|
| 1 | +package v1alpha1 |
| 2 | + |
| 3 | +import ( |
| 4 | + v1 "k8s.io/api/core/v1" |
| 5 | + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" |
| 6 | +) |
| 7 | + |
| 8 | +// +genclient |
| 9 | +// +kubebuilder:object:root=true |
| 10 | +// +kubebuilder:storageversion |
| 11 | +// +kubebuilder:subresource:status |
| 12 | +// +kubebuilder:resource:categories=nginx-gateway-fabric,shortName=authfilter;authenticationfilter |
| 13 | +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` |
| 14 | + |
| 15 | +// AuthenticationFilter configures request authentication and is |
| 16 | +// referenced by HTTPRoute or a GRPCRoute. Filters via ExtensionRef. |
| 17 | +type AuthenticationFilter struct { |
| 18 | + metav1.TypeMeta `json:",inline"` |
| 19 | + metav1.ObjectMeta `json:"metadata"` |
| 20 | + |
| 21 | + // Spec defines the desired state of the AuthenticationFilter. |
| 22 | + Spec AuthenticationFilterSpec `json:"spec"` |
| 23 | + |
| 24 | + // Status defines the state of the AuthenticationFilter, following the same |
| 25 | + // pattern as SnippetsFilter: per-controller conditions with an Accepted condition. |
| 26 | + // |
| 27 | + // +optional |
| 28 | + Status AuthenticationFilterStatus `json:"status"` |
| 29 | +} |
| 30 | + |
| 31 | +// +kubebuilder:object:root=true |
| 32 | + |
| 33 | +// AuthenticationFilterList contains a list of AuthenticationFilter. |
| 34 | +type AuthenticationFilterList struct { |
| 35 | + metav1.TypeMeta `json:",inline"` |
| 36 | + metav1.ListMeta `json:"metadata"` |
| 37 | + Items []AuthenticationFilter `json:"items"` |
| 38 | +} |
| 39 | + |
| 40 | +// AuthenticationFilterSpec defines the desired configuration. |
| 41 | +// For now only Basic is supported. |
| 42 | +// +kubebuilder:validation:XValidation:message="for type=Basic, spec.basic must be set",rule="self.type == 'Basic' ? self.basic != null : true" |
| 43 | +// +kubebuilder:validation:XValidation:message="when spec.basic is set, type must be 'Basic'",rule="self.basic != null ? self.type == 'Basic' : true" |
| 44 | +type AuthenticationFilterSpec struct { |
| 45 | + // Type selects the authentication mechanism. |
| 46 | + // +kubebuilder:default=Basic |
| 47 | + Type AuthType `json:"type"` |
| 48 | + |
| 49 | + // Basic configures HTTP Basic Authentication. |
| 50 | + // Required when Type == Basic. |
| 51 | + // |
| 52 | + // +optional |
| 53 | + Basic *BasicAuth `json:"basic,omitempty"` |
| 54 | +} |
| 55 | + |
| 56 | +// AuthType defines the authentication mechanism. |
| 57 | +// +kubebuilder:validation:Enum=Basic |
| 58 | +type AuthType string |
| 59 | + |
| 60 | +const ( |
| 61 | + AuthTypeBasic AuthType = "Basic" |
| 62 | +) |
| 63 | + |
| 64 | +// BasicAuth configures HTTP Basic Authentication. |
| 65 | +type BasicAuth struct { |
| 66 | + // SecretRef allows referencing a Secret in the same namespace |
| 67 | + SecretRef LocalObjectReferenceWithKey `json:"secretRef"` |
| 68 | + |
| 69 | + // Realm used by NGINX `auth_basic` directive. |
| 70 | + // https://nginx.org/en/docs/http/ngx_http_auth_basic_module.html#auth_basic |
| 71 | + // Also configures "realm="<realm_value>" in WWW-Authenticate header in error page location. |
| 72 | + // |
| 73 | + // +optional |
| 74 | + // +kubebuilder:default="Restricted" |
| 75 | + Realm *string `json:"realm,omitempty"` |
| 76 | + |
| 77 | + // OnFailure customizes the 401 response for failed authentication. |
| 78 | + // |
| 79 | + // +optional |
| 80 | + OnFailure *AuthFailureResponse `json:"onFailure,omitempty"` |
| 81 | +} |
| 82 | + |
| 83 | +type LocalObjectReferenceWithKey struct { |
| 84 | + v1.LocalObjectReference `json:",inline"` |
| 85 | + // +kubebuilder:validation:MinLength=1 |
| 86 | + // +kubebuilder:validation:XValidation:rule="self != ''",message="key must be non-empty" |
| 87 | + Key string `json:"key"` |
| 88 | +} |
| 89 | + |
| 90 | +// AuthFailureBodyPolicy controls the failure response body behavior. |
| 91 | +// +kubebuilder:validation:Enum=Unauthorized;Forbidden;Empty |
| 92 | +type AuthFailureBodyPolicy string |
| 93 | + |
| 94 | +const ( |
| 95 | + AuthFailureBodyPolicyUnauthorized AuthFailureBodyPolicy = "Unauthorized" |
| 96 | + AuthFailureBodyPolicyForbidden AuthFailureBodyPolicy = "Forbidden" |
| 97 | + AuthFailureBodyPolicyEmpty AuthFailureBodyPolicy = "Empty" |
| 98 | +) |
| 99 | + |
| 100 | +// AuthScheme enumerates supported WWW-Authenticate schemes.Add a comment on lines R320 to R321Add diff commentMarkdown input: edit mode selected.WritePreviewAdd a suggestionHeadingBoldItalicQuoteCodeLinkUnordered listNumbered listTask listMentionReferenceSaved repliesAdd FilesPaste, drop, or click to add filesCancelCommentStart a reviewReturn to code |
| 101 | +// +kubebuilder:validation:Enum=Basic;Bearer |
| 102 | +type AuthScheme string |
| 103 | + |
| 104 | +const ( |
| 105 | + AuthSchemeBasic AuthScheme = "Basic" |
| 106 | + AuthSchemeBearer AuthScheme = "Bearer" |
| 107 | +) |
| 108 | + |
| 109 | +// AuthFailureResponse customizes 401/403 failures. |
| 110 | +type AuthFailureResponse struct { |
| 111 | + // Allowed: 401, 403. |
| 112 | + // Default: 401. |
| 113 | + // |
| 114 | + // +optional |
| 115 | + // +kubebuilder:default=401 |
| 116 | + // +kubebuilder:validation:XValidation:message="statusCode must be 401 or 403",rule="self in [401, 403]" |
| 117 | + StatusCode *int32 `json:"statusCode,omitempty"` |
| 118 | + |
| 119 | + // Challenge scheme. If omitted, inferred from filter Type (Basic|Bearer). |
| 120 | + // Configures WWW-Authenticate header in error page location. |
| 121 | + // |
| 122 | + // +optional |
| 123 | + // +kubebuilder:default=Basic |
| 124 | + Scheme *AuthScheme `json:"scheme,omitempty"` |
| 125 | + |
| 126 | + // Controls whether a default canned body is sent or an empty body. |
| 127 | + // Default: Unauthorized. |
| 128 | + // |
| 129 | + // +optional |
| 130 | + // +kubebuilder:default=Unauthorized |
| 131 | + BodyPolicy *AuthFailureBodyPolicy `json:"bodyPolicy,omitempty"` |
| 132 | +} |
| 133 | + |
| 134 | +// AuthenticationFilterStatus defines the state of AuthenticationFilter. |
| 135 | +type AuthenticationFilterStatus struct { |
| 136 | + // Controllers is a list of Gateway API controllers that processed the AuthenticationFilter |
| 137 | + // and the status of the AuthenticationFilter with respect to each controller. |
| 138 | + // |
| 139 | + // +kubebuilder:validation:MaxItems=16 |
| 140 | + Controllers []ControllerStatus `json:"controllers,omitempty"` |
| 141 | +} |
| 142 | + |
| 143 | +// AuthenticationFilterConditionType is a type of condition associated with AuthenticationFilter. |
| 144 | +type AuthenticationFilterConditionType string |
| 145 | + |
| 146 | +// AuthenticationFilterConditionReason is a reason for an AuthenticationFilter condition type. |
| 147 | +type AuthenticationFilterConditionReason string |
| 148 | + |
| 149 | +const ( |
| 150 | + // AuthenticationFilterConditionTypeAccepted indicates that the AuthenticationFilter is accepted. |
| 151 | + // |
| 152 | + // Possible reasons for this condition to be True: |
| 153 | + // * Accepted |
| 154 | + // |
| 155 | + // Possible reasons for this condition to be False: |
| 156 | + // * Invalid |
| 157 | + AuthenticationFilterConditionTypeAccepted AuthenticationFilterConditionType = "Accepted" |
| 158 | + |
| 159 | + // AuthenticationFilterConditionReasonAccepted is used with the Accepted condition type when |
| 160 | + // the condition is true. |
| 161 | + AuthenticationFilterConditionReasonAccepted AuthenticationFilterConditionReason = "Accepted" |
| 162 | + |
| 163 | + // AuthenticationFilterConditionReasonInvalid is used with the Accepted condition type when |
| 164 | + // the filter is invalid. |
| 165 | + AuthenticationFilterConditionReasonInvalid AuthenticationFilterConditionReason = "Invalid" |
| 166 | +) |
0 commit comments