego policy bundle used to query the OPA data API. Supports querying subfields with a `/`. For more information, see the [OPA docs for the Data API](https://www.openpolicyagent.org/docs/latest/rest-api/#data-api). @@ -1292,6 +1360,9 @@ message Ldap { } // Address of the LDAP server to query. Should be in the form ADDRESS:PORT, e.g. `ldap.default.svc.cluster.local:389`. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 string address = 1; // Template to build user entry distinguished names (DN). This must contains a single occurrence of the "%s" placeholder. @@ -1381,6 +1452,9 @@ message RetryPolicy { message PassThroughGrpc { // Address of the auth server to query. Should be in the form ADDRESS:PORT, e.g. `default.svc.cluster.local:389`. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 string address = 1; // Timeout for the auth server to respond. Defaults to 5s 
@@ -1405,6 +1479,9 @@ message PassThroughHttp { // Example: http://ext-auth-service.svc.local:9001. Path provided in the URL will be respected. // To use https, provide the cert in the HTTPS_PASSTHROUGH_CA_CERT environment variable to the ext-auth-service // pod as a base64-encoded string + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 string url = 1; /* The passthrough http request can be configured to pass through the incoming request body, diff --git a/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/extauth.pb.go b/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/extauth.pb.go index a93cbe9ff6f..df5614b0b65 100644 --- a/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/extauth.pb.go +++ b/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/extauth.pb.go @@ -254,6 +254,9 @@ type AuthConfig struct { // // State is shared between successful requests on the chain, i.e., the headers returned from each // successful auth service get appended into the final auth response. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinItems=1 Configs []*AuthConfig_Config `protobuf:"bytes,3,rep,name=configs,proto3" json:"configs,omitempty"` // How to handle processing of named configs within an auth config chain. // An example config might be: `( basic1 || basic2 || (oidc1 && !oidc2) )` 
@@ -879,8 +882,9 @@ type AuthPlugin struct { PluginFileName string `protobuf:"bytes,2,opt,name=plugin_file_name,json=pluginFileName,proto3" json:"plugin_file_name,omitempty"` // Name of the exported symbol that implements the plugin interface in the plugin. // If not specified, defaults to the name of the plugin - ExportedSymbolName string `protobuf:"bytes,3,opt,name=exported_symbol_name,json=exportedSymbolName,proto3" json:"exported_symbol_name,omitempty"` - Config *_struct.Struct `protobuf:"bytes,4,opt,name=config,proto3" json:"config,omitempty"` + ExportedSymbolName string `protobuf:"bytes,3,opt,name=exported_symbol_name,json=exportedSymbolName,proto3" json:"exported_symbol_name,omitempty"` + // +kubebuilder:validation:Required + Config *_struct.Struct `protobuf:"bytes,4,opt,name=config,proto3" json:"config,omitempty"` } func (x *AuthPlugin) Reset() { @@ -1130,6 +1134,7 @@ type isHmacAuth_SecretStorage interface { } type HmacAuth_SecretRefs struct { + // +kubebuilder:validation:Required SecretRefs *SecretRefList `protobuf:"bytes,1,opt,name=secret_refs,json=secretRefs,proto3,oneof"` } @@ -1151,6 +1156,9 @@ type SecretRefList struct { unknownFields protoimpl.UnknownFields // list of secrets as registered with the issuer + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinItems=1 SecretRefs []*core.ResourceRef `protobuf:"bytes,1,rep,name=secret_refs,json=secretRefs,proto3" json:"secret_refs,omitempty"` } 
@@ -1258,6 +1266,9 @@ type OAuth struct { // we to redirect after successful auth, if we can't determine the original // url this should be your publicly available app url. // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 + // // Deprecated: Marked as deprecated in github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto. AppUrl string `protobuf:"bytes,4,opt,name=app_url,json=appUrl,proto3" json:"app_url,omitempty"` // a callback path relative to app url that will be used for OIDC callbacks. @@ -1440,6 +1451,8 @@ type OAuth2_OidcAuthorizationCode struct { // provide issuer location and let gloo handle OIDC flow for you. // requests authorized by validating the contents of ID token. // can also authorize the access token if configured. + // + // +kubebuilder:validation:XValidation:rule="has(self.clientAuthentication) ? !has(self.clientSecretRef) && !has(self.disableClientSecret) : has(self.clientSecretRef) || (has(self.disableClientSecret) && self.disableClientSecret)",message="If clientAuthentication is set, neither clientSecretRef nor disableClientSecret may be set. Otherwise, clientSecretRef must be set or disableClientSecret must be true." OidcAuthorizationCode *OidcAuthorizationCode `protobuf:"bytes,1,opt,name=oidc_authorization_code,json=oidcAuthorizationCode,proto3,oneof"` } @@ -1458,6 +1471,8 @@ type OAuth2_Oauth2 struct { // provide issuer location and let Gloo handle Oauth2 flow for you. // requests authorized by validating the contents of access token. // Prefer to use OIDC for better security. + // + // +kubebuilder:validation:XValidation:rule="has(self.clientSecretRef) || (has(self.disableClientSecret) && self.disableClientSecret)",message="Either clientSecretRef must be set or disableClientSecret must be true" Oauth2 *PlainOAuth2 `protobuf:"bytes,3,opt,name=oauth2,proto3,oneof"` } 
@@ -2158,6 +2173,9 @@ type OidcAuthorizationCode struct { unknownFields protoimpl.UnknownFields // your client id as registered with the issuer + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 ClientId string `protobuf:"bytes,1,opt,name=client_id,json=clientId,proto3" json:"client_id,omitempty"` // your client secret as registered with the issuer. // This is required unless `disable_client_secret` is true @@ -2167,6 +2185,9 @@ type OidcAuthorizationCode struct { ClientSecretRef *core.ResourceRef `protobuf:"bytes,2,opt,name=client_secret_ref,json=clientSecretRef,proto3" json:"client_secret_ref,omitempty"` // The url of the issuer. We will look for OIDC information in issuerUrl+ // ".well-known/openid-configuration" + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 IssuerUrl string `protobuf:"bytes,3,opt,name=issuer_url,json=issuerUrl,proto3" json:"issuer_url,omitempty"` // extra query parameters to apply to the Ext-Auth service's authorization request to the identity provider. // this can be useful for flows such as PKCE (https://www.oauth.com/oauth2-servers/pkce/authorization-request/) 
@@ -2178,9 +2199,15 @@ type OidcAuthorizationCode struct { TokenEndpointQueryParams map[string]string `protobuf:"bytes,14,rep,name=token_endpoint_query_params,json=tokenEndpointQueryParams,proto3" json:"token_endpoint_query_params,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` // where to redirect after successful auth, if we can't determine the original url. // this should be your publicly available app url. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 AppUrl string `protobuf:"bytes,5,opt,name=app_url,json=appUrl,proto3" json:"app_url,omitempty"` // a callback path relative to app url that will be used for OIDC callbacks. // should not be used by the application. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 CallbackPath string `protobuf:"bytes,6,opt,name=callback_path,json=callbackPath,proto3" json:"callback_path,omitempty"` // a path relative to app url that will be used for logging out from an OIDC session. // should not be used by the application. 
@@ -2267,7 +2294,8 @@ type OidcAuthorizationCode struct { // Optional: Configuration specific to the OAuth2 access token received and processed by the ext-auth-service. AccessToken *OidcAuthorizationCode_AccessToken `protobuf:"bytes,23,opt,name=access_token,json=accessToken,proto3" json:"access_token,omitempty"` // Optional: Configuration specific to the OIDC identity token received and processed by the ext-auth-service. - IdentityToken *OidcAuthorizationCode_IdentityToken `protobuf:"bytes,24,opt,name=identity_token,json=identityToken,proto3" json:"identity_token,omitempty"` + IdentityToken *OidcAuthorizationCode_IdentityToken `protobuf:"bytes,24,opt,name=identity_token,json=identityToken,proto3" json:"identity_token,omitempty"` + // +kubebuilder:validation:XValidation:rule="has(self.clientSecret) || has(self.privateKeyJwt)",message="Must specify clientSecret or privateKeyJwt" ClientAuthentication *OidcAuthorizationCode_ClientAuthentication `protobuf:"bytes,25,opt,name=client_authentication,json=clientAuthentication,proto3" json:"client_authentication,omitempty"` // Types that are assignable to Provider: // @@ -2522,6 +2550,9 @@ type PlainOAuth2 struct { unknownFields protoimpl.UnknownFields // Your client ID as registered with the issuer + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 ClientId string `protobuf:"bytes,1,opt,name=client_id,json=clientId,proto3" json:"client_id,omitempty"` // Your client secret as registered with the issuer. // This is required unless `disable_client_secret` is set. 
@@ -2532,9 +2563,15 @@ type PlainOAuth2 struct { AuthEndpointQueryParams map[string]string `protobuf:"bytes,3,rep,name=auth_endpoint_query_params,json=authEndpointQueryParams,proto3" json:"auth_endpoint_query_params,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` // Where to redirect after successful auth, if Gloo can't determine the original URL. // Set this field to your publicly available app URL. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 AppUrl string `protobuf:"bytes,4,opt,name=app_url,json=appUrl,proto3" json:"app_url,omitempty"` // A callback path relative to the app URL to be used for OAuth2 callbacks. // Do not use this path in the application itself. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 CallbackPath string `protobuf:"bytes,5,opt,name=callback_path,json=callbackPath,proto3" json:"callback_path,omitempty"` // Scopes to request for. Scopes []string `protobuf:"bytes,6,rep,name=scopes,proto3" json:"scopes,omitempty"` 
@@ -2552,8 +2589,14 @@ type PlainOAuth2 struct { // Set this field to a publicly available URL. If not provided, this value defaults to the `app_url` value. AfterLogoutUrl string `protobuf:"bytes,10,opt,name=after_logout_url,json=afterLogoutUrl,proto3" json:"after_logout_url,omitempty"` // The URL of the provider authorization endpoint. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 AuthEndpoint string `protobuf:"bytes,11,opt,name=auth_endpoint,json=authEndpoint,proto3" json:"auth_endpoint,omitempty"` // The URL of the provider token endpoint. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 TokenEndpoint string `protobuf:"bytes,12,opt,name=token_endpoint,json=tokenEndpoint,proto3" json:"token_endpoint,omitempty"` // The URL of the provider token revocation endpoint. // For more information, refer to https://www.rfc-editor.org/rfc/rfc7009. @@ -2819,6 +2862,9 @@ type IntrospectionValidation struct { // The URL for the [OAuth2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) endpoint. // If provided, the (opaque) access token provided or received from the oauth authorization endpoint // will be validated against this endpoint, or locally cached responses for this access token. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 IntrospectionUrl string `protobuf:"bytes,1,opt,name=introspection_url,json=introspectionUrl,proto3" json:"introspection_url,omitempty"` // Your client id as registered with the issuer. // Optional: Use if the token introspection url requires client authentication. 
@@ -3051,6 +3097,8 @@ type AccessTokenValidation_IntrospectionUrl struct { // will be validated against this endpoint, or locally cached responses for this access token. // This field is deprecated as it does not support authenticated introspection requests // + // +kubebuilder:validation:MinLength=1 + // // Deprecated: Marked as deprecated in github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto. IntrospectionUrl string `protobuf:"bytes,1,opt,name=introspection_url,json=introspectionUrl,proto3,oneof"` } @@ -3064,6 +3112,8 @@ type AccessTokenValidation_Jwt struct { type AccessTokenValidation_Introspection struct { // Defines how (opaque) access tokens, received from the oauth authorization endpoint, are validated // [OAuth2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) specification. + // + // +kubebuilder:validation:XValidation:rule="has(self.clientId) && size(self.clientId) > 0 ? has(self.clientSecretRef) || (has(self.disableClientSecret) && self.disableClientSecret) : !has(self.clientSecretRef)",message="If clientId is set, clientSecretRef must be set or disableClientSecret must be true. Otherwise, clientSecretRef must not be set." Introspection *IntrospectionValidation `protobuf:"bytes,3,opt,name=introspection,proto3,oneof"` } @@ -3736,6 +3786,9 @@ type OpaAuth struct { // The query that determines the auth decision. The result of this query // must be either a boolean or an array with boolean as the first element. A boolean `true` value means that // the request will be authorized. Any other value, or error, means that the request will be denied. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 Query string `protobuf:"bytes,2,opt,name=query,proto3" json:"query,omitempty"` // Additional Options for Opa Auth configuration. Options *OpaAuthOptions `protobuf:"bytes,3,opt,name=options,proto3" json:"options,omitempty"` 
@@ -3874,6 +3927,9 @@ type OpaServerAuth struct { unknownFields protoimpl.UnknownFields // The package from your Rego policy bundle used to query the OPA data API. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 Package string `protobuf:"bytes,1,opt,name=package,proto3" json:"package,omitempty"` // The rule in your Rego policy bundle used to query the OPA data API. Supports querying subfields with a `/`. For more information, see the [OPA docs for the Data API](https://www.openpolicyagent.org/docs/latest/rest-api/#data-api). RuleName string `protobuf:"bytes,2,opt,name=rule_name,json=ruleName,proto3" json:"rule_name,omitempty"` @@ -3960,6 +4016,9 @@ type Ldap struct { unknownFields protoimpl.UnknownFields // Address of the LDAP server to query. Should be in the form ADDRESS:PORT, e.g. `ldap.default.svc.cluster.local:389`. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 Address string `protobuf:"bytes,1,opt,name=address,proto3" json:"address,omitempty"` // Template to build user entry distinguished names (DN). This must contains a single occurrence of the "%s" placeholder. // When processing a request, Gloo will substitute the name of the user (extracted from the auth header) for the @@ -4385,6 +4444,9 @@ type PassThroughGrpc struct { unknownFields protoimpl.UnknownFields // Address of the auth server to query. Should be in the form ADDRESS:PORT, e.g. `default.svc.cluster.local:389`. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 Address string `protobuf:"bytes,1,opt,name=address,proto3" json:"address,omitempty"` // Timeout for the auth server to respond. Defaults to 5s ConnectionTimeout *duration.Duration `protobuf:"bytes,2,opt,name=connection_timeout,json=connectionTimeout,proto3" json:"connection_timeout,omitempty"` 
@@ -4506,6 +4568,9 @@ type PassThroughHttp struct { // Example: http://ext-auth-service.svc.local:9001. Path provided in the URL will be respected. // To use https, provide the cert in the HTTPS_PASSTHROUGH_CA_CERT environment variable to the ext-auth-service // pod as a base64-encoded string + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 Url string `protobuf:"bytes,1,opt,name=url,proto3" json:"url,omitempty"` // Pass through the incoming request body, ext auth state, and filter metadata. // For more information, see the [PassThrough Http Request description](#request-1). @@ -5233,6 +5298,7 @@ type isAuthConfig_Config_AuthConfig interface { } type AuthConfig_Config_BasicAuth struct { + // +kubebuilder:validation:XValidation:rule="has(self.apr) ? !has(self.encryption) && !has(self.userList) : has(self.encryption) && has(self.userList)",message="Either apr or both encryption and userSource must be set; apr may not be set alongside either encryption or userSource" BasicAuth *BasicAuth `protobuf:"bytes,1,opt,name=basic_auth,json=basicAuth,proto3,oneof"` } @@ -5269,6 +5335,7 @@ type AuthConfig_Config_Jwt struct { } type AuthConfig_Config_PassThroughAuth struct { + // +kubebuilder:validation:XValidation:rule="has(self.grpc) || has(self.http)",message="Must specify grpc or http" PassThroughAuth *PassThroughAuth `protobuf:"bytes,12,opt,name=pass_through_auth,json=passThroughAuth,proto3,oneof"` } 
@@ -6345,6 +6412,8 @@ type isOidcAuthorizationCode_ClientAuthentication_ClientAuthenticationConfig int type OidcAuthorizationCode_ClientAuthentication_ClientSecret_ struct { // Use the client secret method to authenticate the client + // + // +kubebuilder:validation:XValidation:rule="has(self.clientSecretRef) || (has(self.disableClientSecret) && self.disableClientSecret)",message="Either clientSecretRef must be set or disableClientSecret must be true" ClientSecret *OidcAuthorizationCode_ClientAuthentication_ClientSecret `protobuf:"bytes,1,opt,name=client_secret,json=clientSecret,proto3,oneof"` } @@ -6550,6 +6619,8 @@ type OidcAuthorizationCode_ClientAuthentication_PrivateKeyJwt struct { unknownFields protoimpl.UnknownFields // Signing key for the JWT used to authenticate the client + // + // +kubebuilder:validation:Required SigningKeyRef *core.ResourceRef `protobuf:"bytes,1,opt,name=signing_key_ref,json=signingKeyRef,proto3" json:"signing_key_ref,omitempty"` // Amount of time for which the JWT is valid. No maximmum is enforced, but different IDPs may impose limits on how far in // the future the expiration time is allowed to be. If omitted, default is 5s. @@ -6609,6 +6680,9 @@ type JwtValidation_RemoteJwks struct { unknownFields protoimpl.UnknownFields // The HTTP URI to fetch the JWKS. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 Url string `protobuf:"bytes,1,opt,name=url,proto3" json:"url,omitempty"` // The frequency at which the JWKS should be refreshed. // If not specified, the default value is 5 minutes. @@ -6668,6 +6742,9 @@ type JwtValidation_LocalJwks struct { unknownFields protoimpl.UnknownFields // JWKS is embedded as a string. + // + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 InlineString string `protobuf:"bytes,1,opt,name=inline_string,json=inlineString,proto3" json:"inline_string,omitempty"` }