Forte/launchpad
6
0
Fork 0
Code Issues Pull Requests Actions Packages Wiki Activity

rename annotation

Browse Source
This commit is contained in:
snothub
2026-03-26 13:25:53 +01:00
parent 5640a5ca4a
commit 8029b7816d
1 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
cluster-resources/policies/auth-sidecar-injector.yaml
View File

@@ -10,7 +10,7 @@ metadata:
policies.kyverno.io/severity: medium policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >- policies.kyverno.io/description: >-
Injects an auth sidecar container into Pods annotated with policies.forteapps.io/auth: "true". Supports three auth modes controlled by the policies.forteapps.io/auth-type annotation: "token" (default), "oidc", and "mcp". In token mode the sidecar reads credentials from a mounted Secret volume. In OIDC mode the sidecar uses OpenID Connect with authority and client-id provided via required annotations (policies.forteapps.io/auth-oidc-authority and policies.forteapps.io/auth-oidc-client-id) and secrets from an auth-oidc Secret. In MCP mode the sidecar implements OAuth 2.0 for MCP servers per RFC 9728 (Protected Resource Metadata) and RFC 7591 (Dynamic Client Registration), configured via policies.forteapps.io/auth-mcp-resource and policies.forteapps.io/auth-mcp-authority annotations. The sidecar port defaults to 8080 and can be overridden via the policies.forteapps.io/auth-sidecar-port annotation. A NetworkPolicy is generated to restrict ingress to the sidecar port only. Injects an auth sidecar container into Pods annotated with policies.forteapps.io/auth: "true". Supports three auth modes controlled by the policies.forteapps.io/auth-type annotation: "token" (default), "oidc", and "mcp". In token mode the sidecar reads credentials from a mounted Secret volume. In OIDC mode the sidecar uses OpenID Connect with authority and client-id provided via required annotations (policies.forteapps.io/auth-oidc-authority and policies.forteapps.io/auth-oidc-client-id) and secrets from an auth-oidc Secret. In MCP mode the sidecar implements OAuth 2.0 for MCP servers per RFC 9728 (Protected Resource Metadata) and RFC 7591 (Dynamic Client Registration), configured via policies.forteapps.io/auth-mcp-resource and policies.forteapps.io/auth-mcp-authority annotations. The sidecar port defaults to 8080 and can be overridden via the policies.forteapps.io/auth-port annotation. A NetworkPolicy is generated to restrict ingress to the sidecar port only.
spec: spec:
background: false background: false
rules: rules:
@@ -121,7 +121,7 @@ spec:
jmesPath: request.object.spec.containers[?name != 'authn'] | [0].ports[0].containerPort || `3000` jmesPath: request.object.spec.containers[?name != 'authn'] | [0].ports[0].containerPort || `3000`
- name: sidecarPort - name: sidecarPort
variable: variable:
jmesPath: to_number(request.object.metadata.annotations."policies.forteapps.io/auth-sidecar-port" || '8080') jmesPath: to_number(request.object.metadata.annotations."policies.forteapps.io/auth-port" || '8080')
mutate: mutate:
patchStrategicMerge: patchStrategicMerge:
spec: spec:
@@ -202,7 +202,7 @@ spec:
jmesPath: request.object.spec.containers[?name != 'authn'] | [0].ports[0].containerPort || `3000` jmesPath: request.object.spec.containers[?name != 'authn'] | [0].ports[0].containerPort || `3000`
- name: sidecarPort - name: sidecarPort
variable: variable:
jmesPath: to_number(request.object.metadata.annotations."policies.forteapps.io/auth-sidecar-port" || '8080') jmesPath: to_number(request.object.metadata.annotations."policies.forteapps.io/auth-port" || '8080')
mutate: mutate:
patchStrategicMerge: patchStrategicMerge:
spec: spec:
@@ -295,7 +295,7 @@ spec:
jmesPath: request.object.spec.containers[?name != 'authn'] | [0].ports[0].containerPort || `3000` jmesPath: request.object.spec.containers[?name != 'authn'] | [0].ports[0].containerPort || `3000`
- name: sidecarPort - name: sidecarPort
variable: variable:
jmesPath: to_number(request.object.metadata.annotations."policies.forteapps.io/auth-sidecar-port" || '8080') jmesPath: to_number(request.object.metadata.annotations."policies.forteapps.io/auth-port" || '8080')
mutate: mutate:
patchStrategicMerge: patchStrategicMerge:
spec: spec:
@@ -374,7 +374,7 @@ spec:
jmesPath: request.object.spec.containers[?name != 'authn'] | [0].ports[0].containerPort || `3000` jmesPath: request.object.spec.containers[?name != 'authn'] | [0].ports[0].containerPort || `3000`
- name: sidecarPort - name: sidecarPort
variable: variable:
jmesPath: to_number(request.object.metadata.annotations."policies.forteapps.io/auth-sidecar-port" || '8080') jmesPath: to_number(request.object.metadata.annotations."policies.forteapps.io/auth-port" || '8080')
mutate: mutate:
patchStrategicMerge: patchStrategicMerge:
spec: spec:
@@ -469,7 +469,7 @@ spec:
context: context:
- name: sidecarPort - name: sidecarPort
variable: variable:
jmesPath: to_number(request.object.metadata.annotations."policies.forteapps.io/auth-sidecar-port" || '8080') jmesPath: to_number(request.object.metadata.annotations."policies.forteapps.io/auth-port" || '8080')
generate: generate:
synchronize: false synchronize: false
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1