diff --git a/bundle/manifests/authorino-operator.clusterserviceversion.yaml b/bundle/manifests/authorino-operator.clusterserviceversion.yaml index 8f70337..c35b6fb 100644 --- a/bundle/manifests/authorino-operator.clusterserviceversion.yaml +++ b/bundle/manifests/authorino-operator.clusterserviceversion.yaml @@ -83,7 +83,7 @@ metadata: capabilities: Basic Install categories: Integration & Delivery containerImage: quay.io/kuadrant/authorino-operator:latest - createdAt: "2024-11-19T15:52:57Z" + createdAt: "2024-11-21T13:37:42Z" operators.operatorframework.io/builder: operator-sdk-v1.32.0 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 repository: https://github.com/Kuadrant/authorino-operator diff --git a/bundle/manifests/authorino.kuadrant.io_authconfigs.yaml b/bundle/manifests/authorino.kuadrant.io_authconfigs.yaml index ea01a64..9f58e3d 100644 --- a/bundle/manifests/authorino.kuadrant.io_authconfigs.yaml +++ b/bundle/manifests/authorino.kuadrant.io_authconfigs.yaml 
@@ -3105,10 +3105,32 @@ spec: kubernetesSubjectAccessReview: description: Authorization by Kubernetes SubjectAccessReview properties: + authorizationGroups: + description: Groups to check for existing permission in + the Kubernetes RBAC alternatively to a specific user. + This is typically obtained from a list of groups the user + is a member of. Must be a static list of group names or + dynamically resolve to one from the Authorization JSON. + properties: + expression: + description: |- + A Common Expression Language (CEL) expression that evaluates to a value. + String expressions are supported (https://pkg.go.dev/github.com/google/cel-go/ext#Strings). + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object groups: - description: Groups the user must be a member of or, if - `user` is omitted, the groups to check for authorization - in the Kubernetes RBAC. + description: |- + Groups the user must be a member of or, if `user` is omitted, the groups to check for authorization in the Kubernetes RBAC. + Deprecated: Use authorizationGroups instead. items: type: string type: array diff --git a/charts/authorino-operator/templates/manifests.yaml b/charts/authorino-operator/templates/manifests.yaml index bd244cf..a786330 100644 --- a/charts/authorino-operator/templates/manifests.yaml +++ b/charts/authorino-operator/templates/manifests.yaml 
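Review bot: The `authorizationGroups` description in the hunk for bundle/manifests/authorino.kuadrant.io_authconfigs.yaml allows the list to "dynamically resolve to one from the Authorization JSON" without saying which parts of that JSON are trustworthy, even though these groups decide the SubjectAccessReview result. The reused `selector` text gives `request.method` as its example, which is client-supplied, so I would add a sentence such as `Resolve groups only from verified identity data (e.g. auth.identity), never from request attributes the caller controls.` Separately, `value` is declared with only `x-kubernetes-preserve-unknown-fields: true`, so the schema does not enforce the "static list of group names" the description asks for; how a non-list value is handled at runtime is not visible here. The description of the deprecated `groups` should also state which field takes effect when both are set. The same text recurs in the hunks for charts/authorino-operator/templates/manifests.yaml and config/deploy/manifests.yaml; these look like generated manifests, so the wording probably belongs on the source type they are rendered from.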
@@ -3104,10 +3104,32 @@ spec: kubernetesSubjectAccessReview: description: Authorization by Kubernetes SubjectAccessReview properties: + authorizationGroups: + description: Groups to check for existing permission in + the Kubernetes RBAC alternatively to a specific user. + This is typically obtained from a list of groups the user + is a member of. Must be a static list of group names or + dynamically resolve to one from the Authorization JSON. + properties: + expression: + description: |- + A Common Expression Language (CEL) expression that evaluates to a value. + String expressions are supported (https://pkg.go.dev/github.com/google/cel-go/ext#Strings). + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object groups: - description: Groups the user must be a member of or, if - `user` is omitted, the groups to check for authorization - in the Kubernetes RBAC. + description: |- + Groups the user must be a member of or, if `user` is omitted, the groups to check for authorization in the Kubernetes RBAC. + Deprecated: Use authorizationGroups instead. items: type: string type: array diff --git a/config/deploy/manifests.yaml b/config/deploy/manifests.yaml index 028c6af..5c672ed 100644 --- a/config/deploy/manifests.yaml +++ b/config/deploy/manifests.yaml 
@@ -3111,10 +3111,32 @@ spec: kubernetesSubjectAccessReview: description: Authorization by Kubernetes SubjectAccessReview properties: + authorizationGroups: + description: Groups to check for existing permission in + the Kubernetes RBAC alternatively to a specific user. + This is typically obtained from a list of groups the user + is a member of. Must be a static list of group names or + dynamically resolve to one from the Authorization JSON. + properties: + expression: + description: |- + A Common Expression Language (CEL) expression that evaluates to a value. + String expressions are supported (https://pkg.go.dev/github.com/google/cel-go/ext#Strings). + type: string + selector: + description: |- + Simple path selector to fetch content from the authorization JSON (e.g. 'request.method') or a string template with variables that resolve to patterns (e.g. "Hello, {auth.identity.name}!"). + Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson can be used. + The following Authorino custom modifiers are supported: @extract:{sep:" ",pos:0}, @replace{old:"",new:""}, @case:upper|lower, @base64:encode|decode and @strip. + type: string + value: + description: Static value + x-kubernetes-preserve-unknown-fields: true + type: object groups: - description: Groups the user must be a member of or, if - `user` is omitted, the groups to check for authorization - in the Kubernetes RBAC. + description: |- + Groups the user must be a member of or, if `user` is omitted, the groups to check for authorization in the Kubernetes RBAC. + Deprecated: Use authorizationGroups instead. items: type: string type: array