Sync Gloo Mesh APIs. Destination Branch: gloo-mesh-v2.7.x

api/gloo.solo.io/admin/v2/dashboard.proto

@@ -0,0 +1,316 @@
+// Configure external authentication to secure the Gloo UI.
+// For example, you can secure the UI by requiring authentication
+// with an OpenID Connect (OIDC) identity provider. To access the Gloo UI,
+// users must authenticate with the OIDC provider, and all requests
+// to retrieve data from the API must be authenticated.
+//
+// For more information, see
+// [Set up external auth]({{< link path="/observability/tools/ui/auth/" >}}).
+//
+// This example sets up OIDC authentication with Google.
+// ```yaml
+// apiVersion: admin.gloo.solo.io/v2
+// kind: Dashboard
+// metadata:
+//   name: settings
+//   namespace: gloo-mesh
+// spec:
+//   authn:
+//     oidc:
+//       appUrl: https://localhost:8080
+//       clientId: $CLIENT_ID
+//       clientSecretName: dashboard
+//       issuerUrl: https://accounts.google.com
+//    ```
+syntax = "proto3";
+package admin.gloo.solo.io;
+
+import "extproto/ext.proto";
+import "github.com/solo-io/solo-apis/api/gloo.solo.io/common/v2/approval_state.proto";
+import "google/protobuf/duration.proto";
+import "google/protobuf/empty.proto";
+import "google/protobuf/wrappers.proto";
+
+option go_package = "github.com/solo-io/solo-apis/client-go/admin.gloo.solo.io/v2";
+
+option (extproto.hash_all) = true;
+option (extproto.equal_all) = true;
+option (extproto.clone_all) = true;
+
+// Specifications for the resource.
+message DashboardSpec {
+  // Configuration used to authenticate incoming requests.
+  message AuthnConfig {
+    oneof backend {
+      // Configuration for an OpenID Connect (OIDC) identity provider
+      // to secure the Gloo UI with.
+      OidcConfig oidc = 1;
+    }
+  }
+  // Configuration used to authorize incoming requests.
+  message AuthzConfig {
+    oneof backend {
+      // Enable multicluster RBAC so that RBAC resources in workload clusters 
+      // are used to determine whether users can view resources in the Gloo UI.
+      // To use multicluster RBAC, the Gloo UI and the workload clusters must
+      // use the same identity source, such as an OIDC provider with the same
+      // user and group claims. When using OIDC, make sure to configure the
+      // `userMapping` field.
+      MultiClusterRbac multi_cluster_rbac = 1;
+    }
+  }
+
+  // Configuration used to authenticate incoming requests.
+  AuthnConfig authn = 1;
+  // Configuration used to authorize incoming requests.
+  AuthzConfig authz = 2;
+}
+
+// Enable multicluster RBAC so that RBAC resources in workload clusters 
+// are used to determine whether users can view resources in the Gloo UI.
+// To use multicluster RBAC, the Gloo UI and the workload clusters must
+// use the same identity source, such as an OIDC provider with the same
+// user and group claims. When using OIDC, make sure to configure the
+// `userMapping` field.
+message MultiClusterRbac {
+
+}
+
+// Configuration for session data storage.
+message SessionConfig {
+  // Store all session data in a cookie header. This is the default.
+  message CookieSession {}
+
+  // Store the session data in a Redis instance.
+  message RedisSession {
+    // The address of the Redis instance to use, in the format `address:port` or `unix://path-to-unix.sock`.
+    string host = 1;
+
+    // The Redis database to use, indexed to start at `0`.
+    // If unset, defaults to `0`.
+    int32 db = 2;
+
+    // The maximum number of connections to establish at once.
+    // If unset, defaults to 10 connections per CPU.
+    int32 pool_size = 3;
+
+    // Redis key prefix.
+    string key_prefix = 4;
+
+    // The name of the cookie header to set and store the session ID.
+    // If unset, defaults to `"__session”`.
+    string cookie_name = 5;
+
+    // Refresh expired ID tokens by using the refresh token. Defaults to true.
+    // To disable refreshing, set this field to false.
+    google.protobuf.BoolValue allow_refreshing = 6;
+  }
+
+  // Configuration for storing the session data in a session cookie header.
+  message CookieOptions {
+    // Max age of the cookie. If unset, defaults to 30.
+    // To disable expiration, set this field to 0.
+    google.protobuf.UInt32Value max_age = 1;
+
+    // Use an insecure cookie.
+    // Only set this field to true when testing in trusted environments.
+    bool not_secure = 2;
+
+    // Path of the cookie. Defaults to "/".
+    // To disable this option, set this field to "".
+    google.protobuf.StringValue path = 3;
+
+    // Domain of the cookie.
+    string domain = 4;
+  }
+
+  // Configuration for storing the session data in the session cookie.
+  CookieOptions cookie_options = 1;
+
+  oneof backend {
+    // Store the session data in the session cookie.
+    CookieSession cookie = 2;
+
+    // Store the session data in a Redis instance.
+    RedisSession redis = 3;
+  }
+}
+
+// Configuration for an OpenID Connect (OIDC) identity provider
+// to secure the Gloo UI with.
+message OidcConfig {
+  // The client ID from the OIDC provider.
+  string client_id = 1;
+
+  // The client secret from the OIDC identity provider.
+  // Stored in a secret that you created in advance in the same namespace as the Gloo UI.
+  // To change this name such as to rotate the secret, you must restart the gloo-mesh-ui pod after the upgrade.
+  string client_secret_name = 2;
+
+  // The URL to connect to the OIDC identity provider,
+  // often in the format `https://<domain>.<provider_url>/`.
+  // Gloo looks for OIDC information in `{{ issuerURL }}/.well-known/openid-configuration`.
+  string issuer_url = 3;
+
+  // Extra query parameters to apply to authorization requests to the
+  // identity provider. For example, you might use the
+  // [PKCE flow](https://www.oauth.com/oauth2-servers/pkce/authorization-request/)
+  // by setting `code_challenge` and `code_challenge_method`.
+  map<string, string> auth_endpoint_query_params = 4;
+
+  // Extra query parameters to apply to token requests to the identity
+  // provider. For example, you might use the
+  // [PKCE flow](https://www.oauth.com/oauth2-servers/pkce/authorization-request/)
+  // by setting `code_challenge` and `code_challenge_method`.
+  map<string, string> token_endpoint_query_params = 5;
+
+  // The URL that the Gloo UI is exposed at, such as 'https://localhost:8090',
+  // to redirect to after successful authentication.
+  string app_url = 6;
+
+  // Path to handle the OIDC callback.
+  string callback_path = 7;
+
+  // Path used to logout.
+  // If unset or empty, logout is disabled.
+  string logout_path = 8;
+
+  // Scopes to request in addition to 'openid'.
+  repeated string scopes = 9;
+
+  // Configuration for session storage.
+  SessionConfig session = 10;
+
+  // OIDC configuration is discovered at `<issuerUrl>/.well-known/openid-configuration`.
+  // You can use the `discoveryOverride` section
+  // to override [this discovery configuration](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
+  message DiscoveryOverride {
+    // URL of the provider authorization endpoint.
+    string auth_endpoint = 1;
+
+    // URL of the provider token endpoint.
+    string token_endpoint = 2;
+
+    // URL of the provider JSON web key set.
+    string jwks_uri = 3;
+
+    // List of scope values that the provider supports.
+    repeated string scopes = 4;
+
+    // List of response types that the provider supports.
+    repeated string response_types = 5;
+
+    // List of subject identifier types that the provider supports.
+    repeated string subjects = 6;
+
+    // List of JSON web signature signing algorithms that the provider
+    // supports for encoding claims in a JWT.
+    repeated string id_token_algs = 7;
+
+    // List of client authentication methods supported by the provider
+    // token endpoint.
+    repeated string auth_methods = 8;
+
+    // List of claim types that the provider supports.
+    repeated string claims = 9;
+  }
+
+  // Ensure that certain values are set regardless of what the OIDC
+  // provider returns.
+  DiscoveryOverride discovery_override = 11;
+
+  // How often to poll the OIDC issuer for new configuration.
+  // For information about the value format, see the [Google protocol buffer documentation](https://protobuf.dev/reference/protobuf/google.protobuf/#duration).
+  google.protobuf.Duration discovery_poll_interval = 12;
+
+  // If a user sends a request with a key that is not found in the
+  // JWKS, the keys might have rotated on the remote source,
+  // but not yet in the local cache. Use this policy to configure
+  // how to refresh the local cache when handling a request that
+  // provides an invalid key.
+  JwksOnDemandCacheRefreshPolicy jwks_cache_refresh_policy = 13;
+
+  // If set, the ID token is used to infer user identity,
+  // which can be used to make authorization decisions.
+  // If unset or empty, no authorization is made.
+  UserMapping user_mapping = 14;
+
+  // A name of a config map that contains the root certificate to use
+  // when connecting to the OIDC provider. The config map must contain
+  // a key named "ca.crt" with the PEM-encoded CA.
+  // To change this name such as to rotate the config map, you must restart the gloo-mesh-ui pod after the upgrade.
+  string ca_cert_configmap_name = 15;
+}
+
+// The [json web key set (JWKS)](https://datatracker.ietf.org/doc/html/rfc7517) is
+// discovered at an interval from a remote source. When keys rotate in
+// the remote source, there might be a delay before the local source picks
+// up those new keys. In this case, a user might execute a request with a
+// token that is signed by a key that is in the remote JWKS,
+// but isn't in the local cache yet. The request fails because the
+// key isn't contained in the local set. Because most IdPs publish key
+// keys in their remote JWKS before they are used, this is typically
+// not an issue. However, you can use this policy to define how to handle
+// user tokens that have a key that is not yet in the local cache.
+message JwksOnDemandCacheRefreshPolicy {
+  oneof policy {
+    // Never refresh the local JWKS cache on demand. If a key is not
+    // in the local cache, it is assumed to be malicious. This is the
+    // default policy, because IdPs typically publish keys before
+    // they rotate them, and frequent polling finds the newest keys.
+    // For information about the value format, see the [Google protocol buffer documentation](https://protobuf.dev/reference/protobuf/google.protobuf/#empty).
+    google.protobuf.Empty never = 1;
+
+    // If a key is not in the cache, fetch the most recent keys from
+    // the IdP and update the cache. NOTE: Use this setting only
+    // in trusted environments, because each missing key triggers
+    // a request to the IdP. When used in an environment that is exposed
+    // to the internet, malicious agents can execute a DDoS
+    // attack by spamming protected endpoints with tokens signed by
+    // invalid keys.
+    // For information about the value format, see the [Google protocol buffer documentation](https://protobuf.dev/reference/protobuf/google.protobuf/#empty).
+    google.protobuf.Empty always = 2;
+
+    // If a key is not in the cache, fetch the most recent keys from
+    // the IdP and update the cache. This value sets the number of
+    // requests to the IdP per polling interval. If that limit is
+    // exceeded, fetching from the IdP stops for the
+    // remainder of the polling interval.
+    uint32 max_idp_req_per_polling_interval = 3;
+  }
+}
+
+// Settings to ensure that the identity that is derived from the ID
+// token matches the Kubernetes identity.
+message UserMapping {
+  // The JWT field to use as the user's username.
+  string username_claim = 1;
+
+  // Add a prefix to each mapped username.
+  // For example, the value `oidc:` results in usernames such as `oidc:john`.
+  string username_prefix = 2;
+
+  // Configure the OIDCAuthenticator to try to populate the user's
+  // groups with an ID Token field.
+  // If the GroupsClaim field is present in an ID Token, the value
+  // must be a string or list of strings.
+  string  groups_claim = 3;
+
+  // Add a prefix to each mapped group name.
+  // For example, the value `oidc:` results in group names such as `oidc:engineering`.
+  string groups_prefix = 4;
+}
+
+message DashboardStatus {
+
+  // The most recent generation observed in the Dashboard metadata.
+  // If the `observedGeneration` does not match `metadata.generation`,
+  // Gloo has not processed the most recent version of this resource.
+  int64 observed_generation = 1;
+
+  // Whether the resource has been accepted as valid and processed in the Gloo config translation.
+  .common.gloo.solo.io.ApprovalState state = 2;
+
+  // Any errors encountered while translating the Dashboard resource.
+  repeated string errors = 3;
+}