IdentityPropagation
microgateway.airlock.com/v1alpha1
IdentityPropagation specifies the desired identity propagation.
apiVersion: microgateway.airlock.com/v1alpha1
kind: IdentityPropagation
metadata:
name: identity-propagation-example
spec:
header:
name: X-USER-NAME
value:
source:
oidc:
idToken:
claim: "name"apiVersion: microgateway.airlock.com/v1alpha1
kind: IdentityPropagation
metadata:
name: defaultIdentityPropagation
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
metadata |
ObjectMeta | Refer to Kubernetes API documentation for fields of metadata |
yes | ||
| spec | object | Specification of the desired identity propagation. | yes | bearerToken{}, header{} |
IdentityPropagation.spec
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| bearerToken | object | BearerToken configures identity propagation via an authorization header containing a bearer token. | no | ||
| header | object | Header configures identity propagation via a request header. | no |
IdentityPropagation.spec.bearerToken
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| source | object | Source from which to extract the token. | yes | jwt{}, metadata{}, oidc{}, tokenExchange{} |
IdentityPropagation.spec.bearerToken.source
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| jwt | object | JWT specifies to extract a value from a JWT. | no | ||
| metadata | object | Metadata specifies to extract a value from an Envoy dynamic filter metadata key. | no | ||
| oidc | object | OIDC specifies to extract a value from the result of an OpenID Connect flow. | no | accessToken{}, idToken{} |
|
| tokenExchange | object | TokenExchange specifies to use the token obtained via token exchange as value. | no |
IdentityPropagation.spec.bearerToken.source.jwt
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
claim |
string | The JWT claim to extract as value. If omitted, the entire JWT will be used as value. | no |
IdentityPropagation.spec.bearerToken.source.metadata
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
key |
string | Key specifies the metadata key from which to load the value, e.g. some_payload.aud. |
yes | ||
namespace |
string | Namespace specifies the metadata namespace within which the lookup should be performed, e.g. envoy.filters.http.jwt_authn. |
yes |
IdentityPropagation.spec.bearerToken.source.oidc
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| accessToken | object | AccessToken specifies to extract the value from the OpenID Connect Access Token. | no | ||
| idToken | object | IDToken specifies to extract the value from the OpenID Connect ID Token. | no |
IdentityPropagation.spec.bearerToken.source.oidc.idToken
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
claim |
string | Claim selects the JWT claim from which to extract the value. | yes |
IdentityPropagation.spec.header
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
name |
string | Name of the header to set. | yes | ||
| value | object | Value to propagate to the application. | yes |
IdentityPropagation.spec.header.value
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| source | object | Source from which to extract the value. | yes | jwt{}, metadata{}, oidc{}, tokenExchange{} |
IdentityPropagation.spec.header.value.source
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| jwt | object | JWT specifies to extract a value from a JWT. | no | ||
| metadata | object | Metadata specifies to extract a value from an Envoy dynamic filter metadata key. | no | ||
| oidc | object | OIDC specifies to extract a value from the result of an OpenID Connect flow. | no | accessToken{}, idToken{} |
|
| tokenExchange | object | TokenExchange specifies to use the token obtained via token exchange as value. | no |
IdentityPropagation.spec.header.value.source.jwt
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
claim |
string | The JWT claim to extract as value. If omitted, the entire JWT will be used as value. | no |
IdentityPropagation.spec.header.value.source.metadata
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
key |
string | Key specifies the metadata key from which to load the value, e.g. some_payload.aud. |
yes | ||
namespace |
string | Namespace specifies the metadata namespace within which the lookup should be performed, e.g. envoy.filters.http.jwt_authn. |
yes |
IdentityPropagation.spec.header.value.source.oidc
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| accessToken | object | AccessToken specifies to extract the value from the OpenID Connect Access Token. | no | ||
| idToken | object | IDToken specifies to extract the value from the OpenID Connect ID Token. | no |
IdentityPropagation.spec.header.value.source.oidc.idToken
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
claim |
string | Claim selects the JWT claim from which to extract the value. | yes |