IdentityPropagation
microgateway.airlock.com/v1alpha1
IdentityPropagation defines an identity propagation operation.

Example: propagate the validated JWT unchanged as a bearer token in the Authorization header.

```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: IdentityPropagation
metadata:
  name: identity-propagation-example
spec:
  bearerToken:
    source:
      jwt: {}
```

Example: propagate the name claim of the OpenID Connect ID Token in the request header X-USER-NAME.

```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: IdentityPropagation
metadata:
  name: identity-propagation-example
spec:
  header:
    name: X-USER-NAME
    value:
      source:
        oidc:
          idToken:
            claim: "name"
```

IdentityPropagation
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| metadata | defines the resource’s metadata | ObjectMeta | yes | | |
| spec | defines the desired identity propagation. | object | yes | | bearerToken{}, header{} |
IdentityPropagation.spec
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| bearerToken | configures identity propagation via the Authorization request header containing a bearer token. | object | no | | |
| header | configures identity propagation via a request header. | object | no | | |
IdentityPropagation.spec.bearerToken
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| source | from which to extract the token. | object | yes | | clientCertificate{}, jwt{}, metadata{}, oidc{}, tokenExchange{} |
IdentityPropagation.spec.bearerToken.source
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| clientCertificate | specifies to extract a value from the presented client certificate. | object | no | | |
| jwt | specifies to extract a value from a JWT. | object | no | | |
| metadata | specifies to extract a value from an Envoy dynamic filter metadata key. | object | no | | |
| oidc | specifies to extract a value from the result of an OpenID Connect flow. | object | no | | accessToken{}, idToken{} |
| tokenExchange | specifies to use the token obtained via token exchange as value. | object | no | | |
IdentityPropagation.spec.bearerToken.source.clientCertificate
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| issuer | specifies to extract the value from the presented client certificate’s issuer. | object | no | | |
| san | specifies to extract the value from the presented client certificate’s subject alternative names. | object | no | | |
| subject | specifies to extract the value from the presented client certificate’s subject. | object | no | | |
IdentityPropagation.spec.bearerToken.source.clientCertificate.issuer
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| field | specifies the field to extract as value. If the certificate contains multiple occurrences of the field, all their values are joined into a comma-separated list. | enum | yes | | CommonName, Country, Locality, Organization, OrganizationalUnit, State |
IdentityPropagation.spec.bearerToken.source.clientCertificate.san
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| type | specifies to extract subject alternative names with this type. If there are multiple such SANs, they are joined into a comma-separated list. | enum | yes | | DNS, Email, IPAddress, URI |
IdentityPropagation.spec.bearerToken.source.clientCertificate.subject
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| field | specifies the field to extract as value. If the certificate contains multiple occurrences of the field, all their values are joined into a comma-separated list. | enum | yes | | CommonName, Country, Locality, Organization, OrganizationalUnit, State |
IdentityPropagation.spec.bearerToken.source.jwt
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| claim | specifies the JWT claim to extract as value. If omitted, the entire JWT will be used as value. | string | no |
IdentityPropagation.spec.bearerToken.source.metadata
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| key | specifies the metadata key from which to load the value, e.g. some_payload.aud. | string | yes | | |
| namespace | specifies the metadata namespace within which the lookup should be performed, e.g. envoy.filters.http.jwt_authn. | string | yes | | |
IdentityPropagation.spec.bearerToken.source.oidc
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| accessToken | specifies to use the OpenID Connect Access Token as value. | object | no | | {} |
| idToken | specifies to extract the value from the OpenID Connect ID Token. | object | no | | |
IdentityPropagation.spec.bearerToken.source.oidc.idToken
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| claim | specifies the JWT claim to extract as value. If omitted, the entire token will be used as value. | string | no |
IdentityPropagation.spec.bearerToken.source.tokenExchange
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| claim | specifies the JWT claim to extract as value. If omitted, the entire token will be used as value. Note: If claim is specified, identity propagation will fail if the token obtained from the exchange is not a JWT. | string | no | | |
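Two bearerToken configurations, added here as examples and not taken from the Airlock Microgateway reference: the first forwards the token obtained via token exchange unchanged, the second forwards the OpenID Connect Access Token obtained by the gateway's OIDC flow. The resource names are placeholders.

```yaml
# Added example, not part of the Airlock Microgateway reference.
# Forward the exchanged token as-is. No claim is set, so the whole token is
# used and the exchange may return a non-JWT (e.g. opaque) token without
# making propagation fail.
apiVersion: microgateway.airlock.com/v1alpha1
kind: IdentityPropagation
metadata:
  name: propagate-exchanged-token     # placeholder name
spec:
  bearerToken:
    source:
      tokenExchange: {}
---
# Forward the OIDC Access Token as the bearer token seen by the application.
apiVersion: microgateway.airlock.com/v1alpha1
kind: IdentityPropagation
metadata:
  name: propagate-oidc-access-token   # placeholder name
spec:
  bearerToken:
    source:
      oidc:
        accessToken: {}
```

Set tokenExchange.claim only when the exchange is known to return a JWT: per the table above, a claim on a non-JWT exchange result makes identity propagation fail, and the application then receives no bearer token rather than a partial one.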
IdentityPropagation.spec.header
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | of the header to set. | string | yes | ||
| value | to propagate to the application. | object | yes |
IdentityPropagation.spec.header.value
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| source | from which to extract the value. | object | yes | | clientCertificate{}, jwt{}, metadata{}, oidc{}, tokenExchange{} |
IdentityPropagation.spec.header.value.source
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| clientCertificate | specifies to extract a value from the presented client certificate. | object | no | | |
| jwt | specifies to extract a value from a JWT. | object | no | | |
| metadata | specifies to extract a value from an Envoy dynamic filter metadata key. | object | no | | |
| oidc | specifies to extract a value from the result of an OpenID Connect flow. | object | no | | accessToken{}, idToken{} |
| tokenExchange | specifies to use the token obtained via token exchange as value. | object | no | | |
IdentityPropagation.spec.header.value.source.clientCertificate
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| issuer | specifies to extract the value from the presented client certificate’s issuer. | object | no | | |
| san | specifies to extract the value from the presented client certificate’s subject alternative names. | object | no | | |
| subject | specifies to extract the value from the presented client certificate’s subject. | object | no | | |
IdentityPropagation.spec.header.value.source.clientCertificate.issuer
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| field | specifies the field to extract as value. If the certificate contains multiple occurrences of the field, all their values are joined into a comma-separated list. | enum | yes | | CommonName, Country, Locality, Organization, OrganizationalUnit, State |
IdentityPropagation.spec.header.value.source.clientCertificate.san
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| type | specifies to extract subject alternative names with this type. If there are multiple such SANs, they are joined into a comma-separated list. | enum | yes | | DNS, Email, IPAddress, URI |
IdentityPropagation.spec.header.value.source.clientCertificate.subject
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| field | specifies the field to extract as value. If the certificate contains multiple occurrences of the field, all their values are joined into a comma-separated list. | enum | yes | | CommonName, Country, Locality, Organization, OrganizationalUnit, State |
IdentityPropagation.spec.header.value.source.jwt
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| claim | specifies the JWT claim to extract as value. If omitted, the entire JWT will be used as value. | string | no |
IdentityPropagation.spec.header.value.source.metadata
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| key | specifies the metadata key from which to load the value, e.g. some_payload.aud. | string | yes | | |
| namespace | specifies the metadata namespace within which the lookup should be performed, e.g. envoy.filters.http.jwt_authn. | string | yes | | |
IdentityPropagation.spec.header.value.source.oidc
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| accessToken | specifies to use the OpenID Connect Access Token as value. | object | no | | {} |
| idToken | specifies to extract the value from the OpenID Connect ID Token. | object | no | | |
IdentityPropagation.spec.header.value.source.oidc.idToken
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| claim | specifies the JWT claim to extract as value. If omitted, the entire token will be used as value. | string | no |
IdentityPropagation.spec.header.value.source.tokenExchange
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| claim | specifies the JWT claim to extract as value. If omitted, the entire token will be used as value. Note: If claim is specified, identity propagation will fail if the token obtained from the exchange is not a JWT. | string | no | | |
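Header propagation from the sources not covered by the introductory examples, added here as examples and not taken from the reference: one header carrying the client certificate's URI subject alternative names, one carrying the subject Common Name, and one loaded from Envoy dynamic filter metadata. The header names, resource names and the choice of SAN type are assumptions; the metadata namespace and key are the ones the reference itself gives as examples, and using them assumes the JWT authentication filter stores the token payload under some_payload.

```yaml
# Added example, not part of the Airlock Microgateway reference.
# Header names and resource names are placeholders.
apiVersion: microgateway.airlock.com/v1alpha1
kind: IdentityPropagation
metadata:
  name: propagate-client-cert-san
spec:
  header:
    name: X-CLIENT-URI              # placeholder header name
    value:
      source:
        clientCertificate:
          san:
            type: URI               # several URI SANs are joined comma-separated
---
apiVersion: microgateway.airlock.com/v1alpha1
kind: IdentityPropagation
metadata:
  name: propagate-client-cert-cn
spec:
  header:
    name: X-CLIENT-CN               # placeholder header name
    value:
      source:
        clientCertificate:
          subject:
            field: CommonName       # repeated CN values are joined comma-separated
---
apiVersion: microgateway.airlock.com/v1alpha1
kind: IdentityPropagation
metadata:
  name: propagate-jwt-audience
spec:
  header:
    name: X-TOKEN-AUD               # placeholder header name
    value:
      source:
        metadata:
          namespace: envoy.filters.http.jwt_authn   # example namespace from the reference
          key: some_payload.aud                    # example key from the reference
```

Because multiple SANs or repeated subject fields are joined into a comma-separated list, an application that keys authorization on such a header must split it and decide how to treat more than one value rather than compare the raw string. As with any identity header set by a gateway, the value is only trustworthy if the application accepts requests exclusively through the gateway; a client that can reach the application directly could supply a header of the same name itself.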